Atila
I'm on a mission to make code simple. When not recording screencasts or courses, you may find me either writing and talking about jamstack, performance, or developer tooling.
2022
@AtilaFassina
Day 4 — Security and Testing
@AtilaFassina
@AtilaFassina
↪ Jest Syntax Compatible
↪ Vite Powered
↪ Amazing DX
/// <reference types="vitest" />
import react from '@vitejs/plugin-react'
import { defineConfig } from 'vitest/config'
// https://vitejs.dev/config/
export default defineConfig({
plugins: [react()],
test: {
environment: 'jsdom',
mockReset: true,
},
})
vite.config.ts
@AtilaFassina
name: Waiting on tests
on: push
jobs:
waiting:
runs-on: ubuntu-latest
steps:
- name: Wait for Vercel Preview
uses: patrickedqvist/wait-for-vercel-preview@v1.2.0
id: waitForVercelPreviewDeployment
with:
token: ${{ secrets.GITHUB_TOKEN }}
max_timeout: 1200
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
- run: npm ci
- name: Run tests against preview url
id: integration
run: PREVIEW_URL=${{ ... }} npm run test:ci
.github/workflows/test.yml
@AtilaFassina
@AtilaFassina
man in the middle
when the attacker relays and possibly alters the communication between two parties.
client-side
email
password
email
password
@AtilaFassina
cross-site scripting
when external scripts inject malicious code to
the client-side application
client-side
🏴☠️ Keylogging
🏴☠️ Tracking
🏴☠️ Clickjacking
🏴☠️ ...
@AtilaFassina
@AtilaFassina
security in depth
mitigate vulnerabilities in as many ways possible in the case that one way fails
@AtilaFassina
strict-transport-security
expiration time (in seconds)
applies to all subdomains
not part of spec.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Check HSTS Preload List
@AtilaFassina
x-frame-options
X-Frame-Options: SAMEORIGIN
not allowed ever
only for same domain
only for a specificied URI
@AtilaFassina
x-xss-protection
X-XSS-Protection: 1; mode=block
no filter
remove unsafe parts
prevents page for rendering
filters and reports violation
@AtilaFassina
x-content-type-options
X-Content-Type-Options: nosniff
blocks browser from guessing when MIME type is not defined
@AtilaFassina
content-security-policy
'default-src'
'script-src
'connect-src'
'style-src'
'object-src'
'img-src'
'frame-ancestors'
'child-src'
'frame-src'
'base-uri
'form-action'
'worker-src'
'report-uri'
series of directives to secure content and report violations.
↪ Content-Security-Policy-Report-Only
↪ Content-Security-Policy
@AtilaFassina
content-security-policy
<meta http-equiv="Content-Security-Policy" content="default-src 'self' ...">
↪ Meta tag
next.config.mjs
export default {
async headers() {
return [
{
source: '/:path*',
headers: securityHeaders,
}
]
}
}
↪ Middleware
↪
By Atila