fix(curriculum): helmet install and csp lessons (#40904)

Tom
2021-02-06 10:36:40 -06:00
committed by GitHub
parent 8a42bbdf62
commit 15227a0148
2 changed files with 7 additions and 6 deletions

View File

@ -16,7 +16,7 @@ Helmet helps you secure your Express apps by setting various HTTP headers.
All your code for these lessons goes in the `myApp.js` file between the lines of code we have started you off with. Do not change or delete the code we have added for you.
Install Helmet version `3.21.3`, then require it.
Install Helmet version `3.21.3`, then require it. You can install a specific version of a package with `npm install --save-exact package@version`, or by adding it to your `package.json` directly.
# --hints--
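Review bot: the added hint on the second `Install Helmet version` line leaves the learner to substitute both placeholders in `npm install --save-exact package@version`; since the lesson names the package and the exact version, spelling out the concrete command (`npm install --save-exact helmet@3.21.3`) is clearer, and it is worth saying why `--save-exact` matters: without it npm records a caret range such as `^3.21.3` in `package.json` rather than the pinned `3.21.3` the instruction asks for.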
@ -26,8 +26,9 @@ Install Helmet version `3.21.3`, then require it.
(getUserInput) =>
$.get(getUserInput('url') + '/_api/package.json').then(
(data) => {
var packJson = JSON.parse(data);
assert(packJson.dependencies.helmet === '3.21.3');
const packJson = JSON.parse(data);
const helmet = packJson.dependencies.helmet;
assert(helmet === '3.21.3' || helmet === '^3.21.3');
},
(xhr) => {
throw new Error(xhr.responseText);
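Review bot: the new `const helmet = packJson.dependencies.helmet;` line throws a `TypeError` instead of an assertion message when the learner's `package.json` has no `dependencies` object at all, so the hint reads as a script error rather than a failed check; guard it (`const deps = packJson.dependencies || {};`) before reading `helmet`. Also, the accepted set is just the two literals `'3.21.3'` and `'^3.21.3'`; a learner who edits `package.json` by hand, as the instructions now permit, and writes `~3.21.3` would be rejected for an equivalent install, so either accept that form too or state in the instructions that only the exact or caret form passes.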

View File

@ -16,13 +16,13 @@ By default, directives are wide open, so its important to set the defaultSrc
# --instructions--
In this exercise, use `helmet.contentSecurityPolicy()`, and configure it setting the `defaultSrc directive` to `["self"]` (the list of allowed sources must be in an array), in order to trust only your website address by default. Set also the `scriptSrc` directive so that you will allow scripts to be downloaded from your website, and from the domain 'trusted-cdn.com'.
In this exercise, use `helmet.contentSecurityPolicy()`. Configure it by adding a `directives` object. In the object, set the `defaultSrc` to `["'self'"]` (the list of allowed sources must be in an array), in order to trust only your website address by default. Also set the `scriptSrc` directive so that you only allow scripts to be downloaded from your website (`'self'`), and from the domain `'trusted-cdn.com'`.
Hint: in the `self` keyword, the single quotes are part of the keyword itself, so it needs to be enclosed in double quotes to be working.
Hint: in the `'self'` keyword, the single quotes are part of the keyword itself, so it needs to be enclosed in double quotes to be working.
# --hints--
helmet.csp() middleware should be mounted correctly
helmet.contentSecurityPolicy() middleware should be mounted correctly
```js
(getUserInput) =>
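Review bot: in the rewritten instructions line, `'trusted-cdn.com'` is shown with single quotes inside the backticks, in the same style as `'self'`, but in CSP only keyword sources take the single quotes; a host source is written bare, so a learner who copies it into the array as `"'trusted-cdn.com'"` produces a source expression that is not a valid host-source and will not allow the CDN. Write it as `trusted-cdn.com` (or `"trusted-cdn.com"` if showing the JavaScript string) so it is not confused with the quoted keyword. On the hint line, "to be working" should read "to work", and the hint could add that `'self'` is the keyword while the domain is written without the inner quotes, which is exactly the distinction the exercise depends on.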