From 9612c5ba741843fb48e5692f7424d8bef40b0752 Mon Sep 17 00:00:00 2001
From: mrugesh <1884376+raisedadead@users.noreply.github.com>
Date: Wed, 23 Oct 2019 21:35:34 +0530
Subject: [PATCH] fix: HSTS test in Infosec curriculum (#37469)

Co-authored-by: Wocanilo
Co-authored-by: Oliver Eyton-Williams
---
...ur-site-via-https-only-with-helmet.hsts.arabic.md | 2 +-
...r-site-via-https-only-with-helmet.hsts.chinese.md | 4 ++--
...r-site-via-https-only-with-helmet.hsts.english.md | 6 +++---
...ite-via-https-only-with-helmet.hsts.portuguese.md | 4 ++--
...r-site-via-https-only-with-helmet.hsts.russian.md | 12 +++++-------
...r-site-via-https-only-with-helmet.hsts.spanish.md | 4 ++--
6 files changed, 15 insertions(+), 17 deletions(-)

diff --git a/curriculum/challenges/arabic/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.arabic.md b/curriculum/challenges/arabic/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.arabic.md
index 8d3f108796..4e8f407d59 100644
--- a/curriculum/challenges/arabic/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.arabic.md
+++ b/curriculum/challenges/arabic/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.arabic.md
@@ -20,7 +20,7 @@ tests:
tests: - text: '' testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.include(data.appStack, "hsts"); assert.property(data.headers, "strict-transport-security"); }, xhr => { throw new Error(xhr.responseText); })' - text: ''
- testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.match(data.headers["strict-transport-security"], /^max-age=777600000;?/); }, xhr => { throw new Error(xhr.responseText); })'
+ testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.match(data.headers["strict-transport-security"], /^max-age=7776000;?/); }, xhr => { throw new Error(xhr.responseText); })'
```
diff --git a/curriculum/challenges/chinese/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.chinese.md b/curriculum/challenges/chinese/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.chinese.md
index 76500aab27..ba9d22b3da 100644
--- a/curriculum/challenges/chinese/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.chinese.md
+++ b/curriculum/challenges/chinese/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.chinese.md
@@ -7,7 +7,7 @@ localeTitle: 要求浏览器通过HTTPS访问您的站点仅限于使用helmet.h
---
## Description -
提醒一下,这个项目是基于Glitch的以下入门项目构建的,或者是从GitHub克隆的。 HTTP严格传输安全(HSTS)是一种Web安全策略,可帮助保护网站免受协议降级攻击和cookie劫持。如果您的网站可以通过HTTPS访问,您可以要求用户的浏览器避免使用不安全的HTTP。通过设置标头Strict-Transport-Security,您可以告诉浏览器在指定的时间内对将来的请求使用HTTPS。这将适用于初始请求之后的请求。配置helmet.hsts()以在接下来的90天内使用HTTPS。传递配置对象{maxAge:timeInMilliseconds,force:true}。 Glitch已经启用了hsts。要覆盖其设置,您需要在配置对象中将字段“force”设置为true。在检查Glitch标头进行测试后,我们将拦截并恢复Glitch标头。注意:在自定义网站上配置HTTPS需要获取域和SSL / TSL证书。
+
提醒一下,这个项目是基于Glitch的以下入门项目构建的,或者是从GitHub克隆的。 HTTP严格传输安全(HSTS)是一种Web安全策略,可帮助保护网站免受协议降级攻击和cookie劫持。如果您的网站可以通过HTTPS访问,您可以要求用户的浏览器避免使用不安全的HTTP。通过设置标头Strict-Transport-Security,您可以告诉浏览器在指定的时间内对将来的请求使用HTTPS。这将适用于初始请求之后的请求。配置helmet.hsts()以在接下来的90天内使用HTTPS。传递配置对象{maxAge:timeInSeconds,force:true}。 Glitch已经启用了hsts。要覆盖其设置,您需要在配置对象中将字段“force”设置为true。在检查Glitch标头进行测试后,我们将拦截并恢复Glitch标头。注意:在自定义网站上配置HTTPS需要获取域和SSL / TSL证书。
## Instructions
@@ -21,7 +21,7 @@ tests:
tests: - text: helmet.hsts()中间件应正确安装 testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.include(data.appStack, "hsts"); assert.property(data.headers, "strict-transport-security"); }, xhr => { throw new Error(xhr.responseText); })' - text: maxAge应该等于7776000毫秒(90天)
- testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.match(data.headers["strict-transport-security"], /^max-age=777600000;?/); }, xhr => { throw new Error(xhr.responseText); })'
+ testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.match(data.headers["strict-transport-security"], /^max-age=7776000;?/); }, xhr => { throw new Error(xhr.responseText); })'
```
diff --git a/curriculum/challenges/english/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.english.md b/curriculum/challenges/english/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.english.md
index 4caaf7ee66..c4a08923cc 100644
--- a/curriculum/challenges/english/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.english.md
+++ b/curriculum/challenges/english/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.english.md
@@ -13,7 +13,7 @@ HTTP Strict Transport Security (HSTS) is a web security policy which helps to pr
## Instructions
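Review bot: The unchanged label `- text: maxAge应该等于7776000毫秒(90天)` in this hunk still tells the learner the value is in milliseconds (毫秒), while the description hunk of this same file now says `{maxAge: timeInSeconds, force: true}` and the English label in this patch was changed to `7776000 s (90 days)`; it should read `maxAge应该等于7776000秒(90天)` so the unit matches what the regex checks. The corrected pattern `/^max-age=7776000;?/` on the added line also leaves the number unterminated, so a header of `max-age=77760000` or `max-age=7776000000` would still pass. `/^max-age=7776000(?:;|$)/` pins the value exactly and still accepts any `;` directives Helmet appends.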
-Configure helmet.hsts() to use HTTPS for the next 90 days. Pass the config object {maxAge: timeInMilliseconds, force: true}. Glitch already has hsts enabled. To override its settings you need to set the field "force" to true in the config object. We will intercept and restore the Glitch header, after inspecting it for testing.
+Configure helmet.hsts() to use HTTPS for the next 90 days. Pass the config object {maxAge: timeInSeconds, force: true}. Glitch already has hsts enabled. To override its settings you need to set the field "force" to true in the config object. We will intercept and restore the Glitch header, after inspecting it for testing.
Note: Configuring HTTPS on a custom website requires the acquisition of a domain, and a SSL/TSL Certificate.
@@ -24,8 +24,8 @@ Note: Configuring HTTPS on a custom website requires the acquisition of a domain
tests: - text: helmet.hsts() middleware should be mounted correctly testString: getUserInput => $.get(getUserInput('url') + '/_api/app-info').then(data => { assert.include(data.appStack, 'hsts'); assert.property(data.headers, 'strict-transport-security'); }, xhr => { throw new Error(xhr.responseText); })
- - text: maxAge should be equal to 7776000 ms (90 days)
- testString: getUserInput => $.get(getUserInput('url') + '/_api/app-info').then(data => { assert.match(data.headers['strict-transport-security'], /^max-age=777600000;?/); }, xhr => { throw new Error(xhr.responseText); })
+ - text: maxAge should be equal to 7776000 s (90 days)
+ testString: getUserInput => $.get(getUserInput('url') + '/_api/app-info').then(data => { assert.match(data.headers['strict-transport-security'], /^max-age=7776000;?/); }, xhr => { throw new Error(xhr.responseText); })
```
diff --git a/curriculum/challenges/portuguese/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.portuguese.md b/curriculum/challenges/portuguese/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.portuguese.md
index 1978f6476b..f6a251d768 100644
--- a/curriculum/challenges/portuguese/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.portuguese.md
+++ b/curriculum/challenges/portuguese/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.portuguese.md
@@ -7,7 +7,7 @@ localeTitle: Peça aos navegadores que acessem seu site via HTTPS somente com he
---
## Description -
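Review bot: The new regex `/^max-age=7776000;?/` on the added testString line is not anchored after the number, so a header of `max-age=77760000` or `max-age=7776000000; includeSubDomains` (a value off by the same milliseconds-versus-seconds factor this commit is correcting) still satisfies the test. Terminating the directive value, `/^max-age=7776000(?:;|$)/`, makes the check exact while still accepting a trailing `;` and any further directives Helmet emits. The label change to `7776000 s (90 days)` is right (90 × 86400 = 7776000) but was made only in this file; the Chinese, Portuguese, Russian and Spanish test labels in this patch still say ms. Separately, the `Note:` context line quoted in this hunk header ends, in the previous hunk, with "SSL/TSL Certificate" — the protocol is TLS, so `an SSL/TLS certificate` would be correct.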
Como lembrete, este projeto está sendo construído sobre o seguinte projeto inicial no Glitch , ou clonado a partir do GitHub . A Segurança de Transporte Rígido HTTP (HSTS) é uma política de segurança da Web que ajuda a proteger sites contra ataques de downgrade de protocolo e sequestro de cookies. Se o seu site pode ser acessado via HTTPS, você pode pedir aos navegadores do usuário para evitar o uso de HTTP inseguro. Ao definir o cabeçalho Strict-Transport-Security, você indica aos navegadores que usem HTTPS para as solicitações futuras em um período de tempo especificado. Isso funcionará para as solicitações após a solicitação inicial. Configure helmet.hsts () para usar HTTPS nos próximos 90 dias. Passe o objeto de configuração {maxAge: timeInMilliseconds, force: true}. Glitch já tem hsts habilitado. Para sobrescrever suas configurações, você precisa definir o campo "force" como true no objeto de configuração. Vamos interceptar e restaurar o cabeçalho Glitch, depois de inspecioná-lo para teste. Nota: A configuração de HTTPS em um site personalizado requer a aquisição de um domínio e um certificado SSL / TSL.
+
Como lembrete, este projeto está sendo construído sobre o seguinte projeto inicial no Glitch , ou clonado a partir do GitHub . A Segurança de Transporte Rígido HTTP (HSTS) é uma política de segurança da Web que ajuda a proteger sites contra ataques de downgrade de protocolo e sequestro de cookies. Se o seu site pode ser acessado via HTTPS, você pode pedir aos navegadores do usuário para evitar o uso de HTTP inseguro. Ao definir o cabeçalho Strict-Transport-Security, você indica aos navegadores que usem HTTPS para as solicitações futuras em um período de tempo especificado. Isso funcionará para as solicitações após a solicitação inicial. Configure helmet.hsts () para usar HTTPS nos próximos 90 dias. Passe o objeto de configuração {maxAge: timeInSeconds, force: true}. Glitch já tem hsts habilitado. Para sobrescrever suas configurações, você precisa definir o campo "force" como true no objeto de configuração. Vamos interceptar e restaurar o cabeçalho Glitch, depois de inspecioná-lo para teste. Nota: A configuração de HTTPS em um site personalizado requer a aquisição de um domínio e um certificado SSL / TSL.
## Instructions
@@ -21,7 +21,7 @@ tests:
tests: - text: O middleware helmet.hsts () deve ser montado corretamente testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.include(data.appStack, "hsts"); assert.property(data.headers, "strict-transport-security"); }, xhr => { throw new Error(xhr.responseText); })' - text: maxAge deve ser igual a 7776000 ms (90 dias)
- testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.match(data.headers["strict-transport-security"], /^max-age=777600000;?/); }, xhr => { throw new Error(xhr.responseText); })'
+ testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.match(data.headers["strict-transport-security"], /^max-age=7776000;?/); }, xhr => { throw new Error(xhr.responseText); })'
```
diff --git a/curriculum/challenges/russian/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.russian.md b/curriculum/challenges/russian/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.russian.md
index 32789635cc..466f43e0a7 100644
--- a/curriculum/challenges/russian/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.russian.md
+++ b/curriculum/challenges/russian/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.russian.md
@@ -7,9 +7,7 @@ localeTitle: Попросите Браузеры получить доступ
---
## Description -
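Review bot: The context label `- text: maxAge deve ser igual a 7776000 ms (90 dias)` in this hunk still gives the unit as milliseconds although the description of this same file was switched to `{maxAge: timeInSeconds, force: true}` and the English label became `7776000 s (90 days)`; it should read `maxAge deve ser igual a 7776000 s (90 dias)`. The added regex `/^max-age=7776000;?/` also has no terminator after the number, so `max-age=77760000` would pass; `/^max-age=7776000(?:;|$)/` checks the value exactly.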
-Напомним, что этот проект строится на следующем стартовом проекте Glitch или клонируется из GitHub . HTTP Strict Transport Security (HSTS) - это политическая политика веб-безопасности, которая помогает защитить веб-сайты от атак с понижением протокола и захвата файлов cookie. Если ваш веб-сайт можно получить через HTTPS, вы можете попросить браузеры пользователей избегать использования небезопасного HTTP. Установив заголовок Strict-Transport-Security, вы указываете браузерам использовать HTTPS для будущих запросов за определенное время. Это будет работать для запросов, поступивших после первоначального запроса. Настройте helmet.hsts (), чтобы использовать HTTPS в течение следующих 90 дней. Передайте объект конфигурации {maxAge: timeInMilliseconds, force: true}. У глюка уже включен hsts. Чтобы переопределить свои настройки, вам нужно установить для поля «значение силы» значение true в объекте конфигурации. Мы будем перехватывать и восстанавливать заголовок Glitch, после проверки его на тестирование. Примечание. Для настройки HTTPS на пользовательском веб-сайте требуется получение домена и сертификат SSL / TSL. -
+
Напомним, что этот проект строится на следующем стартовом проекте Glitch или клонируется из GitHub . HTTP Strict Transport Security (HSTS) - это политическая политика веб-безопасности, которая помогает защитить веб-сайты от атак с понижением протокола и захвата файлов cookie. Если ваш веб-сайт можно получить через HTTPS, вы можете попросить браузеры пользователей избегать использования небезопасного HTTP. Установив заголовок Strict-Transport-Security, вы указываете браузерам использовать HTTPS для будущих запросов за определенное время. Это будет работать для запросов, поступивших после первоначального запроса. Настройте helmet.hsts (), чтобы использовать HTTPS в течение следующих 90 дней. Передайте объект конфигурации {maxAge: timeInSeconds, force: true}. У глюка уже включен hsts. Чтобы переопределить свои настройки, вам нужно установить для поля «значение силы» значение true в объекте конфигурации. Мы будем перехватывать и восстанавливать заголовок Glitch, после проверки его на тестирование. Примечание. Для настройки HTTPS на пользовательском веб-сайте требуется получение домена и сертификат SSL / TSL.
## Instructions
@@ -22,10 +20,10 @@ Note: Configuring HTTPS on a custom website requires the acquisition of a domain
```yml
tests:
- - text: helmet.hsts() middleware should be mounted correctly
- testString: getUserInput => $.get(getUserInput('url') + '/_api/app-info').then(data => { assert.include(data.appStack, 'hsts'); assert.property(data.headers, 'strict-transport-security'); }, xhr => { throw new Error(xhr.responseText); })
- - text: maxAge should be equal to 7776000 ms (90 days)
- testString: getUserInput => $.get(getUserInput('url') + '/_api/app-info').then(data => { assert.match(data.headers['strict-transport-security'], /^max-age=777600000;?/); }, xhr => { throw new Error(xhr.responseText); })
+ - text: Средство шлема helmet.hsts () должно быть правильно установлено
+ testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.include(data.appStack, "hsts"); assert.property(data.headers, "strict-transport-security"); }, xhr => { throw new Error(xhr.responseText); })'
+ - text: maxAge должно быть равно 7776000 мс (90 дней)
+ testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.match(data.headers["strict-transport-security"], /^max-age=7776000;?/); }, xhr => { throw new Error(xhr.responseText); })'
```
diff --git a/curriculum/challenges/spanish/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.spanish.md b/curriculum/challenges/spanish/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.spanish.md
index f5ae280664..6a3a776f29 100644
--- a/curriculum/challenges/spanish/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.spanish.md
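Review bot: The newly added label `+ - text: maxAge должно быть равно 7776000 мс (90 дней)` introduces "мс" (milliseconds) into the Russian file in the same commit that changes its description to `{maxAge: timeInSeconds, force: true}` and relabels the English test as `7776000 s (90 days)`; the unit here should be seconds, e.g. `maxAge должно быть равно 7776000 с (90 дней)`. The regex on the last added line, `/^max-age=7776000;?/`, is also unterminated after the number, so `max-age=77760000` would satisfy it; `/^max-age=7776000(?:;|$)/` makes the check exact.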
+++ b/curriculum/challenges/spanish/06-information-security-and-quality-assurance/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.spanish.md
@@ -7,7 +7,7 @@ localeTitle: Pida a los navegadores que accedan a su sitio a través de HTTPS so
---
## Description -
Como recordatorio, este proyecto se está construyendo sobre el siguiente proyecto de inicio en Glitch , o clonado desde GitHub . HTTP Strict Transport Security (HSTS) es una política de seguridad web que ayuda a proteger los sitios web contra ataques de degradación del protocolo y el secuestro de cookies. Si se puede acceder a su sitio web a través de HTTPS, puede solicitar a los navegadores de los usuarios que eviten el uso de HTTP inseguro. Al establecer el encabezado Strict-Transport-Security, le indica a los navegadores que utilicen HTTPS para las futuras solicitudes en un período de tiempo específico. Esto funcionará para las solicitudes que vienen después de la solicitud inicial. Configure helmet.hsts () para usar HTTPS durante los próximos 90 días. Pase el objeto de configuración {maxAge: timeInMilliseconds, force: true}. La falla ya tiene hsts habilitados. Para anular su configuración, debe establecer el campo "forzar" en verdadero en el objeto de configuración. Interceptaremos y restauraremos el encabezado de Glitch, después de inspeccionarlo para realizar pruebas. Nota: la configuración de HTTPS en un sitio web personalizado requiere la adquisición de un dominio y un certificado SSL / TSL.
+
Como recordatorio, este proyecto se está construyendo sobre el siguiente proyecto de inicio en Glitch , o clonado desde GitHub . HTTP Strict Transport Security (HSTS) es una política de seguridad web que ayuda a proteger los sitios web contra ataques de degradación del protocolo y el secuestro de cookies. Si se puede acceder a su sitio web a través de HTTPS, puede solicitar a los navegadores de los usuarios que eviten el uso de HTTP inseguro. Al establecer el encabezado Strict-Transport-Security, le indica a los navegadores que utilicen HTTPS para las futuras solicitudes en un período de tiempo específico. Esto funcionará para las solicitudes que vienen después de la solicitud inicial. Configure helmet.hsts () para usar HTTPS durante los próximos 90 días. Pase el objeto de configuración {maxAge: timeInSeconds, force: true}. La falla ya tiene hsts habilitados. Para anular su configuración, debe establecer el campo "forzar" en verdadero en el objeto de configuración. Interceptaremos y restauraremos el encabezado de Glitch, después de inspeccionarlo para realizar pruebas. Nota: la configuración de HTTPS en un sitio web personalizado requiere la adquisición de un dominio y un certificado SSL / TSL.
## Instructions
@@ -21,7 +21,7 @@ tests:
tests: - text: casco.hsts () middleware debe ser montado correctamente testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.include(data.appStack, "hsts"); assert.property(data.headers, "strict-transport-security"); }, xhr => { throw new Error(xhr.responseText); })' - text: maxAge debe ser igual a 7776000 ms (90 días)
- testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.match(data.headers["strict-transport-security"], /^max-age=777600000;?/); }, xhr => { throw new Error(xhr.responseText); })'
+ testString: 'getUserInput => $.get(getUserInput("url") + "/_api/app-info").then(data => { assert.match(data.headers["strict-transport-security"], /^max-age=7776000;?/); }, xhr => { throw new Error(xhr.responseText); })'
```
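Review bot: The context label `- text: maxAge debe ser igual a 7776000 ms (90 días)` in this hunk still says milliseconds, although the description of this same file was changed to `{maxAge: timeInSeconds, force: true}` and the English label in this patch now reads `7776000 s (90 days)`; it should become `maxAge debe ser igual a 7776000 s (90 días)`. The added regex `/^max-age=7776000;?/` also does not terminate the number, so `max-age=77760000` would still pass; `/^max-age=7776000(?:;|$)/` pins the value exactly.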