Penetration test of React + Node.js website, what to do - node.js

I have an upcoming pen test in a few weeks, and I'm wondering what the most important and basic things are that I can do to secure my website.
The site is built with React as the front end. It communicates with a Node.js backend with Express as a middleware. The backend sends requests to our company's API, so the API request URLs are hidden by the backend.
The frontend is hosted with NGINX on a remote server with the Node.js backend running with PM2. So far I have implemented the Helmet npm package to mask that I am using Express as a middleware and protected inputs from SQL injections. Is there anything else I am missing?
Thanks for your time
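The question mentions Helmet only as a way to hide Express. As an added example (not code from the question, from Helmet or from any answer), the block below writes out the kind of header middleware such a package installs, without Express or Helmet, so the individual headers and what each defends against are visible, and adds an audit function to run over a captured response before the test. The header values are assumed defaults; the Content-Security-Policy in particular has to be adjusted to the app's real script and API origins, and the fake response object is constructed for the demo.

```javascript
'use strict';
// Added example (not code from the question or any answer): what a
// security-header middleware actually sets, written out without Express or
// Helmet so the headers are visible, plus an audit function to run over a
// captured response before the test. Header values are assumed defaults;
// the CSP must be adjusted to the app's real script and API origins.

const SECURITY_HEADERS = {
  // Browsers must not guess a MIME type different from the declared one.
  'X-Content-Type-Options': 'nosniff',
  // Refuse to be framed by other sites (clickjacking).
  'X-Frame-Options': 'DENY',
  // HTTPS only for one year, including subdomains.
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  // Do not leak full URLs to other origins.
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  // Only same-origin scripts and assets; no plugins; no framing.
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
};

// Headers that identify the stack and should not be present at all.
const FINGERPRINT_HEADERS = ['x-powered-by', 'server'];

// Express-style middleware (req, res, next); `res` follows the
// http.ServerResponse setHeader/removeHeader API.
function securityHeaders(req, res, next) {
  // Express adds "X-Powered-By: Express" unless told otherwise.
  res.removeHeader('X-Powered-By');
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  if (typeof next === 'function') next();
}

// Audit a plain header object (e.g. copied from `curl -I` output or a
// fetch Response): which defensive headers are missing and which
// fingerprint headers leak.
function auditHeaders(headers) {
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  const missing = Object.keys(SECURITY_HEADERS).filter(
    (name) => !present.has(name.toLowerCase())
  );
  const leaking = FINGERPRINT_HEADERS.filter((name) => present.has(name));
  return { missing, leaking };
}

// Minimal stand-in for http.ServerResponse, constructed for the demo; it
// starts with the header Express would have added.
function fakeResponse() {
  const store = new Map([['x-powered-by', 'Express']]);
  return {
    setHeader: (n, v) => store.set(n.toLowerCase(), v),
    removeHeader: (n) => store.delete(n.toLowerCase()),
    getHeaders: () => Object.fromEntries(store),
  };
}

// Before/after audit of the same response.
function demo() {
  const res = fakeResponse();
  const before = auditHeaders(res.getHeaders());
  securityHeaders({}, res, () => {});
  const after = auditHeaders(res.getHeaders());
  return { before, after };
}

// In an Express app this would be registered as app.use(securityHeaders)
// before any route handler.
console.log(JSON.stringify(demo(), null, 2));
```

Running the audit against the real deployment (paste the headers from the NGINX-fronted site, not from the Node process directly) also catches the case where NGINX adds its own Server header in front of whatever the application strips.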

Related

How to connect my React app to a backend which is on a different origin

Hello Experts,
My problem is that I am developing a React.js application with some Axios calls. I am connecting to my server-side backend (which is in a different location, like a real IP address) by writing a proxy in package.json, which works fine on my PC.
But when I deploy my application on AWS in production mode, unfortunately the backend is not connecting (maybe the proxy is not working, as I learned from a Google search). In this situation, what should I do to connect my React.js app with my backend?
Please help me if you can, thanks in advance.
Usually browsers block cross-origin requests by default.
Please check the cors npm package to whitelist/allow requests from your React app to the backend server.
link: https://www.npmjs.com/package/cors
Hope this helps. :)
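The answer recommends the cors package's whitelist. As an added example (not the cors package's source and not part of the answer), the block below writes out an origin allowlist check that gives the same result as `cors({ origin: [...] })` with an array of strings, so the matching rule, the Vary header and the preflight answer are all visible. The origins in the list and in the sample requests are constructed.

```javascript
'use strict';
// Added example, not the cors package's source: an origin allowlist check
// with the same outcome as cors({ origin: [...] }), written out so the
// matching rule is visible. The origins in the list are constructed.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com', // production React build (assumed)
  'http://localhost:3000',   // local create-react-app dev server
]);

// Returns the CORS response headers for a request, or null when there is no
// Origin header (same-origin page or non-browser client) or the origin is
// not on the list. With no headers set, the browser blocks the response.
function corsHeadersFor(origin, method, allowed = ALLOWED_ORIGINS) {
  if (!origin) return null;
  // Exact match on scheme + host + port. A startsWith/includes/regex test
  // would also accept lookalikes such as app.example.com.attacker.example,
  // which is the usual allowlist bug.
  if (!allowed.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,
    // The response differs per origin, so shared caches must key on it.
    Vary: 'Origin',
    // Needed only if the API uses cookies or Authorization across origins.
    'Access-Control-Allow-Credentials': 'true',
  };
  if (method === 'OPTIONS') {
    // Preflight answer: what the browser may send in the real request.
    headers['Access-Control-Allow-Methods'] = 'GET,POST,PUT,DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type,Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Express-style middleware: app.use(corsMiddleware) before the API routes.
function corsMiddleware(req, res, next) {
  const headers = corsHeadersFor(req.headers.origin, req.method);
  if (headers) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  }
  if (req.method === 'OPTIONS') {
    // Preflights never reach a route handler.
    res.statusCode = 204;
    res.end();
    return;
  }
  next();
}

// Constructed Origin values, as a browser (or curl) would send them.
const SAMPLE_ORIGINS = [
  'https://app.example.com',
  'https://app.example.com.attacker.example',
  'http://app.example.com', // wrong scheme
  undefined,                // curl / same-origin page
];

// Which sample origins would receive CORS headers for a GET.
function demo() {
  return SAMPLE_ORIGINS.map((o) => [o, corsHeadersFor(o, 'GET') !== null]);
}

console.log(demo());
```

The exact-match rule is the part worth keeping when the list is later moved to an environment variable: if the production origin and the local dev origin are both needed, list both rather than loosening the comparison to a substring or a permissive regex.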

Is there a way to run a React app in nginx (Docker, nginx knowledge required)

I have a React app and a Node.js API server. The React app makes fetch requests to the Node.js server. The React app and Node.js server are deployed in their own containers.
The problem is that I can access the Node.js server directly in the browser, so is there a way to 'hide' the Node.js backend server and allow access only through the frontend?
It should work something like this:
React app makes a fetch request
nginx intercepts the request and forwards it to the Node.js server
Node.js handles the request
I think it can be done with an nginx reverse proxy or Docker networks or somehow...
Yes there is. What you do is run a docker-compose that runs 3 Docker containers. One container runs nginx, the second one runs the create-react-app hosted UI, and the third one runs a Node.js API. You then set the nginx routing rule for all /api/* routes to be reverse proxied to the Node.js API, then you make sure all other GET requests /* go to the create-react-app being hosted.
Here is a similar example on Medium: https://medium.com/#xiaolishen/develop-in-docker-a-node-backend-and-a-react-front-end-talking-to-each-other-5c522156f634

Connecting frontend (react) to backend (node) using codesandbox

I am using React, GraphQL and Node. Currently, my React code is on CodeSandbox, whilst my server code is on my local computer. How do I link up my frontend with my backend in this case? Do I need to deploy my server code onto Heroku or DigitalOcean before I can link them? I would like to be able to test them first before deploying my code.
I am also thinking of migrating my backend code to CodeSandbox. In this case, am I still able to link my frontend and backend code in order to test them out before deploying to the hosting provider's servers?
Thanks
Charlie is correct. I actually built my React frontend on CodeSandbox and connected it to my Node GraphQL backend on CodeSandbox too. Both must be running for that to work. Must enable CORS too for both to connect. As I'm using Apollo Server 2, I can pass cors: true to the Apollo Server constructor.

Hosting a webapp with a ReactJs frontend and ExpressJs backend

The frontend is a React SPA and the backend is a Node.js app that exposes an API. The frontend queries the API for data from time to time but other than that it is fairly independent. What is the best way to host an app like this? Should I include the build folder in the Node.js app and have the Express server serve the static contents from a route? Or should I host both separately, and set up an Nginx server for the React app on something like DO? I will host the backend on something like Heroku or Google App Engine. So considering this, what is the ideal solution? What are the pros and cons of either approach?
In the case of production, include the build folder in the Node.js app. There is a performance increase in production. You can refer to the React docs for details.
In the case of development, host it separately, so it's easier to work on it.

Get db results from (node - express - mongodb) to angular 4 securely

There is no issue between establishing a connection between Node.js & Angular. Also the database results are fine. This is the only problem I'm facing now.
I have 2 different ports but the same server:
0.0.0.0:3000 - for Node.js
0.0.0.0:4200 - for Angular
When I make an API request to Node (MongoDB) from Angular it is visible in the browser console as well as the Network tab when I inspect. How can I overcome this?
You can't. Angular is an SPA, a framework that works on the front-end. Which means once the files of the application are downloaded into the browser memory, it then launches the instance of your application.
After that, when you make a request to an API or any other URL, the browser behaves as it should: it makes the request. You have no real way to prevent this.
That doesn't mean the requests are not secure. Viewing requests made by your app in the console or the Network tab doesn't mean it's not secure.
You can use nginx as a proxy server to redirect all your REST calls to overcome this.
For detailed usage please visit here: nginx