2022-12-03

Doubts regarding HomeWork5.

Hello Professor,
We have a few doubts regarding the HW5 Login Vulnerability option. Please help us understand the points below. 1) Is it fine if we prevent clickjacking on the front-end side, or are we expected to solve this issue with back-end configuration? 2) Do we need to make just the login-vulnerable page vulnerable to iframe loading, or do we also have to make the whole website accessible through an iframe after the user enters credentials on the login-vulnerable page?
Thanks

-- Doubts regarding HomeWork5
You should implement a server side solution.
You only need to have the vulnerability on the login.
Best,
Chris

-- Doubts regarding HomeWork5
Hello Professor,
Can you please provide a few resources that talk about preventing clickjacking in React-based applications? There are a few options to set X-Frame-Options in the header for Node-based applications, but we are finding it hard to find ways (server-side solutions) to set X-Frame-Options in a front-end React.js + back-end Node.js application.
Thanks, Pavan

-- Doubts regarding HomeWork5
Well, as I indicated on the homework, you can do the homework using Express. If you want to use React, just do a search on "http header served with react application" and look at the Stack Overflow answers. Scrolling down on the first couple, it tells you which packages in the dev server used to serve your app need to be adjusted to serve the appropriate header. That said, you probably want to do this part of the assignment in Express. You don't want to include the packages your project will depend on with your submission or it will be way too big. As I mentioned in class, installing the packages to get the React dev environment set up is a few hundred megabytes (even if your deployed project is much smaller).
For Express, you can do something nice and short like:
 app.get('/', (req, res) => {
   // setHeader takes the header name and its value as two separate arguments
   res.setHeader('X-Frame-Options', 'DENY');
   res.send('Hello');
 })
(Edited: 2022-12-04)
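A fuller server-side version of the header idea in the reply above, written as an Express-style middleware (an added example, not code from the thread or the course): it puts X-Frame-Options and a Content-Security-Policy frame-ancestors directive on every response except the one page the assignment wants to remain framable, and it runs without installing Express by exercising the (req, res, next) convention with plain objects. The path '/login-vulnerable' is an assumed placeholder.

```javascript
// Added example (not from the thread): server-side clickjacking protection
// as an Express-style middleware. It only relies on the (req, res, next)
// calling convention, so it is exercised below with plain objects; in a real
// app you would register it with `app.use(clickjackingProtection)`.
// Assumption: the page the assignment wants to stay framable lives at
// '/login-vulnerable' (placeholder path, not taken from the thread).

const FRAMABLE_PATHS = new Set(['/login-vulnerable']);

// Build the anti-framing headers for one request path. X-Frame-Options is the
// legacy header; Content-Security-Policy frame-ancestors is the current one.
// Sending both covers old and new browsers.
function antiFramingHeaders(path) {
  if (FRAMABLE_PATHS.has(path)) {
    // No restriction here: this is the one page meant to load in an iframe.
    return {};
  }
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Express-style middleware: set the headers, then hand off to the next handler.
function clickjackingProtection(req, res, next) {
  // Strip any query string so '/login-vulnerable?next=/' matches too.
  const path = new URL(req.url, 'http://localhost').pathname;
  for (const [name, value] of Object.entries(antiFramingHeaders(path))) {
    res.setHeader(name, value);
  }
  next();
}

// Minimal stand-in for an Express response so the module runs without Express.
function fakeResponse() {
  const headers = {};
  return { headers, setHeader: (name, value) => { headers[name] = value; } };
}

// Run the middleware for one URL and return the headers it produced.
function headersFor(url) {
  const res = fakeResponse();
  let reachedNext = false;
  clickjackingProtection({ url }, res, () => { reachedNext = true; });
  if (!reachedNext) throw new Error('middleware must call next()');
  return res.headers;
}
```

Registering the middleware before the route handlers means every page, including ones added later, gets the protective headers unless its path is explicitly listed as framable.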

-- Doubts regarding HomeWork5
Just to give a smooth mechanism for people to handle this if they are using React rather than a pure Express app, take a look at the last bullet point on this slide from last day:
 https://www.cs.sjsu.edu/faculty/pollett/174.2.22f/Lec20221130.html#(12)
I've been tacking on/modifying the slides from last day trying to make things clearer for the next time I try to (if I decide to, I am somewhat underwhelmed by it) teach React.
Best,
Chris
2022-12-05

-- Doubts regarding HomeWork5
Hello Professor,
Is it OK to maintain two separate config files, one for the React application and another for the Node application, or are we expected to use a single config file for the complete project? The React application can only read config files from its home/src folder.
Thanks

-- Doubts regarding HomeWork5
It's okay to have two config files. Just make sure to describe clearly in your README what's needed of the grader to set up your project so that it can be graded.
Best,
Chris