I'm pretty familiar with security in Apache/Nginx + PHP setups.
In Apache I can set DocumentRoot and in PHP I can use open_basedir to restrict access to parts of the file system that shouldn't be accessible to the web server and/or PHP.
However, now that I've created an application run by Node and Express, I'm finding it difficult to secure it. I've searched the web and SO but without finding anything but small scope security tips.
So, does Node/Express have an equivalent to open_basedir or something similar?
Express will not share any file without your consent. It also does not allow routes with double dots (..) in the received path. Just use the static middleware and take care not to give access to folders with stuff that you don't want to share:
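An added example, not part of the original answer: for file access your own route handlers perform outside the static middleware, a path-containment check in plain Node gives an open_basedir-like restriction in application code. The helper name `resolveInside` and the directory paths are assumptions made for illustration.

```javascript
'use strict';
const path = require('node:path');

// Hypothetical helper: map an untrusted request path to a file under baseDir,
// or return null if it would land outside (the role open_basedir plays in PHP).
function resolveInside(baseDir, requestPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath); // handles %2e%2e%2f style input
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL bytes never belong in a path

  const base = path.resolve(baseDir);
  // Prefix with '.' so a leading '/' is treated as relative to base, not absolute.
  const target = path.resolve(base, '.' + path.sep + decoded);

  // path.relative avoids the startsWith() pitfall where /srv/app/public-old
  // looks like it is "inside" /srv/app/public.
  const rel = path.relative(base, target);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Constructed sample requests against a constructed base directory.
const BASE = '/srv/app/public';
const samples = [
  'css/site.css',
  '../config.json',
  '%2e%2e%2fconfig.json',
  '/etc/passwd',
  '../public-old/a.txt',
];
for (const p of samples) {
  console.log(JSON.stringify(p), '->', resolveInside(BASE, p));
}
```

The check is lexical only: if the base directory can contain symlinks, resolve the result with `fs.realpathSync` and compare again before opening the file.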