chore(i8n,learn): processed translations

This commit is contained in:
Crowdin Bot
2021-02-06 04:42:36 +00:00
committed by Mrugesh Mohapatra
parent 15047f2d90
commit e5c44a3ae5
3274 changed files with 172122 additions and 14164 deletions

View File

@@ -1,6 +1,6 @@
---
id: 587d8248367417b2b2512c3c
title: 要求浏览器通过HTTPS访问您的站点仅限于使用helmet.hsts
title: Ask Browsers to Access Your Site via HTTPS Only with helmet.hsts()
challengeType: 2
forumTopicId: 301573
dashedName: ask-browsers-to-access-your-site-via-https-only-with-helmet-hsts
@@ -8,19 +8,19 @@ dashedName: ask-browsers-to-access-your-site-via-https-only-with-helmet-hsts
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
HTTP 严格安全传输HSTS是一个能帮助我们抵御协议 [降级攻击](https://en.wikipedia.org/wiki/Downgrade_attack) 和 [Cookie 挟持](https://en.wikipedia.org/wiki/Session_hijacking) 的 WEB 安全协议。如果你的网站能够通过 HTTPS 访问,那么你就可以让你的用户避免使用不安全的 HTTP 协议访问。为此,你只需要在 header 中设置 Strict-Transport-Security 字段,以此来告诉浏览器在今后的一段时间内使用 HTTPS 来请求网站内容。这一设置对首次请求之后所以的后续请求都适用。
HTTP Strict Transport Security (HSTS) is a web security policy which helps to protect websites against protocol downgrade attacks and cookie hijacking. If your website can be accessed via HTTPS you can ask users browsers to avoid using insecure HTTP. By setting the header Strict-Transport-Security, you tell the browsers to use HTTPS for the future requests in a specified amount of time. This will work for the requests coming after the initial request.
# --instructions--
通过 `helmet.hsts()`网站会在未来的90天内使用 HTTPS。我们还可以传入配置对象 `{maxAge: timeInSeconds, force: true}`。Repl.it 默认已经开启 hsts但你仍然可以通过添加 `{force: true}` 来覆盖它。我们会拦截 Glitch 请求的 header 来进行此挑战的测试,然后恢复此项配置。
Configure `helmet.hsts()` to use HTTPS for the next 90 days. Pass the config object `{maxAge: timeInSeconds, force: true}`. You can create a variable `ninetyDaysInSeconds = 90*24*60*60;` to use for the `timeInSeconds`. Repl.it already has hsts enabled. To override its settings you need to set the field "force" to true in the config object. We will intercept and restore the Repl.it header, after inspecting it for testing.
注意: 配置 HTTPS 需要域名以及 SSL/TSL 证书。
Note: Configuring HTTPS on a custom website requires the acquisition of a domain, and a SSL/TLS Certificate.
# --hints--
应正确加载 helmet.hsts() 中间件
helmet.hsts() middleware should be mounted correctly
```js
(getUserInput) =>
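Review bot: grammar in the new description lines: `ask users browsers to avoid using insecure HTTP` should read `ask users' browsers`, and `a SSL/TLS Certificate` in the Note should read `an SSL/TLS certificate`. The closing sentence `This will work for the requests coming after the initial request` is the important caveat and is worth keeping prominent in the re-translation: the browser only honours the policy once it has seen the header, so the very first plain-HTTP visit is not protected by it.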
@@ -35,7 +35,7 @@ HTTP 严格安全传输HSTS是一个能帮助我们抵御协议 [降级攻
);
```
应将 maxAge 设置为 7776000 ms90 天)
maxAge should be equal to 7776000 s (90 days)
```js
(getUserInput) =>
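Review bot: unit check on the maxAge hint: `helmet.hsts()` takes `maxAge` in seconds, and the instructions define `ninetyDaysInSeconds = 90*24*60*60`, which is 7776000, so `7776000 s (90 days)` in the new hint is correct and the `ms` in the old translation was wrong. Make sure the Chinese hint is re-translated with seconds rather than carried over with milliseconds.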

View File

@@ -1,6 +1,6 @@
---
id: 587d8248367417b2b2512c3a
title: 使用 helment.noSniff() 来避免推断响应的 MIME 类型
title: Avoid Inferring the Response MIME Type with helmet.noSniff()
challengeType: 2
forumTopicId: 301574
dashedName: avoid-inferring-the-response-mime-type-with-helmet-nosniff
@@ -8,13 +8,15 @@ dashedName: avoid-inferring-the-response-mime-type-with-helmet-nosniff
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/). Browsers can use content or MIME sniffing to override response `Content-Type` headers to guess and process the data using an implicit content type. While this can be convenient in some scenarios, it can also lead to some dangerous attacks. This middleware sets the X-Content-Type-Options header to `nosniff`, instructing the browser to not bypass the provided `Content-Type`.
浏览器可以通过 content 或者 MIME 嗅探来判断不同的响应内容。这两个的优先级比 header 中的 Content-Type 高。这在一些情况下非常方便,但也会造成一定的安全风险。我们可以通过中间件来把 header 中的 X-Content-Type-Options 字段设置为 nosniff这样浏览器就不会绕过 header 中的 Content-Type 了。
# --instructions--
Use the `helmet.noSniff()` method on your server.
# --hints--
应正确加载 helmet.noSniff() 中间件
helmet.noSniff() middleware should be mounted correctly
```js
(getUserInput) =>
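Review bot: the starter-project reminder and the MIME-sniffing description have been run together on one line (the line beginning `As a reminder`), whereas the old translation kept them as two paragraphs; add a paragraph break after the GitHub link so the `X-Content-Type-Options` explanation renders on its own, matching the layout of the other challenges in this commit.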

View File

@@ -1,6 +1,6 @@
---
id: 587d8249367417b2b2512c40
title: 使用 helmet() 中间件来配置 Helmet
title: Configure Helmet Using the parent helmet() Middleware
challengeType: 2
forumTopicId: 301575
dashedName: configure-helmet-using-the-parent-helmet-middleware
@@ -8,32 +8,32 @@ dashedName: configure-helmet-using-the-parent-helmet-middleware
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
`app.use(helmet())` 会自动加载除了 `noCache()` `contentSecurityPolicy()` 以外的,上面所有提到的中间件。但如果需要的话,我们也可以手动加入这两个中间件。通过修改配置对象,你还可以启用或禁用其它中间件。
`app.use(helmet())` will automatically include all the middleware introduced above, except `noCache()`, and `contentSecurityPolicy()`, but these can be enabled if necessary. You can also disable or configure any other middleware individually, using a configuration object.
<h3>示例:</h3>
**Example:**
```js
app.use(helmet({
frameguard: { // 配置
frameguard: { // configure
action: 'deny'
},
contentSecurityPolicy: { // 启用并配置
contentSecurityPolicy: { // enable and configure
directives: {
defaultSrc: ["self"],
styleSrc: ['style.com'],
}
},
dnsPrefetchControl: false // 禁用
dnsPrefetchControl: false // disable
}))
```
为了方便教学和测试,我们会一个一个地引入中间件。但在实际项目中,通过使用父级的 `helmet()` 来实现是最清晰和简洁的。
We introduced each middleware separately for teaching purposes and for ease of testing. Using the parent `helmet()` middleware is easy to implement in a real project.
# --hints--
没有测试—这是一个介绍关卡
no tests - it's a descriptive challenge
```js
assert(true);
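Review bot: the example's `defaultSrc: ["self"]` drops the single quotes that the CSP keyword requires; the hint in the contentSecurityPolicy challenge in this same commit spells it `["'self'"]` and says the quotes are part of the keyword. Without them the browser reads `self` as a host name, so the policy would not actually allow the page's own origin. Suggest changing the example to `defaultSrc: ["'self'"]` so it agrees with the later challenge. The `--hints--` block is also missing its closing fence after `assert(true);` in the new text.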

View File

@@ -1,6 +1,6 @@
---
id: 587d8249367417b2b2512c3e
title: 使用 helment.noCache() 禁用客户端缓存
title: Disable Client-Side Caching with helmet.noCache()
challengeType: 2
forumTopicId: 301576
dashedName: disable-client-side-caching-with-helmet-nocache
@@ -8,13 +8,17 @@ dashedName: disable-client-side-caching-with-helmet-nocache
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
如果你为你的网站发布了一个更新,此时你一定想要用户看到最新的版本。为此,你可以通过禁用浏览器缓存来实现。而且,这个功能在开发环境中也非常有用。但另一方面,缓存可以为你的网站带来性能方面的提升,因此你应该只在必要的时候禁用缓存。
If you are releasing an update for your website, and you want the users to always download the newer version, you can (try to) disable caching on clients browser. It can be useful in development too. Caching has performance benefits, which you will lose, so only use this option when there is a real need.
# --instructions--
Use the `helmet.noCache()` method on your server.
# --hints--
应正确加载 helmet.noCache() 中间件
helmet.noCache() middleware should be mounted correctly
```js
(getUserInput) =>
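Review bot: `disable caching on clients browser` should read `on the client's browser` (or `on clients' browsers`). The `(try to)` hedge is worth keeping in the translation, since the header only asks the browser not to cache and cannot force it.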

View File

@@ -1,6 +1,6 @@
---
id: 587d8248367417b2b2512c3d
title: 使用 helmet.dnsPrefetchControl() 禁用 DNS 预获取
title: Disable DNS Prefetching with helmet.dnsPrefetchControl()
challengeType: 2
forumTopicId: 301577
dashedName: disable-dns-prefetching-with-helmet-dnsprefetchcontrol
@@ -8,13 +8,17 @@ dashedName: disable-dns-prefetching-with-helmet-dnsprefetchcontrol
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
为了提高性能,大部分浏览器都会为页面上的链接预先加载 DNS 记录。这样当用户点击一个链接的时候浏览器已经知道其 IP 地址了。但这也会造成 DNS 服务的过度使用(如果你有一个百万用户数量级的大型网站)、隐私问题(窃听者可以借此推测出你在访问哪个页面)、页面统计数据准确性(有些没访问过的链接会被标记成已访问)。如果你对安全性要求比较高,你应该禁用 DNS 预加载。当然,这样做会让你损失一些性能。
To improve performance, most browsers prefetch DNS records for the links in a page. In that way the destination ip is already known when the user clicks on a link. This may lead to over-use of the DNS service (if you own a big website, visited by millions people…), privacy issues (one eavesdropper could infer that you are on a certain page), or page statistics alteration (some links may appear visited even if they are not). If you have high security needs you can disable DNS prefetching, at the cost of a performance penalty.
# --instructions--
Use the `helmet.dnsPrefetchControl()` method on your server.
# --hints--
应正确加载 helmet.dnsPrefetchControl() 中间件
helmet.dnsPrefetchControl() middleware should be mounted correctly
```js
(getUserInput) =>
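Review bot: minor wording in the new description: `the destination ip` should be `IP`, and `visited by millions people…` should be `visited by millions of people`. The privacy point (an eavesdropper on DNS can infer which page is open from the prefetched names) is the security-relevant reason for the header and should survive intact in the re-translation.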

View File

@@ -1,6 +1,6 @@
---
id: 58a25bcff9fc0f352b528e7d
title: 哈希和异步比较密码
title: Hash and Compare Passwords Asynchronously
challengeType: 2
forumTopicId: 301578
dashedName: hash-and-compare-passwords-asynchronously
@@ -8,21 +8,21 @@ dashedName: hash-and-compare-passwords-asynchronously
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-bcrypt), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-bcrypt/).
由于哈希运算会占用很大计算机资源并且会耗费比较多时间,因此比较推荐的做法是异步调用哈希算法,这样就不会因此阻止其它连接或请求了。异步调用哈希方法非常简单,只需要:
As hashing is designed to be computationally intensive, it is recommended to do so asynchronously on your server as to avoid blocking incoming connections while you hash. All you have to do to hash a password asynchronous is call
```js
bcrypt.hash(myPlaintextPassword, saltRounds, (err, hash) => {
/* 在数据库中存储 hash */
/*Store hash in your db*/
});
```
# --instructions--
把这段哈希方法添加到你的服务器(我们已经定义好这个方法的变量给你直接使用了),然后你可以尝试在控制台输出。之后,我们通常需要把哈希的结果保存到数据库。
Add this hashing function to your server(we've already defined the variables used in the function for you to use) and log it to the console for you to see! At this point you would normally save the hash to your database.
当你需要对比用户输入的值是否和之前哈希过的值一样的时候,只需要调用对比函数:
Now when you need to figure out if a new input is the same data as the hash you would just use the compare function.
```js
bcrypt.compare(myPlaintextPassword, hash, (err, res) => {
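Review bot: the English reminder now links the boilerplate-bcrypt starter while the old Chinese line still links boilerplate-infosec; the re-translation needs the bcrypt link, consistent with the "new starter project" note in the Understand BCrypt Hashes challenge. Also `All you have to do to hash a password asynchronous is call` should read `asynchronously is to call`, and `server(we've` needs a space before the parenthesis.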
@@ -30,7 +30,7 @@ bcrypt.compare(myPlaintextPassword, hash, (err, res) => {
});
```
当控制台输出生成的哈希并在对比的回调中输出结果后,我们就可以将其添加到现有的哈希函数中。控制台中会首先输出一个哈希结果,然后输出 `true`。如果将比较函数中的 "myPlaintextPassword" 更改为 "someOtherPlaintextPassword",则比较的结果应显示 `false`
Add this into your existing hash function(since you need to wait for the hash to complete before calling the compare function) after you log the completed hash and log 'res' to the console within the compare. You should see in the console a hash then 'true' is printed! If you change 'myPlaintextPassword' in the compare function to 'someOtherPlaintextPassword' then it should say false.
```js
bcrypt.hash('passw0rd!', 13, (err, hash) => {
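Review bot: `existing hash function(since` needs a space before the parenthesis, and `You should see in the console a hash then 'true' is printed!` reads better as `You should see a hash printed to the console, followed by 'true'`. The parenthetical about nesting the compare inside the hash callback is the key reasoning here (the hash does not exist until that callback runs) and should be kept in the translation.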
@@ -43,11 +43,11 @@ bcrypt.hash('passw0rd!', 13, (err, hash) => {
```
请在完成挑战后提交你的页面。
Submit your page when you think you've got it right.
# --hints--
应异步地进行哈希并正确地执行对比
Async hash should be generated and correctly compared.
```js
(getUserInput) =>

View File

@@ -1,6 +1,6 @@
---
id: 58a25bcff9fc0f352b528e7e
title: 哈希和同步比较密码
title: Hash and Compare Passwords Synchronously
challengeType: 2
forumTopicId: 301579
dashedName: hash-and-compare-passwords-synchronously
@@ -8,31 +8,31 @@ dashedName: hash-and-compare-passwords-synchronously
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-bcrypt), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-bcrypt/).
同步执行哈希运算是非常简单的,但这会在哈希计算量大并且次数多的情况下造成延迟。如果想要同步执行哈希运算,只需要这样调用:
Hashing synchronously is just as easy to do but can cause lag if using it server side with a high cost or with hashing done very often. Hashing with this method is as easy as calling
```js
var hash = bcrypt.hashSync(myPlaintextPassword, saltRounds);
```
把同步哈希的方法添加到你的代码并在控制台输出。和之前一样,我们已经为你定义好了你需要使用的变量,你不需要做任何改动。你可能注意到,即使你对同一个密码进行哈希运算,同步哈希和异步哈希的结果也是不一样的。这是因为每次哈希的盐都是随机生成的,这种随机反映在前 22 个字符的不同上。 当你需要对比用户输入的值是否和之前哈希过的值一样的时候,只需要调用对比函数:
Add this method of hashing to your code and then log the result to the console. Again, the variables used are already defined in the server so you won't need to adjust them. You may notice even though you are hashing the same password as in the async function, the result in the console is different- this is due to the salt being randomly generated each time as seen by the first 22 characters in the third string of the hash. Now to compare a password input with the new sync hash, you would use the compareSync method:
```js
var result = bcrypt.compareSync(myPlaintextPassword, hash);
```
返回的结果为 `true``false`
with the result being a boolean true or false.
# --instructions--
请添加这个方法,并把结果输出到控制台,以此来验证同步哈希操作是否成功。
Add the function in and log the result to the console to see it working.
请在完成挑战后提交你的页面。
Submit your page when you think you've got it right.
# --hints--
应同步地进行哈希并正确地执行对比
Sync hash should be generated and correctly compared.
```js
(getUserInput) =>
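Review bot: `the result in the console is different- this is due` should be `different; this is due`. The explanation that follows (a fresh random salt in the first 22 characters of the third `$`-delimited part) is the right one, and it also explains why `compareSync` must be given the stored hash rather than a freshly computed one, since re-hashing the same password never reproduces the same string.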

View File

@@ -1,6 +1,6 @@
---
id: 587d8247367417b2b2512c37
title: 使用 helmet.hidePoweredBy() 隐藏潜在的危险信息
title: Hide Potentially Dangerous Information Using helmet.hidePoweredBy()
challengeType: 2
forumTopicId: 301580
dashedName: hide-potentially-dangerous-information-using-helmet-hidepoweredby
@@ -8,13 +8,13 @@ dashedName: hide-potentially-dangerous-information-using-helmet-hidepoweredby
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
如果黑客发现你的网站是用 Express 搭建的,那么他们就可以利用 Express 或 Node 现存的漏洞来攻击你的网站。`X-Powered-By: Express` 默认情况下会添加到所有响应的 header。不过 `helmet.hidePoweredBy()` 中间件可以帮你把 header 中的 X-Powered-By 字段移除。你甚至可以把它设置成其它的值来骗过黑客,比如 `app.use(helmet.hidePoweredBy({ setTo: 'PHP 4.2.0' }))`
Hackers can exploit known vulnerabilities in Express/Node if they see that your site is powered by Express. X-Powered-By: Express is sent in every request coming from Express by default. The `helmet.hidePoweredBy()` middleware will remove the X-Powered-By header. You can also explicitly set the header to something else, to throw people off. e.g. `app.use(helmet.hidePoweredBy({ setTo: 'PHP 4.2.0' }))`
# --hints--
应正确地加载 helmet.hidePoweredBy() 中间件
helmet.hidePoweredBy() middleware should be mounted correctly
```js
(getUserInput) =>
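Review bot: `X-Powered-By: Express is sent in every request coming from Express` has the direction wrong; it is a response header that Express adds to every response by default, which is also what the middleware removes. Suggest `is sent in every response from Express by default`. Worth making clear in the same paragraph that removing or spoofing the header only reduces fingerprinting; the defence against the "known vulnerabilities in Express/Node" the text mentions is keeping both patched.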

View File

@@ -1,6 +1,6 @@
---
id: 587d8247367417b2b2512c36
title: 安装和引入 Helmet
title: Install and Require Helmet
challengeType: 2
forumTopicId: 301581
dashedName: install-and-require-helmet
@@ -8,17 +8,19 @@ dashedName: install-and-require-helmet
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
Helmet 通过配置不同的 HTTP header 信息来使你的 Express 应用更加安全。
Helmet helps you secure your Express apps by setting various HTTP headers.
# --instructions--
安装版本号为 `3.21.3` 的 Helmet,并引入它。
All your code for these lessons goes in the `myApp.js` file between the lines of code we have started you off with. Do not change or delete the code we have added for you.
Install Helmet version `3.21.3`, then require it.
# --hints--
`package.json` 中应存在版本号为 `3.21.3``helmet` 依赖项
`helmet` version `3.21.3` should be in `package.json`
```js
(getUserInput) =>

View File

@@ -1,6 +1,6 @@
---
id: 587d8247367417b2b2512c38
title: 使用 helmet.frameguard() 降低点击劫持的风险
title: Mitigate the Risk of Clickjacking with helmet.frameguard()
challengeType: 2
forumTopicId: 301582
dashedName: mitigate-the-risk-of-clickjacking-with-helmet-frameguard
@@ -8,17 +8,19 @@ dashedName: mitigate-the-risk-of-clickjacking-with-helmet-frameguard
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
黑客可能会不经过你的允许,把你的页面嵌套在 \``或者`</code> 标签里,用以实现“点击劫持”。点击劫持是一种视觉上的欺骗手段,让用户误以为自己在与所看到的网页交互。通过 iframe黑客可以在你的页面上添加一个透明的“层”然后把自己的恶意代码放在一个用户看不到的按钮中。这样一来你网站的执行环境就被黑客设置成了他想要的效果。helmet 中间件可以设置 header 中的 X-Frame-Options 字段,这样我们就能设置哪些人才可以通过 frame/iframe 引入我们的页面了。这个配置有三个选项:DENYSAMEORIGINALLOW-FROM。 在这个挑战中,我们的应用不需要被 iframe 引用。 </section>\`
Your page could be put in a `<frame>` or `<iframe>` without your consent. This can result in clickjacking attacks, among other things. Clickjacking is a technique of tricking a user into interacting with a page different from what the user thinks it is. This can be obtained executing your page in a malicious context, by mean of iframing. In that context a hacker can put a hidden layer over your page. Hidden buttons can be used to run bad scripts. This middleware sets the X-Frame-Options header. It restricts who can put your site in a frame. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM.
We dont need our app to be framed.
# --instructions--
请调用 `helmet.frameguard()`,并传入配置对象 `{action: 'deny'}`
Use `helmet.frameguard()` passing with the configuration object `{action: 'deny'}`.
# --hints--
应正确加载 helmet.frameguard() 中间件
helmet.frameguard() middleware should be mounted correctly
```js
(getUserInput) =>
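Review bot: the old Chinese description line is carrying escaped backticks and a stray `</section>` tag from an earlier conversion, so the re-translation should start from the clean English rather than the old string. In the new text, `by mean of iframing` should read `by means of iframing`, `Hidden buttons can be used to run bad scripts` is vague (the point is that the user's clicks land on the framed page's controls), and `We dont need our app to be framed` needs the apostrophe.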
@@ -36,7 +38,7 @@ dashedName: mitigate-the-risk-of-clickjacking-with-helmet-frameguard
);
```
应将 helmet.frameguard() 中的 action 值设置为 'DENY'
helmet.frameguard() 'action' should be set to 'DENY'
```js
(getUserInput) =>
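Review bot: the hint says `'action' should be set to 'DENY'` while the instructions pass `{action: 'deny'}` in lowercase; `DENY` is the value that ends up in the `X-Frame-Options` header, but the config value learners type is `'deny'`. Align the hint wording with the instructions (or state that it refers to the header value) so the case difference does not read as a requirement.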

View File

@@ -1,6 +1,7 @@
---
id: 587d8247367417b2b2512c39
title: 使用 helmet.xssFilter() 降低跨站点脚本XSS攻击的风险
title: >-
Mitigate the Risk of Cross Site Scripting (XSS) Attacks with helmet.xssFilter()
challengeType: 2
forumTopicId: 301583
dashedName: mitigate-the-risk-of-cross-site-scripting-xss-attacks-with-helmet-xssfilter
@@ -8,21 +9,23 @@ dashedName: mitigate-the-risk-of-cross-site-scripting-xss-attacks-with-helmet-xs
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
跨站脚本攻击XSS是一种比较常见的攻击手段通过给页面注入恶意脚本来获取用户的 session cookie 和密码等信息。
Cross-site scripting (XSS) is a frequent type of attack where malicious scripts are injected into vulnerable pages, with the purpose of stealing sensitive data like session cookies, or passwords.
防止这类型的攻击也非常简单“永远不要相信用户的输入”。作为一名开发人员你一定要对所有外部的输入进行审查其中包括来自表单、GET 请求的 URL、POST 请求主体的内容等。审核的意思是,你需要查找并给有潜在风险的字符进行编码,比如 &lt; >
The basic rule to lower the risk of an XSS attack is simple: “Never trust users input”. As a developer you should always sanitize all the input coming from the outside. This includes data coming from forms, GET query urls, and even from POST bodies. Sanitizing means that you should find and encode the characters that may be dangerous e.g. &lt;, >.
现代浏览器中已经存在有效的策略来应对这一类问题。通常是通过配置 HTTP 请求的 header 来实现。
Modern browsers can help mitigating the risk by adopting better software strategies. Often these are configurable via http headers.
HTTP header 的 X-XSS-Protection 字段就可以为我们提供最基本的保护。浏览器通过启发式过滤法则来检测有潜在风险的注入脚本,如果这个 header 字段被启用,浏览器就会改变脚本中存在风险的代码,从而使恶意代码不再生效。
The X-XSS-Protection HTTP header is a basic protection. The browser detects a potential injected script using a heuristic filter. If the header is enabled, the browser changes the script code, neutralizing it. It still has limited support.
但是浏览器对这个功能的支持十分有限。
# --instructions--
Use `helmet.xssFilter()` to sanitize input sent to your server.
# --hints--
应正确加载 helmet.xssFilter() 中间件
helmet.xssFilter() middleware should be mounted correctly
```js
(getUserInput) =>
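Review bot: `Use helmet.xssFilter() to sanitize input sent to your server` overstates what the middleware does: it only sets the `X-XSS-Protection` response header, as the description itself says, and does not sanitize anything server-side. The sanitizing described in the "Never trust users input" paragraph still has to be done in your own code; suggest `Use helmet.xssFilter() to set the X-XSS-Protection header`. Also `Never trust users input` should be `users' input` and `can help mitigating` should be `can help mitigate`.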

View File

@@ -1,6 +1,6 @@
---
id: 587d8248367417b2b2512c3b
title: 使用 helment.ieNoOpen() 防止 IE 打开不受信任的 HTML
title: Prevent IE from Opening Untrusted HTML with helmet.ieNoOpen()
challengeType: 2
forumTopicId: 301584
dashedName: prevent-ie-from-opening-untrusted-html-with-helmet-ienoopen
@@ -8,13 +8,17 @@ dashedName: prevent-ie-from-opening-untrusted-html-with-helmet-ienoopen
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
有些网站会下载不安全的 HTML 文件,某些版本的 IE 默认情况下还会在你网站的作用域下打开这些 HTML 文件。换句话说,这些不安全的 HTML 页面可以在你的网站做恶意行为。我们可以通过中间件来设置 header 中的 X-Download-Options 字段,让它的值为 noopen。这样就可以防止 IE 在不信任的网站下执行下载的文件。
Some web applications will serve untrusted HTML for download. Some versions of Internet Explorer by default open those HTML files in the context of your site. This means that an untrusted HTML page could start doing bad things in the context of your pages. This middleware sets the X-Download-Options header to noopen. This will prevent IE users from executing downloads in the trusted sites context.
# --instructions--
Use the `helmet.ieNoOpen()` method on your server.
# --hints--
应正确加载 helmet.ieNoOpen() 中间件
helmet.ieNoOpen() middleware should be mounted correctly
```js
(getUserInput) =>
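Review bot: `executing downloads in the trusted sites context` should read `in the trusted site's context`. Otherwise the description correctly ties `X-Download-Options: noopen` to the specific problem (downloaded HTML being opened with the serving site's origin).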

View File

@@ -1,6 +1,6 @@
---
id: 587d8249367417b2b2512c3f
title: 使用 helment.contentSecurityPolicy() 设置内容安全策略
title: Set a Content Security Policy with helmet.contentSecurityPolicy()
challengeType: 2
forumTopicId: 301585
dashedName: set-a-content-security-policy-with-helmet-contentsecuritypolicy
@@ -8,21 +8,21 @@ dashedName: set-a-content-security-policy-with-helmet-contentsecuritypolicy
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
As a reminder, this project is being built upon the following starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-infosec), or cloned from [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/).
在这个挑战中,我们要重点讨论现代浏览器中一种有效并且能大幅度减轻安全风险和很多种类型常见攻击的安全防护。通过配置内容安全策略,你可以防止很多类型的脚本恶意注入。这会让你的应用远离 XSS 漏洞、恶意追踪、恶意 frames 和很多其他攻击。CSP 通过配置资源白名单来避免这些问题。你可以给任何一种类型的页面资源脚本、样式文件、字体、frames、媒体文件等做这个配置。它支持很多指令所以网站管理员可以做细致的控制。更多详情请参考 HTML 5 Rocks KeyCDN。不幸的是,一些旧的浏览器不支持 CSP。
This challenge highlights one promising new defense that can significantly reduce the risk and impact of many type of attacks in modern browsers. By setting and configuring a Content Security Policy you can prevent the injection of anything unintended into your page. This will protect your app from XSS vulnerabilities, undesired tracking, malicious frames, and much more. CSP works by defining an allowed list of content sources which are trusted. You can configure them for each kind of resource a web page may need (scripts, stylesheets, fonts, frames, media, and so on…). There are multiple directives available, so a website owner can have a granular control. See HTML 5 Rocks, KeyCDN for more details. Unfortunately CSP is unsupported by older browser.
默认的指令很容易受到攻击, 所以设置 defaultSrc 指令作为降级方案很重要。Helmet 同时支持 defaultSrc default-src 命名规范。降级方案可以应用在大部分指令上。
By default, directives are wide open, so its important to set the defaultSrc directive as a fallback. Helmet supports both defaultSrc and default-src naming styles. The fallback applies for most of the unspecified directives.
# --instructions--
在这个练习中,我们使用 `helmet.contentSecurityPolicy()` 并配置 `defaultSrc` `["self"]`(允许的资源列表必须在一个数组当中)。这样做表示只信任自己网站的域名。另外,配置 `scriptSrc` 指令可以限制脚本只能本网站域名上或者信任的域名 'trusted-cdn.com' 上下载。
In this exercise, use `helmet.contentSecurityPolicy()`, and configure it setting the `defaultSrc directive` to `["self"]` (the list of allowed sources must be in an array), in order to trust only your website address by default. Set also the `scriptSrc` directive so that you will allow scripts to be downloaded from your website, and from the domain 'trusted-cdn.com'.
提示: 在 `self` 关键词中, 单引号也是关键词的一部分, 所以你应该用双引号来包起它才能正常工作。
Hint: in the `self` keyword, the single quotes are part of the keyword itself, so it needs to be enclosed in double quotes to be working.
# --hints--
应正确加载 helmet.csp() 中间件
helmet.csp() middleware should be mounted correctly
```js
(getUserInput) =>
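Review bot: the hint refers to `helmet.csp()` while the instructions tell the learner to use `helmet.contentSecurityPolicy()`; use the same name in both so the hint does not look like a different method. In the description, `many type of attacks` should be `many types of attacks`, `unsupported by older browser` should be `browsers`, and `so its important` needs the apostrophe; the backticks in `` `defaultSrc directive` `` should enclose only `defaultSrc`.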
@@ -36,7 +36,7 @@ dashedName: set-a-content-security-policy-with-helmet-contentsecuritypolicy
);
```
你的 csp 配置不正确,defaultSrc 应为 ["'self'"] 并且 scriptSrc 应为 ["'self'", 'trusted-cdn.com']
Your csp config is not correct. defaultSrc should be ["'self'"] and scriptSrc should be ["'self'", 'trusted-cdn.com']
```js
(getUserInput) =>

View File

@@ -1,6 +1,6 @@
---
id: 58a25bcef9fc0f352b528e7c
title: 了解 BCrypt 的哈希加密
title: Understand BCrypt Hashes
challengeType: 2
forumTopicId: 301586
dashedName: understand-bcrypt-hashes
@@ -8,21 +8,23 @@ dashedName: understand-bcrypt-hashes
# --description--
请注意,本项目在 [这个 Repl.it 项目](https://repl.it/github/freeCodeCamp/boilerplate-infosec) 的基础上进行开发。你也可以从 [GitHub](https://github.com/freeCodeCamp/boilerplate-infosec/) 上克隆。
For the following challenges, you will be working with a new starter project that is different from the previous one. You can find the new starter project on [Repl.it](https://repl.it/github/freeCodeCamp/boilerplate-bcrypt), or clone it from [GitHub](https://github.com/freeCodeCamp/boilerplate-bcrypt/).
BCrypt 哈希非常安全。哈希其实就是原数据的加密形式,结果唯一;通过把原始数据放进哈希算法然后返回固定长度的字符串实现。为了让这个过程更加复杂和安全,你还可以加你的哈希添加 *盐*。加盐其实就是给在哈希算法执行前给源数据添加随机的字符串数据,这会让破解哈希结果更加复杂
BCrypt hashes are very secure. A hash is basically a fingerprint of the original data- always unique. This is accomplished by feeding the original data into an algorithm and returning a fixed length result. To further complicate this process and make it more secure, you can also *salt* your hash. Salting your hash involves adding random data to the original data before the hashing process which makes it even harder to crack the hash.
BCrypt 的哈希结果会是这样 `$2a$13$ZyprE5MRw2Q3WpNOGZWGbeG7ADUre1Q8QO.uUUtcbqloU0yvzavOm`。它遵循固定的结构,前面一小节 `$2a` 说明了该哈希采用什么算法。下一部分 `$13` 定义了 *cost*。cost 就是生成此哈希结果所用到的资源数量级;它是 2^cost 的对数,可以表说单位时间内数据放入哈希算法的次数。举个例子,cost 10 的意思就是说你能够在一个普通的计算机上每秒钟计算出 10 个密码的哈希结果。然而,如果 cost 15,那计算每个哈希结果就要 3 秒钟。再举例子,如果 cost 31,那每次哈希运算需要话费好几天才能完成。通常 cost 12 的哈希运算就已经足够安全。哈希结果的最后一部分 `$ZyprE5MRw2Q3WpNOGZWGbeG7ADUre1Q8QO.uUUtcbqloU0yvzavOm` 看起来像是由随机数字、点和字母组成的字符串,但实际上它有两部分内容。前面 22 个字符是加入的盐,剩下的就是加密过的密码!
BCrypt hashes will always looks like `$2a$13$ZyprE5MRw2Q3WpNOGZWGbeG7ADUre1Q8QO.uUUtcbqloU0yvzavOm` which does have a structure. The first small bit of data `$2a` is defining what kind of hash algorithm was used. The next portion `$13` defines the *cost*. Cost is about how much power it takes to compute the hash. It is on a logarithmic scale of 2^cost and determines how many times the data is put through the hashing algorithm. For example, at a cost of 10 you are able to hash 10 passwords a second on an average computer, however at a cost of 15 it takes 3 seconds per hash... and to take it further, at a cost of 31 it would takes multiple days to complete a hash. A cost of 12 is considered very secure at this time. The last portion of your hash `$ZyprE5MRw2Q3WpNOGZWGbeG7ADUre1Q8QO.uUUtcbqloU0yvzavOm`, looks like one large string of numbers, periods, and letters but it is actually two separate pieces of information. The first 22 characters is the salt in plain text, and the rest is the hashed password!
# --instructions--
要开始使用 BCrypt, 只需将它添加到你的依赖列表,然后在你的服务器引入 'bcrypt'。
To begin using BCrypt, add it as a dependency in your project and require it as 'bcrypt' in your server.
请在完成挑战后提交你的页面。
Add all your code for these lessons in the `server.js` file between the code we have started you off with. Do not change or delete the code we have added for you.
Submit your page when you think you've got it right.
# --hints--
应添加 BCyrpt 至依赖列表
BCrypt should be a dependency.
```js
(getUserInput) =>
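Review bot: the English now tells learners this is a new starter project (boilerplate-bcrypt) while the old Chinese reminder still links boilerplate-infosec, so the re-translation must not reuse the old reminder string. In the description, `at a cost of 31 it would takes` should be `would take`, and `The first 22 characters is the salt` should be `are the salt`. The old Chinese hint line spells the library `BCyrpt`; the re-translation should use `BCrypt`.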
@@ -41,7 +43,7 @@ BCrypt 的哈希结果会是这样 `$2a$13$ZyprE5MRw2Q3WpNOGZWGbeG7ADUre1Q8QO.uU
);
```
应正确引入 BCrypt
BCrypt should be properly required.
```js
(getUserInput) =>