I'm using a simple cookie session with hashing for the password. For Express 3.x I was using the following code with a custom middleware in order to avoid that a non logged user is allowed to see not authorized data:
res.header('Cache-Control', 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0');
res.header('Pragma', 'no-cache');
res.header('Expires', 0);
The above code is not working with Express 4.3.0. It means if a user log out and use the back button, then this user is allowed to see old data that need authorization. Any idea?
Related
I am trying to avoid clickjacking for the application. So, I set the x-frame-options header to deny but it is still opening iframes and any clickjack testing sites.
app.all('*', (req, res, next) => {
console.log('Before processing - ', req.url, req.method);
res.header('Access-Control-Allow-Credentials', true);
res.header('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0');
res.header('Access-Control-Allow-Origin', req.headers.origin);
res.header('Strict-Transport-Security', 'maxAge=100000');
res.header('X-Frame-Options', 'DENY');
res.header('Content-Security-Policy', "frame-ancestors 'none'");
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header('Access-Control-Allow-Headers', 'Cookies, cookies, x-access-token, Origin, Content-Type, Accept');
return next();
});
Try to set your X-Frame-Options header using npm package helmet. Run npm install helmet --save in your app. And in your server file make these changes:
const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet());
Now to set X-Frame-Options as DENY, Add:
app.use(helmet.frameguard({ action: 'deny' }));
For more details, see https://helmetjs.github.io/docs/frameguard/. This setting denies all <iframe> content.
Sorry for interfere, but all works as intented, see https://repl.it/#egranty/Test-for-Anita.
After push green start button the NodeJS sanbox is started. Test page can be opened in a separate tab and be insetred into https://www.lookout.net/test/clickjack.html or https://clickjacker.io/test?url=https://test-for-anita--egranty.repl.co/.
Here is results in Chrome:
Note that if are published both X-Frame-Options and Content-Security-Policy: frame-ancestors at the same time, the last one overrides the X-Frame-Options in the modern browsers except Safari.
That's why browser console shows lock in the frame-ancestors 'none', but not in the X-Frame-Options.
So, you have a work NodeJS code, a work clickjacking test tools and as we can observe, X-FRAME-OPTIONS / CSP frame-ancestors definitely prohibits embedding pages.
May be some browser plugins interfere or it need to clear browser cache. But I think your nodeJS installation is broken and you need to reinstall it.
I'm trying to update my SailsJs application to fix the blank page wich I'm geting on Heroku, but I'm getting the status 304 not modified from browser.
I think I did everything I need to fix the blank page on my app, but I dont know why the page is not updating on Heroku
My Procfile:
web: node app.js
I appreciate if anyone can help.
Thanks!
I don't think that you need to fix anything. If you try to call the same url using POSTMAN or different browser you should get status 200.
You can add this to a policy instead and then just apply it to the specific pages/requests you want - if you do not want to set this for the entire application.
/api/policies/nocache.js:
/**
* Sets no-cache header in response.
*/
module.exports = function (req, res, next) {
sails.log.info("Applying disable cache policy");
res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
res.header('Expires', '-1');
res.header('Pragma', 'no-cache');
next();
};
Don't forget to include nocatche into config/policy.js
'*': 'nocatche'
I'm using Express and Node to build a web, where the client uses RESTful API to get Json response to show a list of objects.
After creating a new object, the app should request a new json response of the updated object list. Chrome works fine - new json response returned with status code 200 OK. However, things are not good in IE and Edge - it seems the browser just fetch the json response from cache (with status code 304), instead of making a new request. If I manually clear the browser cache data things will be fine.
I tried this solution: using a middleware to set max-age of cache-control res.header to be 0
function headerSet(req, res, next) {
res.header('Cache-Control', 'public, max-age=0');
return next();
}
And in the response header I can see accordant settings taking effect, however, IE and Edge still refuse to make a new request - I'm still getting the unupdated json response with 304.
What possibly have I done wrong?
Instead of setting max age try with the following.
res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
I have an application on node.js using sails.js as a framework. For displaying the informations to the user I have implemented some .ejs files.
When navigating using links within the app menu, I receive a "304 - Nod Modified" response. Also, within headers in the response I see Etag, If-None-Match or Expires.
After reading some posts, I have added the "app.disable('etag')" statement within /config/express.js file in the customMiddleware function and etag and if-none-match are not sent anymore.
Anyway, now I do not see any request made to the server (just the first one is made) when accessing different pages (not even 304 response).
How can I tell sails.js to stop caching my pages?
You can add this to a policy instead and then just apply it to the specific pages/requests you want - if you do not want to set this for the entire application.
/api/policies/nocache.js:
/**
* Sets no-cache header in response.
*/
module.exports = function (req, res, next) {
sails.log.info("Applying disable cache policy");
res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
res.header('Expires', '-1');
res.header('Pragma', 'no-cache');
next();
};
It seems that adding the code below solved my problem:
res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
res.header('Expires', '-1');
res.header('Pragma', 'no-cache');
These line should be included in the customMiddleware function from the /config/express.js file.
If there is a cleaner way to achieve the same result, please reply.
I use node-formidable to process a form via POST at http://127.0.0.1/upload. After processing, I want to redirect the user to http://127.0.0.1/. Currently, I need to reload http://127.0.0.1/ in order to see the uploaded data. I assume I need to tweak a cache setting.
How can I do this in Node.js? Do I set Cache-Control: no-cache on http://127.0.0.1/ or /upload?
you set it on http://127.0.0.1.
try something like this:
res.header('Cache-Control', 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0');