Monday, August 9, 2021

Security with Sails JS

Sails and Express provide built-in, easily configurable protection against most known types of web-application-level attacks.

CORS

DDOS

CSRF

Clickjacking

P3P

Content Security Policy

Socket hijacking

XSS

Strict Transport Security

Above are the major security-related topics. This post looks at CORS.

CORS is a mechanism that allows browser scripts on pages served from other domains (e.g. myothersite.com) to talk to your server (e.g. api.mysite.com). Like JSONP, the goal of CORS is to circumvent the same-origin policy, allowing your Sails server to successfully respond to requests from client-side JavaScript code running on a page hosted from some other domain. Unlike JSONP, it works with more than just GET requests, and it allows you to whitelist particular origins (staging.yoursite.com or yourothersite.net) and prevent requests from others (evil.com).

Enabling CORS

For security reasons, CORS is disabled by default in Sails. But enabling it is simple.

To allow cross-origin requests from a whitelist of trusted domains to any route in your app, enable allRoutes and provide an allowOrigins setting in config/security.js:

cors: {
  allRoutes: true,
  allowOrigins: ['http://example.com','https://api.example.com','http://blog.example.com:1337','https://foo.com:8888']
}

To allow cross-origin requests from any domain to any route in your app, use allowOrigins: '*':

cors: {
  allRoutes: true,
  allowOrigins: '*',
  allowCredentials: false
}

Configuring CORS for individual routes

In addition to the global CORS configuration in config/security.js, these settings can be configured on a per-route basis in config/routes.js.

If you set allRoutes: true in config/security.js but want to exempt a specific route, set cors: false in the route's target:

'POST /signup': {
   action: 'user/signup',
   cors: false
}

To enable or override the global CORS configuration for a particular route, provide cors as a dictionary:

'GET /videos': {
   action: 'video/find',
   cors: {
     allowOrigins: ['http://example.com','https://api.example.com','http://blog.example.com:1337','https://foo.com:8888'],
     allowCredentials: false
   }
}
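The following is an added example, not Sails' own code: a small model of how a global allow-list like the one above, combined with per-route cors settings, decides which CORS response headers a request gets. It assumes origins match as exact strings (scheme, host and port), that a route-level cors dictionary is merged over the global one, and that a wildcard origin is never combined with credentials.

```javascript
// Added example (not Sails' own implementation): models how a CORS
// origin allow-list and per-route overrides decide the response headers.
// Assumptions: exact-string origin matching, route config merged over global,
// and no credentials are ever sent with a wildcard origin.

// Global setting, mirroring config/security.js from the text.
const globalCors = {
  allRoutes: true,
  allowOrigins: ['http://example.com', 'https://api.example.com',
                 'http://blog.example.com:1337', 'https://foo.com:8888'],
  allowCredentials: false,
};

// Per-route overrides, mirroring config/routes.js (constructed sample).
const routes = {
  'POST /signup': { action: 'user/signup', cors: false },
  'GET /videos':  { action: 'video/find',
                    cors: { allowOrigins: '*', allowCredentials: false } },
};

// Returns the CORS headers a route would send for a given Origin header.
// An empty object means the browser will refuse to expose the response.
function corsHeaders(route, originHeader, global = globalCors, table = routes) {
  const routeCfg = table[route] ? table[route].cors : undefined;
  if (routeCfg === false) return {};                   // route explicitly exempted
  const cfg = (routeCfg && typeof routeCfg === 'object')
    ? { ...global, ...routeCfg } : global;
  if (!routeCfg && !cfg.allRoutes) return {};          // CORS off globally
  if (!originHeader) return {};                        // same-origin or non-browser client

  const wildcard = cfg.allowOrigins === '*';
  const allowed = wildcard ||
    (Array.isArray(cfg.allowOrigins) && cfg.allowOrigins.includes(originHeader));
  if (!allowed) return {};                             // e.g. evil.com, or wrong port

  const headers = {};
  if (wildcard) {
    // Browsers reject "*" together with Allow-Credentials, so credentials
    // are only ever granted to an explicitly listed origin.
    headers['Access-Control-Allow-Origin'] = '*';
  } else {
    headers['Access-Control-Allow-Origin'] = originHeader;
    headers['Vary'] = 'Origin';                        // keep caches per origin
    if (cfg.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}
```

Note that 'http://example.com:8080' is rejected even though 'http://example.com' is listed: the port is part of the origin, so each one that should be allowed must appear in the list.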

CORS support is only relevant for HTTP requests. Requests made via sockets are not subject to cross-origin restrictions. To ensure that your app is secure via sockets, configure the onlyAllowOrigins setting (typically in config/env/production.js).

References:

https://sailsjs.com/documentation/concepts/security
