Does Node.js have an equivalent to `open_basedir`?


I'm pretty familiar with security in Apache/Nginx + PHP setups.

In Apache I can set DocumentRoot and in PHP I can use open_basedir to restrict access to parts of the file system that shouldn't be accessible to the web server and/or PHP.

However, now that I've created an application run by Node and Express, I'm finding it difficult to secure it. I've searched the web and SO but without finding anything but small scope security tips.

So, does Node/Express have an equivalent to open_basedir or something similar?

Answer by durum (best answer):

Express will not share any file without your consent. It also does not allow routes with double dots (..) in the received path.

Just use the static middleware and take care not to give access to folders with stuff that you don't want to share:

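```js
const express = require('express');
const app = express();
app.use('/images', express.static('/home/user/images')); // only this folder is served under /images
app.use('/', express.static('/home/user/public'));       // only this folder is served under /
```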
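The static middleware only confines files served through it; a handler that opens a file from a request-supplied name needs its own `open_basedir`-style check. The following is an added example, not part of the original answer: `resolveInside` and `demo` are hypothetical names, and the directory tree is constructed in a temp folder.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: returns the canonical path of `requested` if it lies
// inside `baseDir`, otherwise null.
function resolveInside(baseDir, requested) {
  const base = fs.realpathSync(baseDir);            // canonical base, symlinks resolved
  const candidate = path.resolve(base, requested);  // collapses "." and ".." segments
  let real;
  try {
    real = fs.realpathSync(candidate);              // follow symlinks before comparing
  } catch (err) {
    return null;                                    // missing or invalid path: deny
  }
  // path.relative avoids the prefix mistake where "/srv/public-old"
  // would pass a naive startsWith("/srv/public") test.
  const rel = path.relative(base, real);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : real;
}

// Constructed sample tree: public/index.html is allowed, secret.txt sits
// outside the base, and public/link.txt is a symlink pointing at it.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'basedir-'));
  const pub = path.join(root, 'public');
  const secret = path.join(root, 'secret.txt');
  fs.mkdirSync(pub);
  fs.writeFileSync(path.join(pub, 'index.html'), 'ok');
  fs.writeFileSync(secret, 'private');
  fs.symlinkSync(secret, path.join(pub, 'link.txt'));
  const results = {
    plain: resolveInside(pub, 'index.html') !== null,
    dotdot: resolveInside(pub, '../secret.txt') !== null,
    absolute: resolveInside(pub, secret) !== null,
    symlink: resolveInside(pub, 'link.txt') !== null,
    missing: resolveInside(pub, 'nope.txt') !== null,
  };
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

Open the canonical path the helper returns rather than the original input, so the file that was checked is the file that is read.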