From ab01c1121edd3240b1a5692d7616945b10c12ae2 Mon Sep 17 00:00:00 2001
From: Matt Strapp
Date: Wed, 9 Feb 2022 19:56:27 -0600
Subject: Add some security stuffs
Signed-off-by: Matt Strapp
---
 src/index.ts | 37 ++++++++++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/index.ts b/src/index.ts
index 09126ca..e6e083b 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,23 +1,54 @@
 import express, { Request, Response } from 'express';
+import session from 'express-session';
+import rateLimit from 'express-rate-limit';
+import slowDown from 'express-slow-down';
 import path from 'path';
 import { env } from 'process';
+import helmet from 'helmet';
+import csurf from 'csurf';
 const app = express();
-const port = env.PORT || 2000;
+// Middleware
+const port: string = env.PORT || '2000';
+const csrf = csurf({ cookie: false });
+const rateLimiter = rateLimit({
+ windowMs: 1 * 60 * 1000, // 1 minute
+ max: 30, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
+ standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+ legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+});
+const speedLimiter = slowDown({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ delayAfter: 100, // allow 100 requests per 15 minutes, then...
+ delayMs: 500 // begin adding 500ms of delay per request above 100:
+ // request # 101 is delayed by 500ms
+ // request # 102 is delayed by 1000ms
+ // request # 103 is delayed by 1500ms
+ // etc.
+});
+// This will be run behind an nginx proxy
+app.enable('trust proxy');
+// apply to all requests
+app.use(speedLimiter);
+app.use('/api', rateLimiter);
+app.use(helmet());
+
+// Add ejs as view engine
 app.set('view engine', 'ejs');
 app.set('views', path.join(__dirname, 'views/pages'));
+
 app.use('/public', express.static(path.join(__dirname, 'public')));
-app.get('/', (req: Request, res: Response) => {
+app.get('/', csrf, (req: Request, res: Response) => {
 res.render('index', {
 errors: [],
 });
 });
-app.get('/about', (req: Request, res: Response) => {
+app.get('/about', csrf, (req: Request, res: Response) => {
 res.render('about');
 });
-- cgit v1.2.3
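Review bot: `csurf({ cookie: false })` keeps its secret in `req.session`, but the hunk only imports `express-session` and never mounts it, so with no session middleware ahead of the `csrf` routes every request to `/` and `/about` will fail with csurf's "misconfigured csrf" error; mount it before those routes, e.g. `app.use(session({ secret: env.SESSION_SECRET /* placeholder: supply via environment */, resave: false, saveUninitialized: false, cookie: { httpOnly: true, sameSite: 'lax' } }));`, and pass `csrfToken: req.csrfToken()` into the render locals if the views contain forms. `app.enable('trust proxy')` trusts every hop, so `req.ip` — the key both limiters use — becomes the leftmost `X-Forwarded-For` value, which a client can choose if nginx forwards that header rather than overwriting it; `app.set('trust proxy', 1)` keys on the address nginx itself appends instead. The comment on `max: 30` still describes 100 requests per 15 minutes while the limiter is configured for 30 per 1 minute; update it to `max: 30, // Limit each IP to 30 requests per window (here, per minute)`. Whether any POST handler carries `csrf` is outside this hunk.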