Strapi Security Checklist - Securing your Strapi App

Captions
What's up, I'm Alex the Entreprenerd and this video is your Strapi security checklist. I've been extremely paranoid and I like to take a safe approach when it comes to security, you know, especially when it comes to deploying Strapi into production. So in this video I'm gonna be as exhaustive as I can, covering all the angles, so I want you to watch this entire video so that you have a full perspective as to your security options, and then when it comes to actually implementing them, use your best judgment and take action on the items that you think are reasonable. So we're going to be covering a bunch of stuff. Specifically we're gonna be covering the credentials being injected, so we're gonna make sure you avoid leaking any development credentials. Then we're gonna talk about validation, then sanitization, then we're going to talk about the roles and permissions policy usage, which I think is a huge deal, and then data leakage, which is the subtlest of the problems you may be facing when dealing with Strapi. Let's get started right now.

So the first thing is the credentials injected. As of the latest Strapi release, Strapi is natively compatible with .env files, so you have no excuse not to use them; you should be using .env at all times. Additionally you should be avoiding this example that I'm showing you here in the bottom right corner. You should avoid this; this is a bad example of leaking your development credentials. Whenever you're working with your development, even if you're working in a development environment, just use injected variables anyway. It's very simple to set up through a shared .env file, so make sure to do that.

Next up is validation. Strapi's ORM provides a thin layer of validation. That means that even though there is no real validation in Strapi as of now, the way the internals of Strapi work and the way the database works will make it so that most of the time, whenever you're making a write with data that doesn't correspond, Strapi will try to cast it to a type that actually works. But most of the time, especially if you're working with PostgreSQL, those little writes will actually fail. That means that if you try and insert a string into a number type you will actually get an exception; however, you're gonna get a very generic one, you're just gonna get a 500 from the server, you're not gonna get "please use a specific type" kind of error messages. In order to add those you could use Joi. This is something that I don't cover in this video, but I would highly recommend you looking into Joi, which is the de facto standard way to validate data types, especially when it comes to npm. So you can check it out at hapijs/joi. You simply define a schema as you can see here on the left, and then you validate it, and the validate will also generate an error object which you can use to send back straight as an answer from your endpoint. So it's a very convenient tool, highly recommended.

Next up we got sanitization. It's a fact that Strapi provides sanitization at ORM level; that's because both Mongoose and Bookshelf provide sanitization of your data through, for example, prepared statements and all sorts of escaping automatically. So technically speaking, sanitization is already provided at your ORM level. However, especially when I have to deal with user HTML inputs, I actually prefer to run my data through this package which is called sanitize-html, which is also used for other CMSs, and it's a package that I highly, highly, highly recommend. And so if you want to take that extra step, you can always just use sanitize-html: you sanitize your entity and then you throw it in the database and you're good to go. So this is my recommendation when it comes to that.

Roles and permissions are kind of a flaky compromise when it comes to how Strapi is set up. The problem is that roles and permissions are stored in the database, which makes it a little hard to migrate them. That's why I put this in the checklist, and basically whenever you redeploy your Strapi install, you just have to open up your roles and permissions and you have to check that they're all set up properly. So my recommendation would be to have a document that may contain, for example, pictures or a list of all of your roles and permissions, or how you set them up, and you most likely want to periodically check on that and ensure that everything works. And so roles and permissions actually typically end up looking a little something like this, which is a very unfortunate scenario but it's also a very practical one. You should not be doing this; this is like a red flag, but this is most likely what's going to happen if you work with a lot of developers, because nobody's gonna want to spend an hour trying to figure out what's going on, they're just gonna approve all of the endpoints. In order to counteract that (which I still avoid doing), I actually have an extremely strong approach by using policies, and the reason why I use policies is because you can commit policies to your source control, which means that you can have an image of all of your routes. I'm gonna preview that in a second, but basically you can have an image of all of your routes all set up with proper policies, so that you can have an immediate high-level overview of what is required in order to interact with any endpoint. In my opinion this is the proper way to set it up, because you can commit all of it to source control, and that's why I highly recommend it. I go over policies in a separate video in the Complete Strapi Course, and if you're not part of the Complete Strapi Course I highly recommend you check that out. It's very inexpensive and it's basically a 20-plus-hour course based on extreme practice, in which you practice all of the things that I teach you, and it also has theory snippets such as this video that I'm showing you right now. That said, I'm gonna go briefly over the policies.

One of the policies that you can get from the documentation is a policy that checks if the user is logged in. This will ensure that even if somebody by mistake activates all of the roles and permissions, only a logged-in user will be able to access the route. For more critical routes I like to use this policy called always-fail, which makes it so that the route is completely unusable. This gives me the confidence that nobody can tamper with the route, but it still leaves administrator users (the ones that access the Strapi admin panel) able to delete and edit content types. So it's typically a good idea, especially if you're dealing with payments, logs, any kind of event, to just use this always-fail policy, which will always return a failure, just as an extra security measure. That's what I found. Additionally, other policies that I cover are the is-owner policy (the logged-in user is the owner), which basically ensures that you can only view your own data; it's a great policy when it comes to showing orders, private data, basically anything that has to do with a separate collection type, so a collection type that is not the user type. On the other end, if you have to write a similar policy to show your own user profile data, you're gonna have to write a policy called is-my-profile that checks that you're checking only your own specific profile. I show you how to set this up and use them in the Complete Strapi Course; however, the quick rundown, the quick security tip that I have to give you, is that you can just use these policies, you can put them in your routes.json, and that way you're gonna be sure that all of your data is properly set up.

The last topic that I want to cover is called data leakage, and it's actually the most subtle one. If you're interested in a consultation, you can take a consultation call with me on Codementor to talk about data leakage, because unfortunately it's very subtle and a case-by-case issue, but I'm gonna try my best to show you an example. So I have a Strapi install, which is the Strapi policies demo, which is a publicly available example that I published in the Complete Strapi Course and on GitHub. Basically you have your articles collection type, which is basically an article, and it belongs to a user, and then I have my users, and my users are associated with articles. Users may also have secret credentials, so let's say this is a hash of a credit card; this is something that you don't want to share. Or an address: you don't want to share your address, this is supposed to be private, right? So this is a classic example of data leakage. What I'm gonna do is I'm gonna go on Postman, I'm gonna try and make a GET request to the articles, and if I do you'll see that whenever I retrieve the article (in this case I only have one article, associated with this user) you can see that I'm getting all of the info for my user, which means that the articles endpoint is leaking my user data. And this is a huge deal; this is basically putting you in violation of any European privacy law by default, and it's also probably putting you in a lot of trouble with your customers. So you definitely wanna do a security audit for the leakage, and let me show you how to solve this specific issue.

So I'm gonna go on my code and I'm gonna show you where I'm at. Basically let's look at the api folder for a second: we're gonna have the api folder and we're gonna have the extensions folder. Due to the fact that we extended the user profile, the extensions folder will contain a subfolder called users-permissions, which contains the user profile inside of the models. So we're gonna have users-permissions and the models subfolder and the User.settings.json, which represents the user, and you can see a couple of data fields that I don't necessarily want to be showing, okay: the secret and the address. So this is the user profile. Additionally, if I go in api/article/config... my bad, in api/article/models/article.settings.json, you can see my user profile data here. So what I can do in the article.settings.json is I can set this user object by going here on line 19, adding a comma and going on a new line, and I can set that to be private. I can type literally `private: true`, and if I do that, this single change of one line of code makes it so that if I request my articles I am no longer able to retrieve the user data, which basically makes it so that the articles are not leaking the users. However, I will still be able to use filters that are related to user, so I can still do all of the convenient stuff the Strapi ORM offers: I can type `user=1` and I will still be able to fetch the articles that the user wrote, so it is still gonna work. Additionally, whenever you're working with the articles collection type on the Strapi side of the back end, you will still have access to the user data in its entirety; you're still gonna be able to manipulate all of it, but simply you're not gonna be leaking that when you send it back as an API response.

The same thing can be done... so I'm just gonna set it again to public, just for the sake of demonstration. The same approach could be done by cleaning up the user object, so you can go in the User.settings.json and you can set any of these credentials. So let's say that this secret credit card info can be set to private as well, and perhaps even the address could be set to private. From my experience, addresses are best used as a relationship, so that way you have a little more granular settings in the security. But that basically means that if I make a new request I'm not gonna be able to get that secret and that address, which a malicious attacker may be interested in. So at this point you have your tools to defend yourself. You clearly are gonna have to go through every single content type, every single relationship (typically relationships are where you want to be very, very careful with using the private field, but especially with the user object). That said, if you need a security consultation or security audit when it comes to Strapi, we can arrange that on Codementor for a live session; it should be as simple as setting up a screen share and just going through your code together. That said, let me know if you have any questions related to security. I appreciate your time very much and I wish you an amazing day.
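As an added illustration (not code from the video, the course demo, or Strapi itself), the constructed model definitions below mirror the `private: true` change to article.settings.json and User.settings.json described in the captions, and a small function reimplements its visible effect: private attributes are dropped from a response, following relations, so a GET on articles no longer carries the user's secret or address. The model shapes, the `leakCheck` helper and the sample article record are all constructed for this example.

```javascript
// Constructed model definitions in the shape of the "attributes" block of a
// Strapi v3 *.settings.json file. `private: true` tells Strapi to drop that
// attribute from API responses; it is the one-line fix from the video.
const models = {
  user: {
    attributes: {
      username: { type: "string" },
      email: { type: "email" },
      secret: { type: "string", private: true },  // e.g. a credit-card hash
      address: { type: "string", private: true },
      articles: { collection: "article", via: "user" },
    },
  },
  article: {
    attributes: {
      title: { type: "string" },
      body: { type: "text" },
      // Flip this to `private: true` to hide the whole author object from /articles.
      user: { model: "user", private: false },
    },
  },
};

// Illustrative reimplementation of the effect of `private: true` (not Strapi's
// own sanitizer): drop private attributes and recurse into relations too.
function stripPrivate(entity, modelName) {
  const attrs = models[modelName].attributes;
  const out = {};
  for (const [key, value] of Object.entries(entity)) {
    const def = attrs[key];
    if (def && def.private) continue;                  // drop the field
    if (def && def.model && value && typeof value === "object") {
      out[key] = stripPrivate(value, def.model);       // single relation
    } else if (def && def.collection && Array.isArray(value)) {
      out[key] = value.map((v) => stripPrivate(v, def.collection));
    } else {
      out[key] = value;                                // plain attribute
    }
  }
  return out;
}

// Constructed sample record, as the ORM would return it before sanitising.
const rawArticle = {
  id: 1, title: "Hello", body: "...",
  user: { id: 1, username: "alice", email: "alice@example.com",
          secret: "cc-hash-placeholder", address: "1 Main St" },
};

// What GET /articles would return once private attributes are honoured.
function leakCheck() { return stripPrivate(rawArticle, "article"); }
```

Setting `models.article.attributes.user.private = true` reproduces the first fix from the video (the whole user object disappears from the article), while the per-field flags on the user model reproduce the second.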
Info
Channel: Alex the Entreprenerd
Views: 3,351
Keywords: strapi, stapijs, strapi.js, strapi.io, strapi notes, strapi course, strapi tutorial
Id: yMobhhCLl_I
Length: 12min 1sec (721 seconds)
Published: Wed Jun 10 2020