Information Security with HelmetJS - Mitigate the Risk of Clickjacking with helmet.frameguard()

The instructions actually render the HTML tags that are meant to be displayed as literal tags.

<frame> and <iframe> are both being rendered, which produces a broken view. Also, the page does not include the full instructions the way the Glitch template provided for this curriculum does. Please fix it!

Thanks


I actually decided to create an issue in FCC github.


Great work!!!


What is the link to the issue?

https://learn.freecodecamp.org/information-security-and-quality-assurance/information-security-with-helmetjs/mitigate-the-risk-of-clickjacking-with-helmet-frameguard

I see. And what about the github issue?

Here it is. Are you a moderator?

Nope. But, I just wanted to see the problem in more detail so I might be able to help more now. Also, now the community can look at your problem in more detail and they might be able to help more too!

Fantastic! I am also looking forward to contribute to the FCC community. :slight_smile:


Hi !
To pass this test you can follow your own solution too.
Perhaps there is a bug or something I don't understand, but my solution was to install the frameguard package, require it, and then set its action to deny, like this:

// Standalone `frameguard` package (not the helmet bundle): a single middleware
// that sets the X-Frame-Options response header.
const frameguard = require('frameguard');

// 'deny' refuses every attempt to frame this app's pages.
const framingPolicy = { action: 'deny' };
app.use(frameguard(framingPolicy));

Hi, I have an issue: I am not able to start even my first task. Here is my code.
myApp.js file

/**********************************************
* 4. Applied InfoSec Challenges
* =============================
***********************************************/

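var express = require('express'); 
var app = express();              

// helmet is loaded for the challenges; no helmet middleware is mounted yet in
// this step.
var helmet = require('helmet');

// Presumably for a later HSTS max-age; unused in this step.
var ninetyDaysInMilliseconds = 90*24*60*60*1000;

// Export before touching server.js: server.js requires this file back, so when
// myApp.js is the process entry point that nested require must already see the
// populated app rather than an empty exports object.
module.exports = app;

app.use(express.static('public'));
app.disable('strict-transport-security');

// Mount the verification API (server.js) lazily, per request, instead of
// `var api = require('./server.js'); app.use('/_api', api);`.
// server.js assigns its own module.exports only at its very end, after it has
// required this file, so when server.js is the process entry point the two
// files form a require cycle and a load-time require('./server.js') here
// returns the still-empty exports object. app.use('/_api', {}) then throws
// "Router.use() requires a middleware function but got a Object". By the time
// a request arrives, server.js has finished loading and require() returns its
// real express app, which is callable as (req, res, next) middleware.
// (Alternatively, start the process from myApp.js, whose exports are assigned
// above before the cycle closes.)
app.use('/_api', function (req, res, next) {
  require('./server.js')(req, res, next);
});

app.get("/", function (request, response) {
  response.sendFile(__dirname + '/views/index.html');
});

var listener = app.listen(process.env.PORT || 3000, function () {
  console.log('Your app is listening on port ' + listener.address().port);
});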

server.js file

/********************************************
 * DO NOT EDIT THIS FILE
 * the verification process may break
 *******************************************/
 
// Verification API for the freeCodeCamp InfoSec challenges. myApp.js mounts
// this app under /_api; the endpoints below expose the camper app's middleware
// stack and response headers, presumably so the challenge checks can inspect
// them.
var express = require('express');
var app = express();
var fs = require('fs');
var path = require('path');

// Wildcard CORS on every /_api response. `app.disable('x-powered-by')` is an
// app-level setting, so re-running it on each request is redundant but
// harmless.
app.use(function(req, res, next) {
  res.set({
    "Access-Control-Allow-Origin" : "*",
    "Access-Control-Allow-Headers" : "Origin, X-Requested-With, content-type, Accept"
  });
  app.disable('x-powered-by');
  next();
});

// Serves a project file as plain text; req.params[0] is the path remainder
// after /file/. NOTE(review): the guard is an exact comparison against '.env'
// only, and path.join() does not confine the result to __dirname (a '..'
// segment resolves outside it), so the endpoint returns whatever the process
// can read. It belongs only inside the challenge sandbox, never on a
// production-facing app.
app.get('/file/*?', function(req, res, next) {
  if(req.params[0] === '.env') { return next({status: 401, message: 'ACCESS DENIED'}) }
  fs.readFile(path.join(__dirname, req.params[0]), function(err, data){
    if(err) { return next(err) }
    res.type('txt').send(data.toString());
  });
});


// Require cycle: myApp.js requires this file back. Loaded here, before the
// module.exports assignment at the bottom.
var main = require('./myApp.js');
// Reports the camper app's middleware names (layers whose matched path is '',
// i.e. presumably those mounted without a path prefix) plus the headers set on
// this response. Both rely on private internals: Express's `_router.stack` /
// layer `name`, and Node's `res._headers` (deprecated in later Node releases;
// package.json pins node 8.x).
app.get('/app-info', function(req, res) {
  
  // list middlewares mounted on the '/' camper's app
  var appMainRouteStack = main._router.stack
    .filter(s => s.path === '')
    .map(l => l.name)
    // filter out express default middlewares
    .filter(n => !(n === 'query' ||
      n === 'expressInit' || n === 'serveStatic'));
    
    // filter out CORS Headers
    // (header names in res._headers are expected to be lowercase — TODO confirm)
    var hs = Object.keys(res._headers)
      .filter(h => !h.match(/^access-control-\w+/));
    var hObj = {};
    hs.forEach(h => {hObj[h] = res._headers[h]});
    // Drops HSTS from this response only; hObj was copied above and still
    // reports it to the caller.
    delete res._headers['strict-transport-security'];
  res.json({headers: hObj, appStack: appMainRouteStack });
});

// Serves this project's package.json as text (presumably so the checks can
// read the declared dependencies).
app.get('/package.json', function(req, res, next) {
	    fs.readFile(__dirname + '/package.json', function(err, data) {
	      if(err) return next(err);
	      res.type('txt').send(data.toString());
	    });
	  });

// Fallback for anything under /_api that no route above matched.
app.use(function(req, res, next){
  res.status(404).type('txt').send('Not Found');
});

// Assigned last: a module that require()s this file while it is still loading
// (myApp.js, via the cycle above) receives the empty exports object, not app.
module.exports = app;

/********************************************
 * DO NOT EDIT THIS FILE
 * the verification process may break
 *******************************************/

package.json file

{
  "//1": "describes your app and its dependencies",
  "//2": "https://docs.npmjs.com/files/package.json",
  "//3": "updating this file will download and update your packages",
  "name": "hello-express",
  "version": "0.0.1",
  "description": "A simple Node app built on Express, instantly up and running.",
  "main": "server.js",
  "scripts": {
    "start": "node server.js"
  },
  "dependencies": {
    "express": "^4.16.4",
    "helmet": "^3.15.1"
  },
  "engines": {
    "node": "8.x"
  },
  "repository": {
    "url": "https://glitch.com/edit/#!/hello-express"
  },
  "license": "MIT",
  "keywords": [
    "node",
    "glitch",
    "express"
  ]
}

error is

/rbd/pnpm-volume/00b0132e-118c-4e55-87bb-6fe544b53fec/node_modules/.registry.npmjs.org/express/4.16.4/node_modules/express/lib/router/index.js:458


throw new TypeError('Router.use() requires a middleware function but got a ' + gettype(fn))


^


TypeError: Router.use() requires a middleware function but got a Object


at Function.use (/rbd/pnpm-volume/00b0132e-118c-4e55-87bb-6fe544b53fec/node_modules/.registry.npmjs.org/express/4.16.4/node_modules/express/lib/router/index.js:458:13)


at Function.<anonymous> (/rbd/pnpm-volume/00b0132e-118c-4e55-87bb-6fe544b53fec/node_modules/.registry.npmjs.org/express/4.16.4/node_modules/express/lib/application.js:220:21)


at Array.forEach (<anonymous>)


at Function.use (/rbd/pnpm-volume/00b0132e-118c-4e55-87bb-6fe544b53fec/node_modules/.registry.npmjs.org/express/4.16.4/node_modules/express/lib/application.js:217:7)


at Object.<anonymous> (/app/myApp.js:211:5)


at Module._compile (module.js:653:30)


at Object.Module._extensions…js (module.js:664:10)


at Module.load (module.js:566:32)


at tryModuleLoad (module.js:506:12)


at Function.Module._load (module.js:498:3)


This is in Glitch; when I remove the line `app.use('/_api', api);` the error goes away, but then the task reports that this package.json is not found.

Hi guys,

I know it's a little late to respond, but anyway: you can mount the middleware and tell your app to use it like this:

// Clickjacking mitigation: helmet's frameguard middleware with action 'deny'
// refuses to let any site frame this app's responses.
const denyFramingOptions = { action: 'deny' };
app.use(helmet.frameguard(denyFramingOptions));

Thanks,

AB

That worked for me. But after passing tests, I changed it back to

// Same frameguard policy as before: 'deny' blocks all framing of this app.
app.use(
  helmet.frameguard({ action: 'deny' })
);