I'm using the Helmet and CORS packages in my node.js application. But I don't know what the difference between the two packages is, or their performance impact on the application. Also, by using these packages, will it secure my node.js application or add security to the client?
CodePudding user response:
Helmet is a nodejs package that helps protect your server from some well-known web vulnerabilities by setting HTTP response headers appropriately. It comes with a collection of several middleware functions that set security headers on the responses returned from your express application.
The top-level helmet function is a wrapper around 15 smaller middlewares.
It helps secure your express server from common attacks such as clickjacking and cross-site scripting; it also helps enforce secure HTTPS connections to your server, sets download options for vulnerable browsers, and covers a host of other vulnerabilities. As you see, it's an important package to have in your express app; it's actually listed among the packages to use under the production best practices on the official express website.
Cors, on the other hand, is a node.js package that provides your express app with middleware to enable Cross-Origin Resource Sharing (CORS), which is a mechanism that allows resources on your express app to be shared with external domains. It's important in making cross-domain requests possible in case they're needed.
A typical use case is developing a full-stack application where the static content like the HTML pages is not located within the domain of your express app, as in the case of local development where an angular or react app running on localhost:4200 needs to access your express app's resources served from localhost:3000; without CORS enabled this request will not be possible.
The Cors package equally exposes a rich interface to restrict access to resources to whitelisted domains; below is an example from the node.js CORS package:
    var express = require('express')
    var cors = require('cors')

    var app = express()

    // Only these origins may make cross-origin requests to the route below.
    var whitelist = ['http://example1.com', 'http://example2.com']

    var corsOptions = {
      // Called once per request with the value of the Origin request header.
      // Note: requests without an Origin header (same-origin, curl, server-to-server)
      // arrive with origin === undefined and are rejected by this check.
      origin: function (origin, callback) {
        if (whitelist.indexOf(origin) !== -1) {
          callback(null, true)                       // reflect this origin in Access-Control-Allow-Origin
        } else {
          callback(new Error('Not allowed by CORS')) // handed to express's error handler
        }
      }
    }

    // Apply the CORS middleware to this route only.
    app.get('/products/:id', cors(corsOptions), function (req, res, next) {
      res.json({msg: 'This is CORS-enabled for a whitelisted domain.'})
    })
Notice that only the whitelisted domains http://example1.com and http://example2.com are allowed to access the /products/:id route of the express server.
Summary
Helmet and Cors are 2 important node.js packages with different purposes. Helmet secures your express app by setting HTTP response headers appropriately, while Cors gives your express application access control to allow restricted resources to be accessed from external domains.
Performance-wise, both helmet and cors bring basic middleware functions with little or no performance effect; setting a couple of important HTTP headers will not negatively impact your server, I don't think so. And as a matter of fact, now you know the importance of using these packages in your express app and what they bring.
CodePudding user response:
In my opinion CORS is the best; you can easily eliminate the worst error, which is "breaking cors law", and also add some security to your node.js application by restricting it to accept connections from the origins you want. So, yes, it will secure your node.js app if you know how to set it right.