PeterMosmans/javascript-secure-coding

Several (in)secure JavaScript code examples, meant to learn more about secure coding in JavaScript

Secure Coding in JavaScript

This is a JavaScript / Node.js demo application meant for practicing secure coding. Make sure to NOT use this code in production, as the examples contain deliberate security vulnerabilities.

Prerequisites

Have docker, node and optionally openssl installed.

Installation

git clone https://github.com/PeterMosmans/javascript-secure-coding \
  && cd javascript-secure-coding \
  && ./installer.sh

This will:

  • clone the repository,
  • check the prerequisites,
  • generate a self-signed certificate when openssl is installed,
  • copy defaults/.env to .env (unless there is already a .env present), and
  • install the required dependencies.

Optionally check the .env file: for the demos to work, the hostnames mentioned in .env must resolve to reachable IP addresses. This might require modifying your local hosts file.

Run all servers

./start-servers.sh

This will start all servers in the background, including the Docker container.

Stop all servers

./stop-servers.sh

⚠ IMPORTANT ⚠

Don't forget to trust the self-signed certificate for each one of the services, as this certificate is not trusted by default.

You can do this by visiting https://localhost:3000/test, accepting the self-signed certificate for this site, then clicking on "browse to authentication URL" and "browse to API URL", and accepting the self-signed certificates for each one of the servers.

If you don't trust the certificates manually, then the demos will not work.

When manually starting the services, source the .env file, as the environment file contains important variables required for the various services to run.

Architecture

The web server has the following functionality:

  • Input/output page / - dynamically display output; filter, sanitize, and validate data
  • Authentication page /authentication - log in, reset session
  • Authorization page /authorization - perform an action as authenticated user, validate access permissions of a token
  • Protected authorization page /authorization-protected - perform a protected, validated action as authenticated user, validate access permissions of a token
  • Test page /test - check whether the demo site is functioning correctly

Furthermore, there are a few variations on the input/output page:

  • /csp - Apply a simple Content Security Policy header
  • /frame - Apply a bit more advanced Content Security Policy header

Copyright / License

Great that you're using this code, hopefully you'll find it useful! All that I'm asking is that you properly attribute the author (Peter Mosmans), and respect the GPLv3 license.

This demo uses Cerbos and DOMPurify, both licensed under the Apache License.
