From ab01c1121edd3240b1a5692d7616945b10c12ae2 Mon Sep 17 00:00:00 2001
From: Matt Strapp <matt@mattstrapp.net>
Date: Wed, 9 Feb 2022 19:56:27 -0600
Subject: Add some security stuffs

Signed-off-by: Matt Strapp <matt@mattstrapp.net>
---
 src/index.ts | 37 ++++++++++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 3 deletions(-)

(limited to 'src/index.ts')

diff --git a/src/index.ts b/src/index.ts
index 09126ca..e6e083b 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,23 +1,54 @@
 import express, { Request, Response } from 'express';
+import session from 'express-session';
+import rateLimit from 'express-rate-limit';
+import slowDown from 'express-slow-down';
 import path from 'path';
 import { env } from 'process';
+import helmet from 'helmet';
+import csurf from 'csurf';
 
 const app = express();
 
-const port = env.PORT || 2000;
+// Middleware
+const port: string = env.PORT || '2000';
 
+const csrf = csurf({ cookie: false });
+const rateLimiter = rateLimit({
+    windowMs: 1 * 60 * 1000, // 1 minute
+    max: 30, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
+    standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+    legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+});
+const speedLimiter = slowDown({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    delayAfter: 100, // allow 100 requests per 15 minutes, then...
+    delayMs: 500 // begin adding 500ms of delay per request above 100:
+    // request # 101 is delayed by  500ms
+    // request # 102 is delayed by 1000ms
+    // request # 103 is delayed by 1500ms
+    // etc.
+});
+// This will be run behind an nginx proxy
+app.enable('trust proxy');
+//  apply to all requests
+app.use(speedLimiter);
+app.use('/api', rateLimiter);
+app.use(helmet());
+
+// Add ejs as view engine
 app.set('view engine', 'ejs');
 app.set('views', path.join(__dirname, 'views/pages'));
+
 app.use('/public', express.static(path.join(__dirname, 'public')));
 
 
-app.get('/', (req: Request, res: Response) => {
+app.get('/', csrf, (req: Request, res: Response) => {
     res.render('index', {
         errors: [],
     });
 });
 
-app.get('/about', (req: Request, res: Response) => {
+app.get('/about', csrf, (req: Request, res: Response) => {
     res.render('about');
 });
 
-- 
cgit v1.2.3