From 15227a0148d8136aeb082ebb0435f37c8436b47d Mon Sep 17 00:00:00 2001
From: Tom <20648924+moT01@users.noreply.github.com>
Date: Sat, 6 Feb 2021 10:36:40 -0600
Subject: [PATCH] fix(curriculum): helmet install and csp lessons (#40904)

---
 .../install-and-require-helmet.md | 7 ++++---
 ...nt-security-policy-with-helmet.contentsecuritypolicy.md | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/install-and-require-helmet.md b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/install-and-require-helmet.md
index 0a58f1d597..2896bbee59 100644
--- a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/install-and-require-helmet.md
+++ b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/install-and-require-helmet.md
@@ -16,7 +16,7 @@ Helmet helps you secure your Express apps by setting various HTTP headers.
 
 All your code for these lessons goes in the `myApp.js` file between the lines of code we have started you off with. Do not change or delete the code we have added for you.
 
-Install Helmet version `3.21.3`, then require it.
+Install Helmet version `3.21.3`, then require it. You can install a specific version of a package with `npm install --save-exact package@version`, or by adding it to your `package.json` directly.
 
 # --hints--
 
@@ -26,8 +26,9 @@ Install Helmet version `3.21.3`, then require it.
   (getUserInput) =>
     $.get(getUserInput('url') + '/_api/package.json').then(
       (data) => {
-        var packJson = JSON.parse(data);
-        assert(packJson.dependencies.helmet === '3.21.3');
+        const packJson = JSON.parse(data);
+        const helmet = packJson.dependencies.helmet;
+        assert(helmet === '3.21.3' || helmet === '^3.21.3');
       },
       (xhr) => {
         throw new Error(xhr.responseText);
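Review bot: `packJson.dependencies.helmet` on the second added line of the second hunk throws a TypeError when the learner's `package.json` has no `dependencies` key at all, so the hint fails with an engine-specific "cannot read property of undefined" message instead of the assertion the test name describes; `const helmet = (packJson.dependencies || {}).helmet;` keeps the `assert` as the single failure point. Accepting `^3.21.3` next to the exact string also widens what the check guarantees — npm resolves a caret range to the newest matching 3.x at install time, so the pinned version the instructions ask for is no longer enforced — and that intent is worth recording above the assert, e.g. `// npm writes a caret range by default; --save-exact writes the bare version`. The `.then` callback and the surrounding test function continue past the end of the hunk.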
diff --git a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/set-a-content-security-policy-with-helmet.contentsecuritypolicy.md b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/set-a-content-security-policy-with-helmet.contentsecuritypolicy.md
index 72aae680a9..a644522eaa 100644
--- a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/set-a-content-security-policy-with-helmet.contentsecuritypolicy.md
+++ b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/set-a-content-security-policy-with-helmet.contentsecuritypolicy.md
@@ -16,13 +16,13 @@ By default, directives are wide open, so it’s important to set the defaultSrc
 # --instructions--
 
-In this exercise, use `helmet.contentSecurityPolicy()`, and configure it setting the `defaultSrc directive` to `["self"]` (the list of allowed sources must be in an array), in order to trust only your website address by default. Set also the `scriptSrc` directive so that you will allow scripts to be downloaded from your website, and from the domain 'trusted-cdn.com'.
+In this exercise, use `helmet.contentSecurityPolicy()`. Configure it by adding a `directives` object. In the object, set the `defaultSrc` to `["'self'"]` (the list of allowed sources must be in an array), in order to trust only your website address by default. Also set the `scriptSrc` directive so that you only allow scripts to be downloaded from your website (`'self'`), and from the domain `'trusted-cdn.com'`.
 
-Hint: in the `self` keyword, the single quotes are part of the keyword itself, so it needs to be enclosed in double quotes to be working.
+Hint: in the `'self'` keyword, the single quotes are part of the keyword itself, so it needs to be enclosed in double quotes to be working.
 
 # --hints--
 
-helmet.csp() middleware should be mounted correctly
+helmet.contentSecurityPolicy() middleware should be mounted correctly
 
 ```js
 (getUserInput) =>