Security in Node.JS Webserver


Question

So, I'm in the middle of learning my way around Node.JS, and so far I'm loving it. I've got a couple of projects already at work that I think I can utilize nodejs in.

I'm worried, though, about security. If I write a custom webserver using Node.JS's http module, am I likely to be super vulnerable to attacks? Apache/IIS have had years (and years and years) of professional teams building security into their webservers, and still people continue to find holes. Is it likely that my homebrewed webserver will be much more open to attack?

What things can I focus on to build a good layer of security into my webserver? Are there any good articles out there that cover the topic?

Accepted answer

I agree with anm and schaermu about using a reverse proxy so that your application is not directly accessed by your visitors, even if that really has more to do with stability than security.

I want to add that you also have to think about safely installing Node itself and its modules. In particular, never install npm using this method:

curl http://npmjs.org/install.sh | sudo sh

This is basically giving a root shell to anything that you get from the network using insecure HTTP with no verification at all, not even knowing who you are talking to. This can lead to a serious compromise of your entire system using very basic and widely known methods, and if your system is compromised then it doesn't matter if your application is behind a reverse proxy, firewall or anything. See this answer for a more comprehensive explanation.
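The safer shape of the install the answer warns about, as an added example that is not code from the original answer or from npm: fetch the installer to a file over HTTPS only (no http:// fallback, no redirect to a weaker protocol), compare it against a SHA-256 digest obtained out of band, and run it only after it verifies. The fetch and verify helpers, the constructed stand-in install.sh, and the way the expected digest is produced here are assumptions for illustration; the real npm installer and any published hash for it are not on this page.

```shell
#!/bin/sh
# Added example, not from the original answer or from npm.
# `curl http://... | sudo sh` runs whatever arrives over plaintext HTTP, as
# root, with no chance to inspect or verify it. This script shows the
# alternative: download to a file over HTTPS, verify a pinned SHA-256 that
# was obtained out of band, and only then execute.
set -eu

# sha256_of FILE: hex SHA-256 digest, portable across GNU and BSD userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_installer URL DEST: download to a file. Refuses anything but https://,
# forbids redirects to other protocols (--proto '=https'), requires TLS 1.2+,
# and fails on any HTTP error instead of saving an error page as a script.
fetch_installer() {
    url="$1"; dest="$2"
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
         --output "$dest" "$url"
}

# verify_installer FILE EXPECTED_SHA256: 0 if the digest matches, 1 otherwise.
verify_installer() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: expected $2, got $actual" >&2
        return 1
    fi
}

# run_verified FILE EXPECTED_SHA256: execute the script only after it verifies.
# Deliberately no sudo here; elevate only if the script genuinely needs it.
run_verified() {
    verify_installer "$1" "$2" || return 1
    sh "$1"
}

# demo: offline walk-through on a constructed installer (assumed stand-in for
# install.sh). Returns 0 when the untampered copy verifies and runs, and a
# copy modified after the hash was pinned is refused without running.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho install-ok\n' > "$tmp/install.sh"
    expected=$(sha256_of "$tmp/install.sh")   # stands in for the hash published out of band
    out=$(run_verified "$tmp/install.sh" "$expected") || { rm -rf "$tmp"; return 1; }
    [ "$out" = "install-ok" ] || { rm -rf "$tmp"; return 1; }
    # Simulate an on-path modification of the download after the hash was pinned.
    printf 'echo pwned\n' >> "$tmp/install.sh"
    if run_verified "$tmp/install.sh" "$expected" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}
```

In real use, `fetch_installer https://... install.sh` followed by `run_verified install.sh <digest>` replaces the pipe; the digest must come from somewhere other than the download channel itself (a signed release note, a checksum file with a verified signature), otherwise an attacker who can alter the script can alter the hash too.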

