gaspersic/freeCodeCamp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

chore(i18n,chn): manually downloaded curriculum (#42858)

Browse Source
This commit is contained in:
Mrugesh Mohapatra
2021-07-15 13:04:11 +05:30
committed by GitHub
parent eef1805fe6
commit 7eb0630f2d
248 changed files with 5645 additions and 2149 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.md
View File

@ -1,6 +1,6 @@
---
id: 587d8248367417b2b2512c3c
title: Ask Browsers to Access Your Site via HTTPS Only with helmet.hsts()
title: 用 helmet.hsts() 使浏览器只能通过 HTTPS 访问你的网站。
challengeType: 2
forumTopicId: 301573
dashedName: ask-browsers-to-access-your-site-via-https-only-with-helmet-hsts
@ -8,19 +8,19 @@ dashedName: ask-browsers-to-access-your-site-via-https-only-with-helmet-hsts
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
请注意,本项目在[这个 Repl.it 项目](https://replit.com/github/freeCodeCamp/boilerplate-infosec)的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
HTTP Strict Transport Security (HSTS) is a web security policy which helps to protect websites against protocol downgrade attacks and cookie hijacking. If your website can be accessed via HTTPS you can ask users browsers to avoid using insecure HTTP. By setting the header Strict-Transport-Security, you tell the browsers to use HTTPS for the future requests in a specified amount of time. This will work for the requests coming after the initial request.
HTTP 严格传输安全HSTS是一种网络安全策略有助于保护网站免受协议降级攻击和 cookie 劫持。 如果你的网站可以通过 HTTPS 访问,你可以要求用户的浏览器避免使用不安全的 HTTP。 通过设置标头 Strict-Transport-Security你告诉浏览器在指定时间内对未来的请求使用 HTTPS。 这将对初始请求之后的请求起作用。
# --instructions--
Configure `helmet.hsts()` to use HTTPS for the next 90 days. Pass the config object `{maxAge: timeInSeconds, force: true}`. You can create a variable `ninetyDaysInSeconds = 90*24*60*60;` to use for the `timeInSeconds`. Repl.it already has hsts enabled. To override its settings you need to set the field "force" to true in the config object. We will intercept and restore the Repl.it header, after inspecting it for testing.
配置 `helmet.hsts()` 以在未来 90 天内使用 HTTPS。 传递配置对象 `{maxAge: timeInSeconds, force: true}`。 你可以创建一个变量 `ninetyDaysInSeconds = 90*24*60*60;` 来用于 `timeInSeconds` Replit 已经启用了 hsts。 要覆盖它的设置,你需要在配置对象中把 “force” 字段设置为 true。 我们将拦截并在对其进行检查测试后恢复 Replit 请求头。
Note: Configuring HTTPS on a custom website requires the acquisition of a domain, and a SSL/TLS Certificate.
注意:在自定义网站上配置 HTTPS 需要获得一个域名,以及一个 SSL/TLS 证书。
# --hints--
helmet.hsts() middleware should be mounted correctly
helmet.hsts() 中间件应该被正确安装。
```js
(getUserInput) =>
@ -35,7 +35,7 @@ helmet.hsts() middleware should be mounted correctly
);
```
maxAge should be equal to 7776000 s (90 days)
maxAge 应该等于 7776000 秒90 天)。
```js
(getUserInput) =>

8
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/avoid-inferring-the-response-mime-type-with-helmet.nosniff.md
View File

@ -1,6 +1,6 @@
---
id: 587d8248367417b2b2512c3a
title: Avoid Inferring the Response MIME Type with helmet.noSniff()
title: 用 helmet.noSniff() 避免推断出响应的 MIME 类型。
challengeType: 2
forumTopicId: 301574
dashedName: avoid-inferring-the-response-mime-type-with-helmet-nosniff
@ -8,15 +8,15 @@ dashedName: avoid-inferring-the-response-mime-type-with-helmet-nosniff
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/). Browsers can use content or MIME sniffing to override response `Content-Type` headers to guess and process the data using an implicit content type. While this can be convenient in some scenarios, it can also lead to some dangerous attacks. This middleware sets the X-Content-Type-Options header to `nosniff`, instructing the browser to not bypass the provided `Content-Type`.
请注意,本项目在[这个 Repl.it 项目](https://replit.com/github/freeCodeCamp/boilerplate-infosec)的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。 浏览器可以使用内容或 MIME 嗅探来覆盖响应的 `Content-Type` 头,猜测并使用隐含的内容类型来处理数据。 虽然这在某些情况下可能很方便,但也可能导致一些危险的攻击。 该中间件将 X-Content-Type-Options 头设置为 `nosniff`,指示浏览器不要绕过所提供的 `Content-Type`
# --instructions--
Use the `helmet.noSniff()` method on your server.
在你的服务器上使用 `helmet.noSniff()` 方法。
# --hints--
helmet.noSniff() middleware should be mounted correctly
helmet.noSniff() 中间件应该被正确安装
```js
(getUserInput) =>

14
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/configure-helmet-using-the-parent-helmet-middleware.md
View File

@ -1,6 +1,6 @@
---
id: 587d8249367417b2b2512c40
title: Configure Helmet Using the parent helmet() Middleware
title: 使用 helmet() 中间件来配置 Helmet
challengeType: 2
forumTopicId: 301575
dashedName: configure-helmet-using-the-parent-helmet-middleware
@ -8,11 +8,11 @@ dashedName: configure-helmet-using-the-parent-helmet-middleware
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
请注意,本项目在[这个 Repl.it 项目](https://replit.com/github/freeCodeCamp/boilerplate-infosec)的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
`app.use(helmet())` will automatically include all the middleware introduced above, except `noCache()`, and `contentSecurityPolicy()`, but these can be enabled if necessary. You can also disable or configure any other middleware individually, using a configuration object.
`app.use(helmet())` 将自动包括上面介绍的所有中间件,除了 `noCache()` `contentSecurityPolicy()`,但如果有必要,这些可以被启用。 你也可以使用配置对象,单独禁用或配置任何其他中间件。
**Example:**
**例如:**
```js
app.use(helmet({
@ -21,7 +21,7 @@ app.use(helmet({
},
contentSecurityPolicy: { // enable and configure
directives: {
defaultSrc: ["self"],
defaultSrc: ["'self'"],
styleSrc: ['style.com'],
}
},
@ -29,11 +29,11 @@ app.use(helmet({
}))
```
We introduced each middleware separately for teaching purposes and for ease of testing. Using the parent `helmet()` middleware is easy to implement in a real project.
为了教学目的和便于测试,我们分别介绍了每个中间件。 使用“父”`helmet()` 中间件很容易在真实项目中实现。
# --hints--
no tests - it's a descriptive challenge
没有测试 - 这是一个描述性的挑战
```js
assert(true);

10
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/disable-client-side-caching-with-helmet.nocache.md
View File

@ -1,6 +1,6 @@
---
id: 587d8249367417b2b2512c3e
title: Disable Client-Side Caching with helmet.noCache()
title: 使用 helment.noCache() 禁用客户端缓存
challengeType: 2
forumTopicId: 301576
dashedName: disable-client-side-caching-with-helmet-nocache
@ -8,17 +8,17 @@ dashedName: disable-client-side-caching-with-helmet-nocache
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
请注意,本项目在[这个 Repl.it 项目](https://replit.com/github/freeCodeCamp/boilerplate-infosec)的基础上进行开发。 你也可以从[GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/)上克隆。
If you are releasing an update for your website, and you want the users to always download the newer version, you can (try to) disable caching on clients browser. It can be useful in development too. Caching has performance benefits, which you will lose, so only use this option when there is a real need.
如果你正在为你的网站发布更新,而你希望用户总是下载较新的版本,你可以(尝试)在客户的浏览器上禁用缓存。 它在开发中也很有用。 缓存具有性能优势,你将失去这些优势,因此只有在真正需要时才使用此选项。
# --instructions--
Use the `helmet.noCache()` method on your server.
在你的服务器上使用 `helmet.noCache()` 方法。
# --hints--
helmet.noCache() middleware should be mounted correctly
应正确加载 helmet.noCache() 中间件
```js
(getUserInput) =>

10
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/disable-dns-prefetching-with-helmet.dnsprefetchcontrol.md
View File

@ -1,6 +1,6 @@
---
id: 587d8248367417b2b2512c3d
title: Disable DNS Prefetching with helmet.dnsPrefetchControl()
title: 使用 helmet.dnsPrefetchControl() 禁用 DNS 预获取
challengeType: 2
forumTopicId: 301577
dashedName: disable-dns-prefetching-with-helmet-dnsprefetchcontrol
@ -8,17 +8,17 @@ dashedName: disable-dns-prefetching-with-helmet-dnsprefetchcontrol
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
请注意,本项目在[这个 Repl.it 项目](https://replit.com/github/freeCodeCamp/boilerplate-infosec)的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
To improve performance, most browsers prefetch DNS records for the links in a page. In that way the destination ip is already known when the user clicks on a link. This may lead to over-use of the DNS service (if you own a big website, visited by millions people…), privacy issues (one eavesdropper could infer that you are on a certain page), or page statistics alteration (some links may appear visited even if they are not). If you have high security needs you can disable DNS prefetching, at the cost of a performance penalty.
为了提高性能,大部分浏览器都会为页面上的链接预先加载 DNS 记录。 这样当用户点击一个链接的时候浏览器已经知道其 IP 地址了。 但这也会造成 DNS 服务的过度使用(如果你有一个百万用户数量级的大型网站)、隐私问题(窃听者可以借此推测出你在访问哪个页面)、页面统计数据准确性(有些没访问过的链接会被标记成已访问)。 如果你对安全性要求比较高,你应该禁用 DNS 预加载。 当然,这样做会让你损失一些性能。
# --instructions--
Use the `helmet.dnsPrefetchControl()` method on your server.
应正确加载 helmet.dnsPrefetchControl() 中间件
# --hints--
helmet.dnsPrefetchControl() middleware should be mounted correctly
应正确加载 helmet.dnsPrefetchControl() 中间件
```js
(getUserInput) =>

16
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/hash-and-compare-passwords-asynchronously.md
View File

@ -1,6 +1,6 @@
---
id: 58a25bcff9fc0f352b528e7d
title: Hash and Compare Passwords Asynchronously
title: 哈希和异步比较密码
challengeType: 2
forumTopicId: 301578
dashedName: hash-and-compare-passwords-asynchronously
@ -8,9 +8,9 @@ dashedName: hash-and-compare-passwords-asynchronously
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-bcrypt), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-bcrypt/).
请注意,本项目在[这个 Repl.it 项目](https://replit.com/github/freeCodeCamp/boilerplate-infosec)的基础上进行开发。 你也可以从[GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/)上克隆。
As hashing is designed to be computationally intensive, it is recommended to do so asynchronously on your server as to avoid blocking incoming connections while you hash. All you have to do to hash a password asynchronous is call
由于哈希运算会占用很大计算机资源,并且会耗费比较多时间,因此比较推荐的做法是异步调用哈希算法,这样就不会因此阻止其它连接或请求了。 异步调用哈希方法非常简单,只需要:
```js
bcrypt.hash(myPlaintextPassword, saltRounds, (err, hash) => {
@ -20,9 +20,9 @@ bcrypt.hash(myPlaintextPassword, saltRounds, (err, hash) => {
# --instructions--
Add this hashing function to your server(we've already defined the variables used in the function for you to use) and log it to the console for you to see! At this point you would normally save the hash to your database.
把这段哈希方法添加到你的服务器(我们已经定义好这个方法的变量给你直接使用了),然后你可以尝试在控制台输出。 之后,我们通常需要把哈希的结果保存到数据库。
Now when you need to figure out if a new input is the same data as the hash you would just use the compare function.
当你需要对比用户输入的值是否和之前哈希过的值一样的时候,只需要调用对比函数:
```js
bcrypt.compare(myPlaintextPassword, hash, (err, res) => {
@ -30,7 +30,7 @@ bcrypt.compare(myPlaintextPassword, hash, (err, res) => {
});
```
Add this into your existing hash function(since you need to wait for the hash to complete before calling the compare function) after you log the completed hash and log 'res' to the console within the compare. You should see in the console a hash then 'true' is printed! If you change 'myPlaintextPassword' in the compare function to 'someOtherPlaintextPassword' then it should say false.
当控制台输出生成的哈希并在对比的回调中输出结果后,我们就可以将其添加到现有的哈希函数中。 控制台中会首先输出一个哈希结果,然后输出 true。 如果将比较函数中的 “myPlaintextPassword” 更改为 “someOtherPlaintextPassword”,则比较的结果应显示 false
```js
bcrypt.hash('passw0rd!', 13, (err, hash) => {
@ -43,11 +43,11 @@ bcrypt.hash('passw0rd!', 13, (err, hash) => {
```
Submit your page when you think you've got it right.
请在完成挑战后提交你的页面。
# --hints--
Async hash should be generated and correctly compared.
应生成异步散列并正确比较。
```js
(getUserInput) =>

16
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/hash-and-compare-passwords-synchronously.md
View File

@ -1,6 +1,6 @@
---
id: 58a25bcff9fc0f352b528e7e
title: Hash and Compare Passwords Synchronously
title: 哈希和同步比较密码
challengeType: 2
forumTopicId: 301579
dashedName: hash-and-compare-passwords-synchronously
@ -8,31 +8,31 @@ dashedName: hash-and-compare-passwords-synchronously
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-bcrypt), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-bcrypt/).
请注意,本项目在 [这个 Repl.it 项目](https://replit.com/github/freeCodeCamp/boilerplate-bcrypt) 的基础上进行开发。 你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-bcrypt/) 上克隆。
Hashing synchronously is just as easy to do but can cause lag if using it server side with a high cost or with hashing done very often. Hashing with this method is as easy as calling
同步执行哈希运算是非常简单的,但这会在哈希计算量大并且次数多的情况下造成延迟。 用这个方法哈希就像调用函数一样简单。
```js
var hash = bcrypt.hashSync(myPlaintextPassword, saltRounds);
```
Add this method of hashing to your code and then log the result to the console. Again, the variables used are already defined in the server so you won't need to adjust them. You may notice even though you are hashing the same password as in the async function, the result in the console is different- this is due to the salt being randomly generated each time as seen by the first 22 characters in the third string of the hash. Now to compare a password input with the new sync hash, you would use the compareSync method:
把同步哈希的方法添加到你的代码,并在控制台输出。 和之前一样,我们已经为你定义好了你需要使用的变量,你不需要做任何改动。 你可能会注意到即使你使用与异步函数相同的密码进行哈希处理,控制台中的结果也不同,这是由于每次哈希值随机生成,如第三个哈希字符串中的前 22 个字符所示。 现在,为了比较一个密码输入和新的同步哈希值,你将使用 compareSync 方法。
```js
var result = bcrypt.compareSync(myPlaintextPassword, hash);
```
with the result being a boolean true or false.
返回的结果为 true false
# --instructions--
Add the function in and log the result to the console to see it working.
请添加这个方法,并把结果输出到控制台,以此来验证同步哈希操作是否成功。
Submit your page when you think you've got it right.
请在完成挑战后提交你的页面。
# --hints--
Sync hash should be generated and correctly compared.
应同步地进行哈希并正确地执行对比
```js
(getUserInput) =>

8
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/hide-potentially-dangerous-information-using-helmet.hidepoweredby.md
View File

@ -1,6 +1,6 @@
---
id: 587d8247367417b2b2512c37
title: Hide Potentially Dangerous Information Using helmet.hidePoweredBy()
title: 使用 helmet.hidePoweredBy() 隐藏潜在的危险信息
challengeType: 2
forumTopicId: 301580
dashedName: hide-potentially-dangerous-information-using-helmet-hidepoweredby
@ -8,13 +8,13 @@ dashedName: hide-potentially-dangerous-information-using-helmet-hidepoweredby
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
请注意,本项目在[这个 Repl.it 项目](https://replit.com/github/freeCodeCamp/boilerplate-infosec)的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
Hackers can exploit known vulnerabilities in Express/Node if they see that your site is powered by Express. X-Powered-By: Express is sent in every request coming from Express by default. The `helmet.hidePoweredBy()` middleware will remove the X-Powered-By header. You can also explicitly set the header to something else, to throw people off. e.g. `app.use(helmet.hidePoweredBy({ setTo: 'PHP 4.2.0' }))`
如果黑客发现你的网站是用 Express 搭建的,那么他们就可以利用 Express 或 Node 现存的漏洞来攻击你的网站。 `X-Powered-By: Express` 默认在来自 Express 的每个请求中被发送。 使用 `helmet.hidePoweredBy()` 中间件来移除 X-Powered-By 头。
# --hints--
helmet.hidePoweredBy() middleware should be mounted correctly
应正确地安装 helmet.hidePoweredBy() 中间件
```js
(getUserInput) =>

23
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/install-and-require-helmet.md
View File

@ -1,6 +1,6 @@
---
id: 587d8247367417b2b2512c36
title: Install and Require Helmet
title: 安装和引入 Helmet
challengeType: 2
forumTopicId: 301581
dashedName: install-and-require-helmet
@ -8,26 +8,33 @@ dashedName: install-and-require-helmet
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
你可以采用下面的任意一种编写代码的方式来完成这些挑战:
Helmet helps you secure your Express apps by setting various HTTP headers.
- 克隆 [这个 GitHub 仓库](https://github.com/freeCodeCamp/boilerplate-infosec/) 并在本地完成这些挑战。
- 使用[我们在 Repl.it 上的初始化项目](https://replit.com/github/freeCodeCamp/boilerplate-infosec)来完成这些挑战。
- 使用你选择的网站生成器来完成项目。 需要包含我们 GitHub 仓库的所有文件。
完成本项目后,请将一个正常运行的 demo项目演示托管在可以公开访问的平台。 然后在 `Solution Link` 字段中提交它的 URL。
Helmet 通过设置各种 HTTP 头来保护你的 Express 应用程序。
# --instructions--
All your code for these lessons goes in the `myApp.js` file between the lines of code we have started you off with. Do not change or delete the code we have added for you.
你在这些课程中写的所有代码都在 `myApp.js` 文件中,在初始代码之间。 不要改变或删除我们为你添加的代码。
Install Helmet version `3.21.3`, then require it.
安装 Helmet `3.21.3` 版本,然后引入它。 你可以用 `npm install --save-exact package@version` 来安装一个特定版本的软件包,或者直接将其添加到你的 `package.json` 中。
# --hints--
`helmet` version `3.21.3` should be in `package.json`
`helmet` 版本 `3.21.3` 应该在 `package.json` 中。
```js
(getUserInput) =>
$.get(getUserInput('url') + '/_api/package.json').then(
(data) => {
var packJson = JSON.parse(data);
assert(packJson.dependencies.helmet === '3.21.3');
const packJson = JSON.parse(data);
const helmet = packJson.dependencies.helmet;
assert(helmet === '3.21.3' || helmet === '^3.21.3');
},
(xhr) => {
throw new Error(xhr.responseText);

14
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/mitigate-the-risk-of-clickjacking-with-helmet.frameguard.md
View File

@ -1,6 +1,6 @@
---
id: 587d8247367417b2b2512c38
title: Mitigate the Risk of Clickjacking with helmet.frameguard()
title: 使用 helmet.frameguard() 降低点击劫持的风险
challengeType: 2
forumTopicId: 301582
dashedName: mitigate-the-risk-of-clickjacking-with-helmet-frameguard
@ -8,19 +8,19 @@ dashedName: mitigate-the-risk-of-clickjacking-with-helmet-frameguard
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
请注意,本项目在 [这个 Repl.it 项目](https://replit.com/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。 你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
Your page could be put in a `<frame>` or `<iframe>` without your consent. This can result in clickjacking attacks, among other things. Clickjacking is a technique of tricking a user into interacting with a page different from what the user thinks it is. This can be obtained executing your page in a malicious context, by mean of iframing. In that context a hacker can put a hidden layer over your page. Hidden buttons can be used to run bad scripts. This middleware sets the X-Frame-Options header. It restricts who can put your site in a frame. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM.
你的网页可能在未经你同意的情况下被放在 `<frame>` `<iframe>` 中。 这可能会导致点击劫持攻击等情况。 点击劫持是一种欺骗用户的技术,使其与用户认为不同的页面进行互动。 这可以通过使用 iframe 的方式,在一个恶意的环境中执行你的页面而获得。 在这种情况下,黑客可以在你的页面上设置一个隐藏层。 隐藏的按钮可以被用来运行坏的脚本。 该中间件设置 X-Frame-Options 头。 它限制了谁可以把你的网站放在一个框架里。 它有三种模式:DENYSAMEORIGIN ALLOW-FROM
We dont need our app to be framed.
我们不需要让我们的应用程序可以被嵌入。
# --instructions--
Use `helmet.frameguard()` passing with the configuration object `{action: 'deny'}`.
使用 `helmet.frameguard()` 时应传递配置对象 `{action: 'deny'}`
# --hints--
helmet.frameguard() middleware should be mounted correctly
应正确加载 helmet.frameguard() 中间件
```js
(getUserInput) =>
@ -38,7 +38,7 @@ helmet.frameguard() middleware should be mounted correctly
);
```
helmet.frameguard() 'action' should be set to 'DENY'
helmet.frameguard() 'action' 应该设置为 “DENY
```js
(getUserInput) =>

16
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/mitigate-the-risk-of-cross-site-scripting-xss-attacks-with-helmet.xssfilter.md
View File

@ -1,7 +1,7 @@
---
id: 587d8247367417b2b2512c39
title: >-
Mitigate the Risk of Cross Site Scripting (XSS) Attacks with helmet.xssFilter()
使用 helmet.xssFilter() 降低跨站点脚本XSS攻击的风险
challengeType: 2
forumTopicId: 301583
dashedName: mitigate-the-risk-of-cross-site-scripting-xss-attacks-with-helmet-xssfilter
@ -9,23 +9,23 @@ dashedName: mitigate-the-risk-of-cross-site-scripting-xss-attacks-with-helmet-xs
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
请注意,本项目在 [这个 Repl.it 项目](https://replit.com/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
Cross-site scripting (XSS) is a frequent type of attack where malicious scripts are injected into vulnerable pages, with the purpose of stealing sensitive data like session cookies, or passwords.
跨站脚本XSS是一种常见的攻击类型恶意脚本被注入到易受攻击的页面目的是窃取敏感数据如会话 cookies 或密码。
The basic rule to lower the risk of an XSS attack is simple: “Never trust users input”. As a developer you should always sanitize all the input coming from the outside. This includes data coming from forms, GET query urls, and even from POST bodies. Sanitizing means that you should find and encode the characters that may be dangerous e.g. &lt;, >.
降低 XSS 攻击风险的基本规则很简单:"永远不要相信用户的输入"。 作为一个开发者,你应该始终对所有来自外部的输入进行消毒。 这包括来自表单、GET 查询URL甚至来自 POST 请求体的数据。 净化意味着你应该找到并编码可能有危险的字符,例如 &lt;, >
Modern browsers can help mitigating the risk by adopting better software strategies. Often these are configurable via http headers.
现代浏览器通过采用更好的软件策略来帮助降低风险。 通常情况下,这些都是可以通过 http 头文件来配置的。
The X-XSS-Protection HTTP header is a basic protection. The browser detects a potential injected script using a heuristic filter. If the header is enabled, the browser changes the script code, neutralizing it. It still has limited support.
X-XSS-Protection HTTP 消息头是一种基本的保护。 浏览器使用启发式过滤器检测潜在的注入脚本。 如果请求头被启用,浏览器会改变脚本代码,使其失效。 它得到的支持仍然有限。
# --instructions--
Use `helmet.xssFilter()` to sanitize input sent to your server.
使用 `helmet.xssFilter()` 来净化发送到服务器的输入。
# --hints--
helmet.xssFilter() middleware should be mounted correctly
helmet.xssFilter() 中间件应正确安装。
```js
(getUserInput) =>

10
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/prevent-ie-from-opening-untrusted-html-with-helmet.ienoopen.md
View File

@ -1,6 +1,6 @@
---
id: 587d8248367417b2b2512c3b
title: Prevent IE from Opening Untrusted HTML with helmet.ieNoOpen()
title: 使用 helment.ieNoOpen() 防止 IE 打开不受信任的 HTML
challengeType: 2
forumTopicId: 301584
dashedName: prevent-ie-from-opening-untrusted-html-with-helmet-ienoopen
@ -8,17 +8,17 @@ dashedName: prevent-ie-from-opening-untrusted-html-with-helmet-ienoopen
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
请注意,本项目在[这个 Repl.it 项目](https://replit.com/github/freeCodeCamp/boilerplate-infosec)的基础上进行开发。 你也可以从[GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/)上克隆。
Some web applications will serve untrusted HTML for download. Some versions of Internet Explorer by default open those HTML files in the context of your site. This means that an untrusted HTML page could start doing bad things in the context of your pages. This middleware sets the X-Download-Options header to noopen. This will prevent IE users from executing downloads in the trusted sites context.
有些网站会下载不安全的 HTML 文件。 某些版本的 IE 默认情况下还会在你网站的作用域下打开这些 HTML 文件。 换句话说,这些不安全的 HTML 页面可以在你的网站做恶意行为。 我们可以通过中间件来设置 header 中的 X-Download-Options 字段,让它的值为 noopen。 这样就可以防止 IE 在不信任的网站下执行下载的文件。
# --instructions--
Use the `helmet.ieNoOpen()` method on your server.
应正确加载 `helmet.ieNoOpen()` 中间件
# --hints--
helmet.ieNoOpen() middleware should be mounted correctly
helmet.ieNoOpen() 中间件应正确安装。
```js
(getUserInput) =>

16
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/set-a-content-security-policy-with-helmet.contentsecuritypolicy.md
View File

@ -1,6 +1,6 @@
---
id: 587d8249367417b2b2512c3f
title: Set a Content Security Policy with helmet.contentSecurityPolicy()
title: 使用 helment.contentSecurityPolicy() 设置内容安全策略
challengeType: 2
forumTopicId: 301585
dashedName: set-a-content-security-policy-with-helmet-contentsecuritypolicy
@ -8,21 +8,21 @@ dashedName: set-a-content-security-policy-with-helmet-contentsecuritypolicy
# --description--
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
请注意,本项目在 [这个 Repl.it 项目](https://replit.com/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
This challenge highlights one promising new defense that can significantly reduce the risk and impact of many type of attacks in modern browsers. By setting and configuring a Content Security Policy you can prevent the injection of anything unintended into your page. This will protect your app from XSS vulnerabilities, undesired tracking, malicious frames, and much more. CSP works by defining an allowed list of content sources which are trusted. You can configure them for each kind of resource a web page may need (scripts, stylesheets, fonts, frames, media, and so on…). There are multiple directives available, so a website owner can have a granular control. See HTML 5 Rocks, KeyCDN for more details. Unfortunately CSP is unsupported by older browser.
在这个挑战中,我们要重点讨论现代浏览器中一种能有效减轻安全风险和防御很多种类型常见攻击的安全防护。 通过设置和配置内容安全策略,你可以防止在页面中无意中注入任何内容。 这会让你的应用远离 XSS 漏洞、恶意追踪、恶意 frames 和很多其他攻击。 CSP 通过配置资源白名单来避免这些问题。 你可以给任何一种类型的页面资源脚本、样式文件、字体、frames、媒体文件等做这个配置。 它支持很多指令,所以网站管理员可以做细致的控制。 更多详情请参考 HTML 5 Rocks KeyCDN。 不幸的是,一些旧的浏览器不支持 CSP。
By default, directives are wide open, so its important to set the defaultSrc directive as a fallback. Helmet supports both defaultSrc and default-src naming styles. The fallback applies for most of the unspecified directives.
默认的指令很容易受到攻击, 所以设置 defaultSrc 指令作为降级方案很重要。 Helmet 同时支持 defaultSrc default-src 命名规范。 降级方案可以应用在大部分指令上。
# --instructions--
In this exercise, use `helmet.contentSecurityPolicy()`, and configure it setting the `defaultSrc directive` to `["self"]` (the list of allowed sources must be in an array), in order to trust only your website address by default. Set also the `scriptSrc` directive so that you will allow scripts to be downloaded from your website, and from the domain 'trusted-cdn.com'.
在这个练习中,使用 `helmet.contentSecurityPolicy()`。 通过添加一个 `directives` 对象来配置它。 在该对象中,将 `defaultSrc` 设置为 `["'self'"]`(允许的来源列表必须是一个数组),以便默认只信任你的网站地址。 同时设置 `scriptSrc` 指令,以便你只允许从你的网站(`'self'`)和域名 `'trusted-cdn.com'` 下载脚本。
Hint: in the `self` keyword, the single quotes are part of the keyword itself, so it needs to be enclosed in double quotes to be working.
提示:在 `'self'` 关键词中,单引号也是关键词的一部分,所以你应该用双引号来包起它才能正常工作。
# --hints--
helmet.csp() middleware should be mounted correctly
应正确安装 helmet.contentSecurityPolicy() 中间件。
```js
(getUserInput) =>
@ -36,7 +36,7 @@ helmet.csp() middleware should be mounted correctly
);
```
Your csp config is not correct. defaultSrc should be ["'self'"] and scriptSrc should be ["'self'", 'trusted-cdn.com']
你的 csp 配置不正确。 defaultSrc 应为 ["'self'"],并且 scriptSrc 应为 ["'self'", 'trusted-cdn.com']
```js
(getUserInput) =>

18
curriculum/challenges/chinese/09-information-security/information-security-with-helmetjs/understand-bcrypt-hashes.md
View File

@ -1,6 +1,6 @@
---
id: 58a25bcef9fc0f352b528e7c
title: Understand BCrypt Hashes
title: 了解 BCrypt 的哈希加密
challengeType: 2
forumTopicId: 301586
dashedName: understand-bcrypt-hashes
@ -8,23 +8,23 @@ dashedName: understand-bcrypt-hashes
# --description--
For the following challenges, you will be working with a new starter project that is different from the previous one. You can find the new starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-bcrypt), or clone it from [GitHub](https://github.com/freeCodeCamp/boilerplate-bcrypt/).
在下面的挑战中,你将启动一个新的项目,这个项目与之前的项目不同。 你可以在 [Replit](https://replit.com/github/freeCodeCamp/boilerplate-bcrypt)上找到新的启动项目,或者从 [GitHub](https://github.com/freeCodeCamp/boilerplate-bcrypt/) 上克隆它。
BCrypt hashes are very secure. A hash is basically a fingerprint of the original data- always unique. This is accomplished by feeding the original data into an algorithm and returning a fixed length result. To further complicate this process and make it more secure, you can also *salt* your hash. Salting your hash involves adding random data to the original data before the hashing process which makes it even harder to crack the hash.
BCrypt 哈希值是非常安全的。 哈希值基本上是原始数据的指纹,总是唯一的。 这是通过将原始数据输入一个算法并返回一个固定长度的结果来实现的。 为了使这一过程更加复杂和安全,你还可以向你的哈希值 *加盐*。 对你的散列加盐处理包含了在散列过程之前向原始数据添加随机数据,这使得破解散列更加困难。
BCrypt hashes will always looks like `$2a$13$ZyprE5MRw2Q3WpNOGZWGbeG7ADUre1Q8QO.uUUtcbqloU0yvzavOm` which does have a structure. The first small bit of data `$2a` is defining what kind of hash algorithm was used. The next portion `$13` defines the *cost*. Cost is about how much power it takes to compute the hash. It is on a logarithmic scale of 2^cost and determines how many times the data is put through the hashing algorithm. For example, at a cost of 10 you are able to hash 10 passwords a second on an average computer, however at a cost of 15 it takes 3 seconds per hash... and to take it further, at a cost of 31 it would takes multiple days to complete a hash. A cost of 12 is considered very secure at this time. The last portion of your hash `$ZyprE5MRw2Q3WpNOGZWGbeG7ADUre1Q8QO.uUUtcbqloU0yvzavOm`, looks like one large string of numbers, periods, and letters but it is actually two separate pieces of information. The first 22 characters is the salt in plain text, and the rest is the hashed password!
BCrypt 哈希值总是看起来有像`$2a$13$ZyprE5MRw2Q3WpNOGZWGbeG7ADUre1Q8QO.uUUtcbqloU0yvzavOm` 的结构。 它遵循固定的结构,第一小节 `$2a` 说明了该哈希采用什么算法。 接下来的部分 `$13` 定义了 *成本*。 成本是指计算哈希值需要多少能量。 它在 2^cost 的对数尺度上,决定了数据要通过散列算法计算多少次。 例如,当 cost 10 时,你能够在普通计算机上每秒散列 10 个密码,然而当 cost 15 时,每次散列需要 3 秒...... 进一步说,当 cost 31 时,完成一次散列需要好几天。 通常 cost 12 的哈希运算就已经足够安全。 哈希结果的最后一部分 `$ZyprE5MRw2Q3WpNOGZWGbeG7ADUre1Q8QO.uUUtcbqloU0yvzavOm` 看起来像是由随机数字、点和字母组成的字符串,但实际上它有两部分内容。 前面 22 个字符是加入的盐,剩下的就是加密过的密码!
# --instructions--
To begin using BCrypt, add it as a dependency in your project and require it as 'bcrypt' in your server.
要开始使用 BCrypt只需将它添加到你的依赖列表然后在你的服务器引入 “bcrypt”。
Add all your code for these lessons in the `server.js` file between the code we have started you off with. Do not change or delete the code we have added for you.
`server.js` 文件中加入这些课程的所有代码,放在我们提供的代码之间。 不要改变或删除我们为你添加的代码。
Submit your page when you think you've got it right.
请在完成挑战后提交你的页面。
# --hints--
BCrypt should be a dependency.
BCrypt 应该是一个依赖项。
```js
(getUserInput) =>
@ -43,7 +43,7 @@ BCrypt should be a dependency.
);
```
BCrypt should be properly required.
应正确引入 BCrypt。
```js
(getUserInput) =>