1
00:00:02,029 --> 00:00:04,160
Now to complete this section,

2
00:00:04,160 --> 00:00:08,220
there are two other aspects that also belong to security.

3
00:00:08,220 --> 00:00:10,840
I showed you some important attacks before,

4
00:00:10,840 --> 00:00:13,760
now I'm not showing attacks to you,

5
00:00:13,760 --> 00:00:16,760
but I'm going to show some mistakes to you,

6
00:00:16,760 --> 00:00:19,360
which you as a developer could make

7
00:00:19,360 --> 00:00:21,173
when you write your backend code.

8
00:00:22,140 --> 00:00:23,790
And these mistakes are

9
00:00:23,790 --> 00:00:27,250
that you might be serving folders statically

10
00:00:27,250 --> 00:00:29,970
that shouldn't be served statically,

11
00:00:29,970 --> 00:00:32,840
and that you actually might be sending

12
00:00:32,840 --> 00:00:35,410
raw error messages to your visitors

13
00:00:35,410 --> 00:00:37,780
because you might not be handling errors

14
00:00:37,780 --> 00:00:40,090
correctly on your backend.

15
00:00:40,090 --> 00:00:41,870
Now, what do I mean with serving

16
00:00:41,870 --> 00:00:43,883
the wrong folders statically?

17
00:00:44,780 --> 00:00:45,870
In our websites,

18
00:00:45,870 --> 00:00:49,480
we sometimes need to serve some content statically.

19
00:00:49,480 --> 00:00:52,680
We often do this with the express static middleware,

20
00:00:52,680 --> 00:00:53,760
and then for example,

21
00:00:53,760 --> 00:00:56,790
I'm serving the content of the public folder statically

22
00:00:56,790 --> 00:00:59,990
so that all of the pages of my website can access

23
00:00:59,990 --> 00:01:02,393
these CSS files without issues.

24
00:01:03,380 --> 00:01:05,069
Now what happens technically there

25
00:01:05,069 --> 00:01:08,650
is that requests are sent to these files.

26
00:01:08,650 --> 00:01:11,720
Now, let me show you what the implications of that are.

27
00:01:11,720 --> 00:01:14,070
If I dive into the XSS folder here

28
00:01:14,070 --> 00:01:17,490
and I start this server there again,

29
00:01:17,490 --> 00:01:20,780
and we then visit localhost 3000,

30
00:01:20,780 --> 00:01:22,790
if you open the developer tools

31
00:01:22,790 --> 00:01:25,280
and you open the network tab and reload,

32
00:01:25,280 --> 00:01:28,920
you will see requests for these CSS files there

33
00:01:28,920 --> 00:01:32,270
because the loaded page did include links

34
00:01:32,270 --> 00:01:34,940
to these files in the head section.

35
00:01:34,940 --> 00:01:36,290
And for these links,

36
00:01:36,290 --> 00:01:39,140
requests will be sent for those files

37
00:01:39,140 --> 00:01:41,240
by the browser automatically.

38
00:01:41,240 --> 00:01:43,620
And then once the requests are done,

39
00:01:43,620 --> 00:01:45,720
once the files were returned,

40
00:01:45,720 --> 00:01:48,363
the browser uses them for applying the styling.

41
00:01:49,220 --> 00:01:51,193
That's the wanted behavior here,

42
00:01:52,130 --> 00:01:54,760
but it also means that you can send requests

43
00:01:54,760 --> 00:01:56,440
for these files.

44
00:01:56,440 --> 00:01:59,790
Nothing's stopping you from creating a URL

45
00:01:59,790 --> 00:02:00,980
that looks like this,

46
00:02:00,980 --> 00:02:04,270
the domain slash styles slash base CSS,

47
00:02:04,270 --> 00:02:07,830
because that's the path to these CSS files.

48
00:02:07,830 --> 00:02:11,770
And if you send this, you can see the CSS code here.

49
00:02:11,770 --> 00:02:14,910
Now that's no problem because that's no information

50
00:02:14,910 --> 00:02:17,500
that shouldn't be viewed and you can view it

51
00:02:17,500 --> 00:02:19,240
with the dev tools anyways,

52
00:02:19,240 --> 00:02:22,630
you can see which styles are affecting which element,

53
00:02:22,630 --> 00:02:24,370
but that is what it means

54
00:02:24,370 --> 00:02:26,850
when you are serving files statically,

55
00:02:26,850 --> 00:02:29,503
they can be requested just like this.

56
00:02:31,600 --> 00:02:34,460
Now, since I'm serving the public folder statically,

57
00:02:34,460 --> 00:02:37,740
that means that anything in the public folder

58
00:02:37,740 --> 00:02:40,920
can be requested just like this.

59
00:02:40,920 --> 00:02:41,870
Hence you of course,

60
00:02:41,870 --> 00:02:45,590
should not put any data or any files in there

61
00:02:45,590 --> 00:02:48,720
that should not be publicly accessible.

62
00:02:48,720 --> 00:02:51,270
You shouldn't store user data in there

63
00:02:51,270 --> 00:02:53,400
in text or JSON files.

64
00:02:53,400 --> 00:02:56,550
You shouldn't store a password file in there.

65
00:02:56,550 --> 00:02:59,140
You should only have files in the public folder

66
00:02:59,140 --> 00:03:01,303
that may be accessed by the public.

67
00:03:02,300 --> 00:03:03,940
You also, for example,

68
00:03:03,940 --> 00:03:08,420
shouldn't start serving the overall folder

69
00:03:08,420 --> 00:03:10,870
statically like this,

70
00:03:10,870 --> 00:03:12,960
because then all your code files

71
00:03:12,960 --> 00:03:14,490
would be accessible like this

72
00:03:14,490 --> 00:03:17,850
and people could read your backend code.

73
00:03:17,850 --> 00:03:19,460
They normally can't,

74
00:03:19,460 --> 00:03:21,580
but if you start serving all the files

75
00:03:21,580 --> 00:03:23,970
in your project statically like this,

76
00:03:23,970 --> 00:03:26,190
they will be able to do so,

77
00:03:26,190 --> 00:03:28,700
and you definitely don't want that.

78
00:03:28,700 --> 00:03:30,350
And that's what you should keep in mind

79
00:03:30,350 --> 00:03:32,970
when you are serving files statically.

80
00:03:32,970 --> 00:03:35,650
All the statically served files can be requested

81
00:03:35,650 --> 00:03:38,710
without any problems, and hence you want that

82
00:03:38,710 --> 00:03:41,670
for your CSS, for your browser-side JavaScript,

83
00:03:41,670 --> 00:03:42,970
and for some images,

84
00:03:42,970 --> 00:03:45,733
but you do not want that for other files.

85
00:03:46,590 --> 00:03:49,320
So be careful when serving content statically

86
00:03:49,320 --> 00:03:52,113
and don't serve the wrong folders statically.

87
00:03:53,050 --> 00:03:54,593
So what's up with errors?

88
00:03:55,661 --> 00:03:56,950
Well you want to make sure

89
00:03:56,950 --> 00:03:59,080
that whenever something goes wrong

90
00:03:59,080 --> 00:04:01,840
in your backend code, which can happen,

91
00:04:01,840 --> 00:04:05,650
that you are handling this error somehow.

92
00:04:05,650 --> 00:04:06,610
For example,

93
00:04:06,610 --> 00:04:10,170
with that default express error handling function

94
00:04:10,170 --> 00:04:14,280
so that you send back a standardized error message

95
00:04:14,280 --> 00:04:16,920
or page to your users.

96
00:04:16,920 --> 00:04:18,540
Now, therefore you should, for example,

97
00:04:18,540 --> 00:04:22,310
make sure that you do have a custom error handling

98
00:04:22,310 --> 00:04:26,190
functionality in place and that this error object,

99
00:04:26,190 --> 00:04:27,790
which contains all the details,

100
00:04:27,790 --> 00:04:31,810
is not forwarded like that to the front end.

101
00:04:31,810 --> 00:04:34,750
And you don't want to output all the error details

102
00:04:34,750 --> 00:04:38,510
on your main page because it's nothing your users

103
00:04:38,510 --> 00:04:40,030
should see. Instead,

104
00:04:40,030 --> 00:04:44,900
simply use a generic error page there as I'm doing it here.

105
00:04:44,900 --> 00:04:46,930
That's also something you should keep in mind.

106
00:04:46,930 --> 00:04:50,300
And that was the last thing I also wanted to cover here

107
00:04:50,300 --> 00:04:54,690
to make sure that you don't add any vulnerabilities

108
00:04:54,690 --> 00:04:57,670
or leaks to your website

109
00:04:57,670 --> 00:05:00,480
where you might be exposing more information

110
00:05:00,480 --> 00:05:02,803
or more access than you want to.

