All Projects → mcibique → Express Security

mcibique / Express Security

nodejs + express security and performance boilerplate.

Programming Languages

javascript
184084 projects - #8 most used programming language

Projects that are alternatives of or similar to Express Security

React Redux Saucepan
A minimal and universal react redux starter project. With hot reloading, linting and server-side rendering
Stars: ✭ 86 (+132.43%)
Mutual labels:  babel, express, boilerplate
Express Mongoose Es6 Rest Api
💥 A boilerplate application for building RESTful APIs Microservice in Node.js using express and mongoose in ES6 with code coverage and JsonWebToken Authentication
Stars: ✭ 2,811 (+7497.3%)
Mutual labels:  babel, express, boilerplate
Js Stack Boilerplate
Final boilerplate code of the JavaScript Stack from Scratch tutorial –
Stars: ✭ 145 (+291.89%)
Mutual labels:  babel, express, boilerplate
Nginxconfig.io
⚙️ NGINX config generator on steroids 💉
Stars: ✭ 14,983 (+40394.59%)
Mutual labels:  http2, gzip, rate-limiting
Express Graphql Mongodb Boilerplate
A boilerplate for Node.js apps / GraphQL-API / Authentication from scratch - express, graphql - (graphql compose), mongodb (mongoose).
Stars: ✭ 288 (+678.38%)
Mutual labels:  redis, express, boilerplate
Express Static Gzip
Simple wrapper on top of serveStatic, that allows serving pre-gzipped files as well as other types of compressions.
Stars: ✭ 119 (+221.62%)
Mutual labels:  express, gzip, brotli
Blackwidow
A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website.
Stars: ✭ 887 (+2297.3%)
Mutual labels:  xss, owasp, csrf
React
Extremely simple boilerplate, easiest you can find, for React application including all the necessary tools: Flow | React 16 | redux | babel 6 | webpack 3 | css-modules | jest | enzyme | express + optional: sass/scss
Stars: ✭ 244 (+559.46%)
Mutual labels:  babel, express, boilerplate
restler
Restler is a beautiful and powerful Android app for quickly testing REST API anywhere and anytime.
Stars: ✭ 120 (+224.32%)
Mutual labels:  gzip, http2, brotli
restio
HTTP Client for Dart inspired by OkHttp
Stars: ✭ 46 (+24.32%)
Mutual labels:  gzip, http2, brotli
Javasecurity
Java web and command line applications demonstrating various security topics
Stars: ✭ 182 (+391.89%)
Mutual labels:  xss, csp, csrf
Express Babel
Express starter kit with ES2017+ support, testing, linting, and code coverage
Stars: ✭ 621 (+1578.38%)
Mutual labels:  babel, express, boilerplate
Cazador unr
Hacking tools
Stars: ✭ 95 (+156.76%)
Mutual labels:  xss, owasp, csrf
Express Mongodb Rest Api Boilerplate
A boilerplate for Node.js apps / Rest API / Authentication from scratch - express, mongodb (mongoose).
Stars: ✭ 153 (+313.51%)
Mutual labels:  redis, express, boilerplate
restish
Restish is a CLI for interacting with REST-ish HTTP APIs with some nice features built-in
Stars: ✭ 453 (+1124.32%)
Mutual labels:  gzip, http2, brotli
Node Tutorial
☺️Some of the node tutorial -《Node学习笔记》
Stars: ✭ 364 (+883.78%)
Mutual labels:  redis, express, socket-io
Express React Boilerplate
🚀🚀🚀 This is a tool that helps programmers create Express & React projects easily base on react-cool-starter.
Stars: ✭ 32 (-13.51%)
Mutual labels:  babel, express, boilerplate
Express Boilerplate
🚀 Starter project for a RESTful API in Node with Express & mongoose component-based
Stars: ✭ 9 (-75.68%)
Mutual labels:  express, boilerplate
Next Boilerplate
A well-structured production ready Next.js boilerplate with Typescript, Redux, Jest, Enzyme, Express.js, Sass, Css, EnvConfig, Fetch, Reverse Proxy, Bundle Analyzer and Built-in Project CLI. https://pankod.github.io/next-boilerplate/
Stars: ✭ 936 (+2429.73%)
Mutual labels:  babel, boilerplate
Online Bling
Stars: ✭ 9 (-75.68%)
Mutual labels:  babel, express

express security playground

My nodejs + express security and performance playground (boilerplate).

Security Known Vulnerabilities

  1. Cookie auth (secure, http-only, sameSite)
  2. Signed session + sliding expiration
  3. Cross-Site Request Forgery (CSRF)
  4. Cross-Site WebSocket Hijacking (CSWSH)
  5. Content-Security-Policy (CSP, nonce)
  6. Strict-Transport-Security (HSTS)
  7. Public-Key-Pins (HPKP)
  8. X-Frame-Options
  9. X-XSS-Protection
  10. X-Powered-By
  11. X-Download-Options
  12. X-Content-Type-Options
  13. Rate limits (number of requests per second)

Performance

  1. HTTP2
  2. Client caching (cache-control, e-tags, expires, last-modified, cache busting)
  3. Client assets minification
  4. GZIP, deflate
  5. Precompressed assets (Brotli and Gzip support)
  6. Imagemin
  7. Node cluster
  8. Memory and redis caching

Others

  1. HTTPS
  2. Redis store (session, caching)
  3. Web sockets (socket.io, cookies authentication, shared session, redis store)
  4. Logging (winston -> Console, FileSystem)
  5. Custom errors (4XX, 5XX)
  6. Configuration + Environment (config.json + config.dev.json)
  7. Nodemon
  8. Webpack + babel + SASS + postcss + autoprefixer
  9. ES6 modules (babel, babel-preset-env)
  10. Unit tests (ES6, mocha + chai)
  11. E2E tests (ES6, mocha + chai, supertest + superagent)
  12. ESLint 3 (linting server, client, tests and pug templates)
  13. npm scripts (npm-run-all, cross-env, client tasks, server tasks)
  14. http://realfavicongenerator.net/
  15. Pug view engine

How to run

Disclaimer: The main purpose of this repository is to demonstrate security, caching and performance principles, it's not about DB, UI, UX.

Certificate

The application runs only on HTTPS, so a certificate is required. If you want to just try it locally, then generate self-signed certificate online for domain localhost and save both files into the server/certificates/ folder. Name them server.cert and server.key.

Redis The application uses Redis to store sessions, caching, websockets and saving rate limits. Please follow their installation guide.

Production build

  1. run yarn install or npm install
  2. run yarn run start or npm run start
  3. open URL https://localhost:8443/ in a browser (you can change the port if you re-run the previous command with PORT=8444 yarn run start)
  4. use any username and password to log in. There is no real DB behind the app, it's not the main purpose of the demo.

Development

  1. run yarn install or npm install
  2. run yarn run build:client
  3. run yarn run watch:server (runs nodemon so any change in server's code immediately restarts server)
  4. open URL https://localhost:5000/ in a browser (you can change the port in nodemon.json)

Running the cluster

The application can run as a cluster of node applications. Use "useCluster" option in server/config/config.json:

  • "auto": no cluster in dev mode, all possible cores in prod mode.
  • true: all possible cores in all modes.
  • any number: spawn a given number of instances.
  • anything else: no cluster in any mode.

Configuring application

You can change server/config/config.json file directly. If you are in development mode and you don't want to commit your config changes, then create config.dev.json next to the original JSON file and store your overrides there. Both configs are deeply merged together, config.dev.json takes precedence.

Running tests

  • run yarn run test:unit to run unit tests only
  • run yarn run test:vulnerabilities to check app dependencies for vulnerabilities (using nsp)

to run e2e tests, you have to start the server in development first

  • then run yarn run test:e2e

If you want to run all tests, start the server in development mode and then run yarn run test

The application uses rate limiters to prevent hundreds of requests from the same IP address. This protection must be turned off while running e2e tests, otherwise the tests will start to fail randomly after the limits are reached. To turn it off, create config.dev.json and add into it:

{
  "rateLimiter": {
    "enabled": false
  }
}
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].