How to make it more secure? #106

Open
sakhmedbayev opened this issue Dec 1, 2020 · 2 comments

Comments

@sakhmedbayev

Thank you for the repo and tutorials!

The readme says that

Due to its simplicity, aspects such as security must be reconsidered before being used in production.

What would be your recommendations to improve the security of the current approach?

@ItaiAxelrad
Contributor

Similar to an express app, adding middlewares can help improve security. I think helmet is a great start, along with a rate limiter like express-rate-limit and maybe cors.

As an example, create a new file for your desired middleware:

// @/middlewares/helmet.js
import helmet from 'helmet';

// Build one helmet middleware with a custom Content-Security-Policy.
// The configured middleware must be kept and exported; calling
// helmet.contentSecurityPolicy() and discarding its result does nothing.
// CSP keywords such as 'self' must keep their single quotes inside the string.
const helmetMiddleware = helmet({
  contentSecurityPolicy: {
    directives: {
      ...helmet.contentSecurityPolicy.getDefaultDirectives(),
      'script-src': ["'self'", process.env.WEB_URI],
    },
    // Report-only in development so violations are logged rather than blocked.
    reportOnly: process.env.NODE_ENV === 'development',
  },
});

export default helmetMiddleware;

Then add the middleware into the chain of use methods of next-connect:

// middlewares/all.js
import nc from 'next-connect';
import cors from 'cors';
import helmet from '@/middlewares/helmet';
const middlewares = nc().use(helmet).use(cors()); // ...rest of middlewares

Hope that helps!

@ItaiAxelrad
Contributor

Forgot to add that having some sort of schema validation can also help with security. Mongoose is a popular Object Data Modeling (ODM) package though MongoDB now offers its own schema validation.
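Putting the schema-validation point into practice, as an added example that is neither the repo's nor the commenters' code: a hand-rolled request-body validator (not Mongoose or MongoDB's validator) written as a plain (req, res, next) function so it drops into the next-connect chain shown above. The userSchema fields, the rule keys and the fake req/res harness are assumptions; the unknown-field rejection goes a step beyond what the comment states.

```javascript
// Constructed example (not the project's code): schema-validation middleware in
// the (req, res, next) shape next-connect's .use() accepts; placeholder fields.
const userSchema = {
  name: { type: 'string', required: true, maxLength: 64 },
  email: { type: 'string', required: true, maxLength: 254 },
  age: { type: 'number' },
};
// Returns a list of problems; an empty list means the body is acceptable.
function validateAgainst(schema, body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return ['body must be a JSON object'];
  }
  const errors = [];
  // Unknown fields are rejected so a client cannot set attributes the handler
  // never meant to expose (mass assignment). hasOwnProperty goes through the
  // prototype because a parsed JSON body may itself carry a "__proto__" key.
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  for (const [key, rule] of Object.entries(schema)) {
    const value = body[key];
    if (value === undefined) {
      if (rule.required) errors.push(`missing field: ${key}`);
    } else if (typeof value !== rule.type) {
      errors.push(`${key} must be a ${rule.type}`);
    } else if (rule.maxLength !== undefined && value.length > rule.maxLength) {
      errors.push(`${key} exceeds ${rule.maxLength} characters`);
    }
  }
  return errors;
}
// Middleware factory, e.g. nc().use(validateBody(userSchema)).post(handler);
// on failure it answers 400 and skips next(), so the handler never runs.
function validateBody(schema) {
  return (req, res, next) => {
    const errors = validateAgainst(schema, req.body);
    if (errors.length > 0) return res.status(400).json({ errors });
    next();
  };
}
// Minimal fake req/res so the middleware can be exercised without a server.
function runMiddleware(middleware, body) {
  const result = { status: 200, payload: undefined, nextCalled: false };
  const res = { status(code) { result.status = code; return res; },
                json(payload) { result.payload = payload; return res; } };
  middleware({ body }, res, () => { result.nextCalled = true; });
  return result;
}
```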
