
Helmet


Helmet can help protect your application from some well-known web vulnerabilities by setting HTTP headers appropriately. Generally speaking, Helmet is just a collection of smaller middleware functions that set security-related HTTP headers (read more here).

Hint

Note that applying helmet as global middleware, or registering it, must come before other calls to app.use() or before setup functions that may call app.use(). This is due to the way the underlying platform (i.e., Express or Fastify) works, where the order in which middleware/routes are defined matters. If you use middleware like helmet or cors after you define a route, that middleware will not apply to that route; it will only apply to routes defined after the middleware.

Usage with Express (default)

Start by installing the required package.

Terminal
$ npm i --save helmet

Once the installation is complete, apply it as a global middleware.

TypeScript
import helmet from 'helmet';
// somewhere in your initialization file
app.use(helmet());

Warning

When using helmet, @apollo/server (4.x) and Apollo Sandbox together, there may be a problem with CSP on the Apollo Sandbox. To resolve this issue, configure the CSP as shown below:

app.use(
  helmet({
    crossOriginEmbedderPolicy: false,
    contentSecurityPolicy: {
      directives: {
        imgSrc: [`'self'`, 'data:', 'apollo-server-landing-page.cdn.apollographql.com'],
        scriptSrc: [`'self'`, `https: 'unsafe-inline'`],
        manifestSrc: [`'self'`, 'apollo-server-landing-page.cdn.apollographql.com'],
        frameSrc: [`'self'`, 'sandbox.embed.apollographql.com'],
      },
    },
  }),
);

Usage with Fastify

If you are using the FastifyAdapter, install the @fastify/helmet package:

Terminal
$ npm i --save @fastify/helmet

fastify-helmet should not be used as a middleware, but as a Fastify plugin, i.e., by using app.register():

TypeScript
import helmet from '@fastify/helmet'
// somewhere in your initialization file
await app.register(helmet)

Warning

When using apollo-server-fastify and @fastify/helmet together, there may be a problem with CSP on the GraphQL playground. To solve this collision, configure the CSP as shown below:

await app.register(fastifyHelmet, {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: [`'self'`, 'unpkg.com'],
      styleSrc: [
        `'self'`,
        `'unsafe-inline'`,
        'cdn.jsdelivr.net',
        'fonts.googleapis.com',
        'unpkg.com',
      ],
      fontSrc: [`'self'`, 'fonts.gstatic.com', 'data:'],
      imgSrc: [`'self'`, 'data:', 'cdn.jsdelivr.net'],
      scriptSrc: [
        `'self'`,
        `https: 'unsafe-inline'`,
        `cdn.jsdelivr.net`,
        `'unsafe-eval'`,
      ],
    },
  },
});

// If you are not going to use CSP at all, you can use this:
await app.register(fastifyHelmet, {
  contentSecurityPolicy: false,
});
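Both workarounds above relax the CSP (`https: 'unsafe-inline'` in each, plus `'unsafe-eval'` in the Fastify one), so it is worth checking what header they actually produce. As an added example that is not part of the NestJS docs or of Helmet, the following Node script renders a Helmet-style `directives` object into a header value and audits it for such sources; the rendering rules (camelCase to kebab-case, sources joined by spaces, directives separated by "; ") are an assumption that mirrors Helmet's observable output, not its code.

```javascript
// Convert a Helmet-style camelCase directive name to the header form.
function toKebab(name) {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Render { imgSrc: ["'self'", 'data:'] } into "img-src 'self' data:".
// Assumption: camelCase -> kebab-case, sources joined by spaces, directives
// separated by "; " (a simplified rendering, not Helmet's own code).
function renderCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => `${toKebab(name)} ${values.join(' ')}`.trim())
    .join('; ');
}

// Parse a CSP header value back into { 'img-src': ["'self'", 'data:'] }.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name] = values;
  }
  return out;
}

// Sources that let any inline script, any HTTPS origin or eval() run code.
const WEAK_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", 'https:', 'http:', '*']);

// Return one finding per weak source, e.g. "script-src allows 'unsafe-eval'".
function auditCsp(header) {
  const findings = [];
  for (const [name, values] of Object.entries(parseCsp(header))) {
    for (const v of values) {
      if (WEAK_SOURCES.has(v)) findings.push(`${name} allows ${v}`);
    }
  }
  return findings;
}

// Constructed sample: the directives from the Express/Apollo Sandbox warning.
// Note that `https: 'unsafe-inline'` is one array element holding two sources.
const apolloDirectives = {
  imgSrc: ["'self'", 'data:', 'apollo-server-landing-page.cdn.apollographql.com'],
  scriptSrc: ["'self'", "https: 'unsafe-inline'"],
  manifestSrc: ["'self'", 'apollo-server-landing-page.cdn.apollographql.com'],
  frameSrc: ["'self'", 'sandbox.embed.apollographql.com'],
};

console.log(renderCsp(apolloDirectives));
console.log(auditCsp(renderCsp(apolloDirectives)));
```

The audit shows that the workaround leaves script-src open to any HTTPS origin and to inline scripts; scope the workaround to the environments where the Sandbox or playground is actually served rather than shipping it to production unchanged.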