Securing Cookies
In the previous exercise, we saw how cookies can be used to steal user’s data. An express server that uses express-session to store cookies has the properties httpOnly and secure to configure how to store and send cookies. Setting httpOnly and secure to true helps mitigate the risk of client-side script accessing the protected cookie.
In order to set up a cookie in an Express server, you can use the library express-session to set up a session and configure the application with specific properties pertaining to cookies:
Setting Security Headers
Moreover, we can include the helmet package to edit HTTP headers. Helmet.js is a collection of 15 Node modules that interface with Express. Each module provides configuration options for securing different HTTP headers. One of them being the contentSecurityPolicy which is an added layer of security that helps to detect and mitigate certain types of attacks. Fortunately, by just including this package in your express app, 11 of these modules (including the content security policy module) will be configured automatically.
You can use helmet by adding the following line of code:
Instructions
Secure the cookie by setting the httpOnly and secure attributes to the correct values.
Automatically enable a number of security headers by adding helmet to this application.
requirethe package and store it in aconstnamedhelmet.- Use
helmetin your application.
Note: If you implement helmet properly, the mini browser may appear broken. This is because of the security headers helmet enables. While inconvenient for this exercise, this is good for real-world security!
