
Suggestion for Information Security course: update helmet to v5 #45368

Closed
harmonify opened this issue Mar 7, 2022 · 3 comments
Labels
scope: curriculum Lessons, Challenges, Projects and other Curricular Content in curriculum directory. status: discussing Under discussion threads. Closed as stale after 60 days of inactivity. type: feature request Threads classified to be feature requests. Implementation to be considered as a nice to have

Comments

@harmonify

harmonify commented Mar 7, 2022

When following this course on freeCodeCamp, I noticed that the boilerplate challenges use helmet v3. I suggest updating the curriculum to use helmet v5, as I found out the older version has some security issues.
One of them is about setting the X-XSS-Protection HTTP header. In helmet v3, using helmet.xssFilter() will set the header to X-XSS-Protection: 1; mode=block. This enables browsers' buggy cross-site scripting filter. Meanwhile in v5, it will set X-XSS-Protection: 0 by default.

Affected page

  1. freeCodeCamp's X-XSS-Protection challenge

Expected behavior

  1. Using the helmet.xssFilter() middleware sets the X-XSS-Protection header to 0.

Additional context

  1. MDN Documentation on X-XSS-Protection
  2. HelmetJS' discussion on X-XSS-Protection
  3. Community discussion on X-XSS-Protection
@harmonify harmonify added scope: curriculum Lessons, Challenges, Projects and other Curricular Content in curriculum directory. status: waiting triage This issue needs help from moderators and users to reproduce and confirm its validity and fix. type: bug Issues that need priority attention. Platform, Curriculum tests (if broken completely), etc. labels Mar 7, 2022
@ShaunSHamilton ShaunSHamilton added type: feature request Threads classified to be feature requests. Implementation to be considered as a nice to have and removed type: bug Issues that need priority attention. Platform, Curriculum tests (if broken completely), etc. status: waiting triage This issue needs help from moderators and users to reproduce and confirm its validity and fix. labels Mar 7, 2022
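As an added example (not helmet's or freeCodeCamp's own code), the two defaults described in the issue side by side: a minimal Express-style middleware mirroring helmet v3's `1; mode=block` and helmet v5's `0`, plus a small audit helper that classifies the header value seen in a response. The fake `res` object and the function names are assumptions so it runs without Express.

```javascript
// Added example: Express-style middleware for both helmet behaviours the
// issue describes, plus a response-header audit helper. Not helmet's code.

// v3-style: turns on the browser's legacy XSS auditor (the issue's concern).
function xssFilterV3(req, res, next) {
  res.setHeader("X-XSS-Protection", "1; mode=block");
  next();
}

// v5-style default: explicitly disables the legacy auditor.
function xssFilterV5(req, res, next) {
  res.setHeader("X-XSS-Protection", "0");
  next();
}

// Classify a raw X-XSS-Protection value as seen when auditing responses.
// Returns "missing", "disabled", "legacy-filter-enabled" or "unknown".
function auditXssProtection(value) {
  if (value === undefined || value === null || String(value).trim() === "") {
    return "missing";
  }
  const v = String(value).trim().toLowerCase();
  if (v === "0") return "disabled";
  // "1", "1; mode=block" and "1; report=..." all enable the auditor.
  if (/^1(\s*;.*)?$/.test(v)) return "legacy-filter-enabled";
  return "unknown";
}

// Minimal fake request/response pair (assumption) so the middleware can run
// stand-alone; headers are stored case-insensitively like Node does.
function runMiddleware(mw) {
  const headers = {};
  const res = { setHeader: (k, val) => { headers[k.toLowerCase()] = val; } };
  let nextCalled = false;
  mw({}, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

// Convenience: the X-XSS-Protection value a middleware leaves on a response.
function headerAfter(mw) {
  return runMiddleware(mw).headers["x-xss-protection"];
}
```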
@naomi-lgbt
Member

We have had a lot of discussion re: whether to continually update the curriculum to keep up with package updates.

The challenges here are:

  • The entire block would need to be updated to reflect any breaking changes
  • The certification projects would need to be updated to expect + test the latest version.

@naomi-lgbt naomi-lgbt added the status: discussing Under discussion threads. Closed as stale after 60 days of inactivity. label Mar 8, 2022
@moT01
Member

moT01 commented Mar 24, 2022

I don't think it's worth updating this; the project-based curriculum will eventually deprecate this. I think our effort is better spent on those.

@naomi-lgbt
Member

I'm in agreement with Tom here. I'd be in favour of closing this and continuing to focus our efforts on the redesigned curriculum.
