
An effective way to handle a range of security weaknesses in JavaScript back ends is the dependency called Helmet. Helmet makes it relatively easy to set many HTTP headers related to security and privacy. Its default initialization adds protection against seven different attacks; the remaining headers have to be set up manually. Listing 6 presents the logic as written for the NestJS application.

1   import * as express from 'express';
2   import { Express } from 'express';
3   const helmet = require('helmet');
4
5   const expressApp: Express = express(); // Create the Express instance.
6
7   expressApp.use(helmet()); // Enable Helmet's 7 default middleware protections, i.e. dnsPrefetchControl, frameguard, hidePoweredBy, hsts, ieNoOpen, noSniff and xssFilter.
8
9   // Preload HTTP Strict Transport Security (HSTS).
10  expressApp.use(
11    helmet.hsts({
12      includeSubDomains: true, // Must be enabled, so "preload" will work.
13      maxAge: 31536000, // In seconds, one year.
14      preload: true
15    })
16  );
17
18  expressApp.use(helmet.permittedCrossDomainPolicies()); // Prevent Adobe Flash and Adobe Acrobat from loading content.
19
20  // Enforce and expect Certificate Transparency (CT) for 24 hours.
21  expressApp.use(
22    helmet.expectCt({
23      enforce: true,
24      maxAge: 24 * 60 * 60 // In seconds, regard it for max 24 hours.
25    })
26  );
27
28  // Limit website features by implementing Feature Policy.
29  expressApp.use(
30    helmet.featurePolicy({
31      features: {
32        fullscreen: ["'self'"],
33        payment: ["'none'"],
34        syncXhr: ["'none'"]
35      }
36    })
37  );
38
39  expressApp.use(helmet.noCache()); // Disable client-side caching (registered on the same Express instance as the middleware above).
40  expressApp.use(helmet.referrerPolicy({ policy: 'same-origin' })); // Send the Referer header only for pages on the same origin.

Listing 6: Declaration of security headers in NestJS.

5. IMPLEMENTATION Master of Science in Technology Thesis

Initialization with the default options (line seven) means that the following middleware set HTTP headers⁶⁹ which tell the browser how to behave. The following behaviour is expected from the browser:

• dnsPrefetchControl — disable DNS prefetching in the browser (sets X-DNS-Prefetch-Control to off).

• frameguard — mitigate clickjacking⁷⁰ attacks (sets X-Frame-Options to SAMEORIGIN).

• hidePoweredBy — hide the technology stack used on the website (removes X-Powered-By).

• hsts — keep users on HTTPS (turns on Strict-Transport-Security).

• ieNoOpen — instruct Internet Explorer not to open downloads in the site's context (sets X-Download-Options to noopen).

• noSniff — prevent browsers from trying to guess (sniff) a MIME type (sets X-Content-Type-Options to nosniff).

• xssFilter — mitigate reflected XSS attacks (sets X-XSS-Protection to 1; mode=block).

However, there are still a number of headers left which can be set to increase security:

• contentSecurityPolicy — whitelist the sources from which scripts can be loaded in an application (sets Content-Security-Policy).

• permittedCrossDomainPolicies — prevent handling of data across domains (sets X-Permitted-Cross-Domain-Policies to none). It specifically targets Adobe Flash and Adobe Acrobat, which can load content from other sites.

• expectCt — the browser will expect Certificate Transparency (CT)⁷¹ for the requested website (sets Expect-CT).

• featurePolicy — restrict which features the application can use (sets Feature-Policy).

• noCache — disable browser caching (modifies Cache-Control, Expires, Pragma and Surrogate-Control).

• referrerPolicy — stop the browser from forwarding information about the originating site when the user moves from one site to another (sets Referrer-Policy, which controls what the browser puts in the Referer request header). This is a privacy enhancement rather than a security fix.

One option has not been used at all, namely hpkp (HTTP Public Key Pinning, HPKP). The newer Expect-CT header is considered more flexible and safer [61]. Both of them mitigate the same attack.
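The two lists above say which header each middleware is expected to emit, but nothing in the thesis verifies that the running application actually sends them. The following audit is an added example, not code from the thesis or from Helmet: it takes a plain header object, such as the `res.headers` map returned by Node's http client, and reports which of the listed headers are missing, carry a value weaker than the Listing 6 configuration, or leak the technology stack. The expected values are those Helmet 3.x emits for the Listing 6 options; the exact Feature-Policy and Cache-Control output formats checked for, and the two sample header maps at the bottom, are constructed assumptions rather than captures from the thesis application. As footnote 69 notes, a header being present only proves the server side; whether a given browser honours it is a separate question.

```javascript
'use strict';

// Split "max-age=31536000; includeSubDomains; preload" or
// "enforce, max-age=86400" into a map of lower-cased directive -> value.
function parseDirectives(value) {
  const out = {};
  for (const part of value.split(/[;,]/)) {
    const piece = part.trim();
    if (!piece) continue;
    const eq = piece.indexOf('=');
    if (eq === -1) out[piece.toLowerCase()] = true;
    else out[piece.slice(0, eq).trim().toLowerCase()] = piece.slice(eq + 1).trim();
  }
  return out;
}

// The three conditions the HSTS preload list requires, matching
// lines 10-16 of Listing 6: one-year max-age, includeSubDomains, preload.
function hstsPreloadable(value) {
  const d = parseDirectives(value);
  return Number(d['max-age']) >= 31536000 && d.includesubdomains === true && d.preload === true;
}

// Expect-CT must be enforced and, per line 24 of Listing 6, valid for at most 24 hours.
function expectCtEnforced(value) {
  const d = parseDirectives(value);
  const age = Number(d['max-age']);
  return d.enforce === true && age > 0 && age <= 86400;
}

// Lower-cased header name -> predicate on its value, one per header the text lists.
const CHECKS = {
  'x-dns-prefetch-control': v => v.toLowerCase() === 'off',
  'x-frame-options': v => v.toUpperCase() === 'SAMEORIGIN',
  'strict-transport-security': hstsPreloadable,
  'x-download-options': v => v.toLowerCase() === 'noopen',
  'x-content-type-options': v => v.toLowerCase() === 'nosniff',
  'x-xss-protection': v => v.replace(/\s+/g, '') === '1;mode=block',
  'x-permitted-cross-domain-policies': v => v.toLowerCase() === 'none',
  'expect-ct': expectCtEnforced,
  'feature-policy': v => /payment\s+'none'/.test(v) && /sync-xhr\s+'none'/.test(v), // assumed Helmet 3 format
  'cache-control': v => /\bno-store\b/.test(v),                                       // assumed noCache output
  'referrer-policy': v => v.toLowerCase() === 'same-origin',
};

// hidePoweredBy is a removal, so its check is the absence of the header.
const FORBIDDEN = ['x-powered-by'];

function auditHeaders(headers) {
  // Normalise names to lower case (Node's http module already does; other clients may not).
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = Array.isArray(value) ? value.join(', ') : String(value);
  }
  const missing = [], wrong = [], leaked = [];
  for (const [name, ok] of Object.entries(CHECKS)) {
    if (!(name in h)) missing.push(name);
    else if (!ok(h[name])) wrong.push(name);
  }
  for (const name of FORBIDDEN) if (name in h) leaked.push(name);
  return { missing, wrong, leaked, pass: missing.length === 0 && wrong.length === 0 && leaked.length === 0 };
}

// Constructed sample: the headers the full Listing 6 stack is expected to send.
const SAMPLE_HARDENED = {
  'X-DNS-Prefetch-Control': 'off',
  'X-Frame-Options': 'SAMEORIGIN',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Download-Options': 'noopen',
  'X-Content-Type-Options': 'nosniff',
  'X-XSS-Protection': '1; mode=block',
  'X-Permitted-Cross-Domain-Policies': 'none',
  'Expect-CT': 'enforce, max-age=86400',
  'Feature-Policy': "fullscreen 'self';payment 'none';sync-xhr 'none'",
  'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
  'Referrer-Policy': 'same-origin',
  'Content-Type': 'application/json; charset=utf-8',
};

// Constructed sample: only the line-7 defaults with Helmet 3's 180-day HSTS,
// plus a stray X-Powered-By as if hidePoweredBy were not active.
const SAMPLE_DEFAULTS_ONLY = {
  'X-Powered-By': 'Express',
  'X-DNS-Prefetch-Control': 'off',
  'X-Frame-Options': 'SAMEORIGIN',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Download-Options': 'noopen',
  'X-Content-Type-Options': 'nosniff',
  'X-XSS-Protection': '1; mode=block',
};

console.log(JSON.stringify(auditHeaders(SAMPLE_HARDENED)));
console.log(JSON.stringify(auditHeaders(SAMPLE_DEFAULTS_ONLY)));
```

Against the first sample the audit passes; against the second it reports the five manually configured headers as missing, the 180-day HSTS as not preloadable, and X-Powered-By as leaked. To run it against the real application, replace the sample maps with the `headers` of a response from the NestJS server.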

⁶⁹ However, if a particular browser does not support a certain header, it will not be enforced.

⁷⁰ Tricking the victim into clicking on a certain element which the attacker controls. This element might be invisible or masked.

⁷¹ A technique for auditing and monitoring identity certificates (also known as public key certificates or digital certificates). It detects fake and malicious SSL certificates.
