1
00:00:01,090 --> 00:00:02,080
‫{\an8}So, in this video,

2
00:00:02,080 --> 00:00:04,810
‫{\an8}we're gonna use yet another NPM package

3
00:00:04,810 --> 00:00:06,320
‫{\an8}in order to set a couple of

4
00:00:06,320 --> 00:00:09,523
‫{\an8}really important security http headers.

5
00:00:11,150 --> 00:00:12,570
‫So, to set these headers

6
00:00:12,570 --> 00:00:15,530
‫we will yet again use a middleware function

7
00:00:15,530 --> 00:00:17,993
‫which will come again from an NPM package.

8
00:00:18,890 --> 00:00:21,050
‫So, let's install that

9
00:00:21,050 --> 00:00:23,293
‫and it's called helmet.

10
00:00:24,400 --> 00:00:27,800
‫So this is kind of a standard in express development

11
00:00:27,800 --> 00:00:29,980
‫so everyone who's building an express app

12
00:00:29,980 --> 00:00:33,550
‫should always use this helmet package, all right.

13
00:00:33,550 --> 00:00:35,950
‫Because again, express doesn't use

14
00:00:35,950 --> 00:00:39,030
‫all the security best practices out of the box.

15
00:00:39,030 --> 00:00:42,730
‫And so we basically need to manually go ahead

16
00:00:42,730 --> 00:00:45,453
‫and put them there, okay.

17
00:00:46,960 --> 00:00:49,283
‫So, const, helmet,

18
00:00:51,060 --> 00:00:52,053
‫require,

19
00:00:53,780 --> 00:00:54,613
‫helmet.

20
00:00:55,790 --> 00:00:59,253
‫Okay and so let's do this right after this one,

21
00:01:00,720 --> 00:01:02,920
‫and this one couldn't be any easier

22
00:01:02,920 --> 00:01:05,170
‫all we need to do is call helmet here

23
00:01:06,420 --> 00:01:08,810
‫and so that will then produce the middleware function

24
00:01:08,810 --> 00:01:12,520
‫that should be put right here, okay.

25
00:01:12,520 --> 00:01:13,870
‫So in app.use,

26
00:01:13,870 --> 00:01:17,220
‫we always need a function, not a function call, right?

27
00:01:17,220 --> 00:01:19,380
‫So here we are calling this function

28
00:01:19,380 --> 00:01:21,860
‫and this will then in turn return a function

29
00:01:21,860 --> 00:01:25,450
‫that's gonna be sitting here until it's called, all right.

30
00:01:25,450 --> 00:01:28,660
‫And it's best to use this helmet package

31
00:01:28,660 --> 00:01:30,550
‫early in the middleware stack

32
00:01:30,550 --> 00:01:34,180
‫so that these headers are really sure to be set, okay.

33
00:01:34,180 --> 00:01:36,370
‫So don't put it like somewhere at the end

34
00:01:36,370 --> 00:01:37,620
‫put it right in the beginning

35
00:01:37,620 --> 00:01:40,770
‫and actually let's put it really here in the beginning

36
00:01:40,770 --> 00:01:45,550
‫as the first of all middlewares, okay.

37
00:01:45,550 --> 00:01:48,380
‫And we are really growing our middleware stack here

38
00:01:48,380 --> 00:01:50,713
‫let's just give each of them a name.

39
00:01:52,180 --> 00:01:54,713
‫So, security, HTP,

40
00:01:56,210 --> 00:01:57,053
‫headers.

41
00:01:57,053 --> 00:01:59,810
‫That of course, not correct.

42
00:01:59,810 --> 00:02:01,490
‫and too let's actually use a VRP.

43
00:02:01,490 --> 00:02:03,223
‫Set security HTP,

44
00:02:06,170 --> 00:02:07,180
‫limit requests

45
00:02:08,790 --> 00:02:10,363
‫from same API.

46
00:02:11,310 --> 00:02:13,160
‫Now we here we have this one as well.

47
00:02:15,370 --> 00:02:18,893
‫So this is development logging basically.

48
00:02:21,570 --> 00:02:24,953
‫Then this one here is called the body parser.

49
00:02:27,470 --> 00:02:28,740
‫So basically reading

50
00:02:30,660 --> 00:02:35,323
‫data from the body into req.body.

51
00:02:36,880 --> 00:02:37,760
‫Okay.

52
00:02:37,760 --> 00:02:39,360
‫And actually, since we're here,

53
00:02:39,360 --> 00:02:41,560
‫let's implement that thing that I mentioned

54
00:02:41,560 --> 00:02:43,030
‫in the theory lecture

55
00:02:43,030 --> 00:02:45,630
‫where I said that we can limit the amount of data

56
00:02:45,630 --> 00:02:47,940
‫that comes in the body.

57
00:02:47,940 --> 00:02:49,430
‫Remember that?

58
00:02:49,430 --> 00:02:52,740
‫So, here in json, we can actually specify

59
00:02:52,740 --> 00:02:55,170
‫some options and for that as always

60
00:02:55,170 --> 00:02:56,800
‫we pass an object.

61
00:02:56,800 --> 00:02:58,023
‫And so we here can say,

62
00:02:59,230 --> 00:03:04,150
‫limit and let's limit it to 10 kilobyte, okay.

63
00:03:04,150 --> 00:03:06,290
‫And so the package will then understand

64
00:03:06,290 --> 00:03:08,570
‫it will parse this string here

65
00:03:08,570 --> 00:03:10,920
‫into a meaningful data, all right?

66
00:03:10,920 --> 00:03:14,760
‫And so now when we have a body larger than 10 kilobyte

67
00:03:14,760 --> 00:03:17,943
‫it will basically not be accepted, all right?

68
00:03:19,010 --> 00:03:20,040
‫Then finally, this one here

69
00:03:20,040 --> 00:03:21,400
‫is for serving

70
00:03:23,490 --> 00:03:25,780
‫static files, okay.

71
00:03:25,780 --> 00:03:29,373
‫And this is finally just like, some test middleware here.

72
00:03:30,380 --> 00:03:33,450
‫Let's just keep it here because sometimes it's useful.

73
00:03:33,450 --> 00:03:36,330
‫For example, for taking a look at the headers here

74
00:03:36,330 --> 00:03:38,690
‫like we did back then.

75
00:03:38,690 --> 00:03:41,540
‫Okay, so that is helmet.

76
00:03:41,540 --> 00:03:42,820
‫Let's now do a request

77
00:03:42,820 --> 00:03:45,519
‫and then take a look at all the headers

78
00:03:45,519 --> 00:03:47,333
‫that it gives us basically.

79
00:03:48,960 --> 00:03:50,840
‫So let's send it here

80
00:03:50,840 --> 00:03:53,250
‫and then now you see we have 14 headers.

81
00:03:53,250 --> 00:03:55,370
‫So that's a lot more than before

82
00:03:55,370 --> 00:03:58,150
‫and so the new ones are basically this one here,

83
00:03:58,150 --> 00:03:59,803
‫prefetch control off.

84
00:04:00,840 --> 00:04:03,363
‫we have this strict transport security,

85
00:04:04,560 --> 00:04:06,980
‫you have the download options,

86
00:04:06,980 --> 00:04:10,150
‫there's also this one here for XSS protection

87
00:04:10,150 --> 00:04:12,470
‫and so the browser understands these headers

88
00:04:12,470 --> 00:04:15,750
‫and can then act on them basically, all right.

89
00:04:15,750 --> 00:04:17,180
‫Let's quickly actually take a look

90
00:04:17,180 --> 00:04:18,913
‫at the helmet documentation.

91
00:04:23,020 --> 00:04:24,520
‫So of course as always

92
00:04:24,520 --> 00:04:26,680
‫that's on GitHub.

93
00:04:26,680 --> 00:04:29,910
‫And so here you see basically all the middlewares

94
00:04:29,910 --> 00:04:31,160
‫that are included.

95
00:04:31,160 --> 00:04:32,730
‫Because helmet is in fact

96
00:04:32,730 --> 00:04:34,843
‫a collection of multiple middlewares.

97
00:04:37,090 --> 00:04:39,130
‫So that's actually what is says here.

98
00:04:39,130 --> 00:04:42,040
‫So it's a collection of 14 smaller middlewares

99
00:04:42,040 --> 00:04:44,890
‫and some of them are active by default

100
00:04:44,890 --> 00:04:46,470
‫which are these ones here

101
00:04:46,470 --> 00:04:48,620
‫marked like this.

102
00:04:48,620 --> 00:04:49,800
‫And so if you're interested,

103
00:04:49,800 --> 00:04:52,490
‫you can take a look at all of these others

104
00:04:52,490 --> 00:04:54,800
‫and then if you think you need some of them

105
00:04:54,800 --> 00:04:57,770
‫you can of course then turn it on specifically.

106
00:04:57,770 --> 00:05:00,330
‫and it tells you how to do that

107
00:05:00,330 --> 00:05:03,390
‫also up here in the documentation, okay.

108
00:05:03,390 --> 00:05:05,630
‫But I'm fine just with the default options

109
00:05:06,510 --> 00:05:08,520
‫And so...

110
00:05:08,520 --> 00:05:10,630
‫Now, that was actually very simple

111
00:05:10,630 --> 00:05:13,773
‫and so let's now quickly move on to the next video.