Issue #9: Setup Security

- Install helmet - Install express-rate-limit
codebru · Jul 23, 2019 · 9a7848f · 9a7848f
1 parent 7d6aa26
commit 9a7848f
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/index.js b/index.js
@@ -1,13 +1,20 @@
 /* INCLUDES ****************************** */
 const express = require('express');
 const session = require('express-session');
+const rateLimit = require('express-rate-limit');
+const helmet = require('helmet');
 const passport = require('passport');
 const flash = require('flash');
 const bodyParser = require('body-parser');
 const dotenv = require('dotenv');
 const passportConfig = require('./Middleware/Passport/config');
 /* **************************************** */
 
+/* CONSTANTS ****************************** */
+const RATELIMITHITS = 10;
+const RATELIMITINTERVAL = 1 * 60 * 1000; // 1 Min
+/* **************************************** */
+
 /* INCLUDE CONFIGS ************************ */
 dotenv.config();
 /* **************************************** */
@@ -22,10 +29,30 @@ const app = express();
 app.use(bodyParser());
 /* **************************************** */
 
+/* SECURITY SETUP ************************* */
+// Potentiall could run only on production
+
+// Enable if you're behind a reverse proxy (Heroku, Bluemix, AWS ELB, Nginx, etc)
+// see https://expressjs.com/en/guide/behind-proxies.html
+// app.set('trust proxy', 1);
+
+const limiter = rateLimit({
+  windowMs: RATELIMITINTERVAL,
+  max: RATELIMITHITS,
+});
+
+// only apply to requests that begin with /api/
+app.use(limiter);
+app.use(helmet());
+/* **************************************** */
+
 /* SESSION SETUP ************************** */
 const sesh = {
   secret: 'Oh hi there', // Replaced with proper setup in production
-  cookie: { secure: false },
+  cookie: {
+    secure: false,
+    maxAge: 60000,
+  },
 };
 
 if (app.get('env') === 'production') {

diff --git a/package.json b/package.json
@@ -36,8 +36,10 @@
     "body-parser": "^1.19.0",
     "dotenv": "^8.0.0",
     "express": "^4.17.1",
+    "express-rate-limit": "^5.0.0",
     "express-session": "^1.16.2",
     "flash": "^1.1.0",
+    "helmet": "^3.19.0",
     "node-fetch": "^2.6.0",
     "passport": "^0.4.0",
     "passport-local": "^1.0.0"