diff options
author | Matt Strapp <matt@mattstrapp.net> | 2022-02-14 20:39:37 -0600 |
---|---|---|
committer | Matt Strapp <matt@mattstrapp.net> | 2022-02-14 20:41:59 -0600 |
commit | 84bf2fe74a2ec2e932cd5084bd995c7b55300629 (patch) | |
tree | 91297df22acd942ee6c35d5ec0a1ed67866b797b /src | |
parent | Remove redundant rate limiter (diff) | |
download | ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.tar ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.tar.gz ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.tar.bz2 ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.tar.lz ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.tar.xz ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.tar.zst ee4511w-web-84bf2fe74a2ec2e932cd5084bd995c7b55300629.zip |
Reorder middleware for "security"
Signed-off-by: Matt Strapp <matt@mattstrapp.net>
Diffstat (limited to 'src')
-rw-r--r-- | src/index.ts | 14 | ||||
-rw-r--r-- | src/routes/api.ts | 13 |
2 files changed, 14 insertions, 13 deletions
diff --git a/src/index.ts b/src/index.ts index 1bf018f..385aecc 100644 --- a/src/index.ts +++ b/src/index.ts @@ -12,6 +12,13 @@ const app = express(); /* MIDDLEWARE */ +// Hide the software being used (helps security) +app.use(helmet()); + +// CSRF protection +app.use(cookieParser()); +const csrf = csurf({ cookie: true }); + // Rate limiting const rateLimiter = rateLimit({ windowMs: 1 * 60 * 1000, // 1 minute @@ -21,13 +28,6 @@ const rateLimiter = rateLimit({ }); app.use(rateLimiter); -// CSRF protection -app.use(cookieParser()); -const csrf = csurf({ cookie: true }); - - -// Hide the software being used (helps security) -app.use(helmet()); // The API app.use('/api/v1/', api); diff --git a/src/routes/api.ts b/src/routes/api.ts index 4d55626..ab0ff26 100644 --- a/src/routes/api.ts +++ b/src/routes/api.ts @@ -11,6 +11,12 @@ import { spawn } from 'child_process'; const api = express.Router(); +// Use JSON parser for API requests and responses +api.use(express.json()); +// CSRF protection +api.use(cookieParser()); +const csrf = csurf({ cookie: true }); + // For file uploads api.use(fileUpload({ preserveExtension: true, // Preserve file extension on upload @@ -21,12 +27,6 @@ api.use(fileUpload({ debug: false, // Log debug information })); -// CSRF protection -api.use(cookieParser()); -const csrf = csurf({ cookie: true }); - -// Use JSON parser for API requests and responses -api.use(express.json()); /* Upload a file to the server @@ -101,6 +101,7 @@ api.route('/upload') */ api.route('/actuate') + // Snyk error mitigation, should be fine since the rate limiting is already in place // file deepcode ignore NoRateLimitingForExpensiveWebOperation: This is already rate limited by the website, so we don't need to do it again .post(csrf, async (req: Request, res: Response) => { // Make sure the file being requested to run exists |