Foreword
This is a boilerplate to help quickly throw up "internal use / private" style semi-secure REST api's. It comes packaged with Mongoose, express, helmet, and a whole host of security features. All of this can be configured in the settings file located in src/settings/api_settings.json.
This does not garuntee complete and utter security. This is just a simple boilerplate to throw up a semi-secure api. To achieve absolute security you must take several steps outside of this code such as server hardening, reverse proxies, firewall rules, and many other things. This is strictly a boilerplate if you want to quickly throw up api's without necessarily having to worry about immediate security vulnerabilities presented in express apps.
Security offered
- HelmetJS middleware security for headers which includes these enabled defaultly
-
- ContentSecurityPolicy
-
- dnsPrefetchControl
-
- expectCt
-
- frameguard
-
- hidePoweredBy
-
- hsts
-
- ieNoOpen
-
- noSniff
-
- PermittedCrossDomainPolicies
-
- referrerPolic
-
- xssFilter
- Key authentication if used by private seperate application (optional)
- Packaged with an express-validator in the routes to validate params
- XSS filter middleware to sanitize req.body, req.query, and req.params as well as manual filtration.
- Time based attack protection on the private key
- HaProxy loadbalancing if utilizing docker
Running
To use this download and extract files as normal and navigate to the root folder (not src). Then type npm i in console to install the dependencies. Once they are installed you will want to run the app through the npm start script.
Alternatively you can run the docker-compose up script to utilize haproxy loadbalancing & containers.
Dependencies
- Express (main framework)
- Helmet (some header protection/safe defaults)
- xss-clean (xss filtration)
- Express-validator (route data validating)
- Mongoose (databasing)
- safe-compare (time based comparison protection)
Dev-Dependencies
- Jest (unit testing framework)
Contributing
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
All code must follow standardjs principles. Keep documentation thorough as well.
-
B站视频: https://www.bilibili.com/video/BV1xz4y1X7cE MongoDB 数据库笔记 教你如何使用 node(Express) + mongoose + mongoDB 创建属于自己的 API 接口 1. mongoose mongoose是nodeJS提供连接 mongodb的一个库. 此外还有mongoskin, mongodb(mongodb官方出品
-
express-rest-api-boilerplate Express REST API with JWT Authentication and support for sqlite, mysql, and postgresql authentication via JWT routes mapping via express-routes-mapper support for sqlite,
-
API RESTful em Express, Mongoose, Mocha e Chai. Scripts Os seguintes scripts estão disponiveis com yarn run SCRIPT ou npm run SCRIPT Script Descrição test Roda o linter, roda os testes unitários e os
-
jackblog api express版 简介 Jackblog 是使用 Node.js + MongoDB + Redis + 其它客户端框架开发的个人博客系统,前后端分离,仿简书模板. 服务端有: express 版 , koa 版 客户端有: angular1.x 版 , angular2.x 版 , react 版 , vue 版 移动端有: react native 版, ionic2
-
express-mongodb-rest-api-boilerplate Also express-graphql-mongodb-boilerplate - GraphQL API Boilerplate Authentication from scratch Sign In, Sign Up, Reset Password, Change Password, Update User E-mai
-
我正在编写一个具有独立前端和后端的Web应用程序。前端用React编写,后端是运行Express终结点的node.js服务器。如何确保只有我的前端可以访问API,而不是其他任何人?我的API URL在我的前端客户端代码中公开,所以任何人都可以看到。 我在我的应用编程接口中添加了JWT身份验证,但是我仍然需要一个不受保护的 /loginendpoint来生成JWT令牌,并且为了登录来生成令牌,我必须
-
Node.js Express API with TypeScript 3 Node.js Express API with TypeScript 3. Supports MongoDB Description This skeleton will help you to build your own Node.js Express Mongodb API using TypeScript 3.