fix(curriculum): helmet install and csp lessons (#40904)

Tom
2021-02-06 10:36:40 -06:00
committed by GitHub
parent 8a42bbdf62
commit 15227a0148
2 changed files with 7 additions and 6 deletions

View File

@ -16,7 +16,7 @@ Helmet helps you secure your Express apps by setting various HTTP headers.
All your code for these lessons goes in the `myApp.js` file between the lines of code we have started you off with. Do not change or delete the code we have added for you. All your code for these lessons goes in the `myApp.js` file between the lines of code we have started you off with. Do not change or delete the code we have added for you.
Install Helmet version `3.21.3`, then require it. Install Helmet version `3.21.3`, then require it. You can install a specific version of a package with `npm install --save-exact package@version`, or by adding it to your `package.json` directly.
# --hints-- # --hints--
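Review bot: The added sentence on `npm install --save-exact package@version` should also say why the flag matters: without it npm records a caret range such as `^3.21.3` in `package.json` rather than the exact version, which is what the learner is told to pin. One extra clause, e.g. "`--save-exact` records the exact version instead of a `^` range", would make the connection to the `3.21.3` requirement explicit and save learners a confusing test failure.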
@ -26,8 +26,9 @@ Install Helmet version `3.21.3`, then require it.
(getUserInput) => (getUserInput) =>
$.get(getUserInput('url') + '/_api/package.json').then( $.get(getUserInput('url') + '/_api/package.json').then(
(data) => { (data) => {
var packJson = JSON.parse(data); const packJson = JSON.parse(data);
assert(packJson.dependencies.helmet === '3.21.3'); const helmet = packJson.dependencies.helmet;
assert(helmet === '3.21.3' || helmet === '^3.21.3');
}, },
(xhr) => { (xhr) => {
throw new Error(xhr.responseText); throw new Error(xhr.responseText);
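Review bot: The relaxed check `helmet === '3.21.3' || helmet === '^3.21.3'` is inconsistent with the lesson text, which asks for version `3.21.3` specifically: `^3.21.3` allows any later 3.x release to be installed, so the test no longer verifies the pinned version, while an equally valid `~3.21.3` is rejected. Either accept only the exact string (matching the `--save-exact` instruction) or compare with a semver helper instead of string equality. Separately, if `dependencies` is missing (for example helmet was saved under `devDependencies`) `packJson.dependencies.helmet` throws a TypeError rather than a readable assertion failure; guard it with something like `const helmet = packJson.dependencies && packJson.dependencies.helmet;` and give the `assert` a message.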

View File

@ -16,13 +16,13 @@ By default, directives are wide open, so its important to set the defaultSrc
# --instructions-- # --instructions--
In this exercise, use `helmet.contentSecurityPolicy()`, and configure it setting the `defaultSrc directive` to `["self"]` (the list of allowed sources must be in an array), in order to trust only your website address by default. Set also the `scriptSrc` directive so that you will allow scripts to be downloaded from your website, and from the domain 'trusted-cdn.com'. In this exercise, use `helmet.contentSecurityPolicy()`. Configure it by adding a `directives` object. In the object, set the `defaultSrc` to `["'self'"]` (the list of allowed sources must be in an array), in order to trust only your website address by default. Also set the `scriptSrc` directive so that you only allow scripts to be downloaded from your website (`'self'`), and from the domain `'trusted-cdn.com'`.
Hint: in the `self` keyword, the single quotes are part of the keyword itself, so it needs to be enclosed in double quotes to be working. Hint: in the `'self'` keyword, the single quotes are part of the keyword itself, so it needs to be enclosed in double quotes to be working.
# --hints-- # --hints--
helmet.csp() middleware should be mounted correctly helmet.contentSecurityPolicy() middleware should be mounted correctly
```js ```js
(getUserInput) => (getUserInput) =>
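Review bot: The rewritten instructions put the domain in quotes, `'trusted-cdn.com'`, right after explaining that the single quotes in `'self'` are part of the keyword and must be kept; a learner following the hint literally will write `"'trusted-cdn.com'"`, which CSP does not treat as a host source. Write the domain unquoted (or in backticks only) and have the hint state that the inner quotes apply to CSP keywords such as `'self'`, not to host names. Minor: the context line "so its important" should read "it's important".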