Wisar · Programming book · Part 5: Node.js · 16 min read

Chapter 5.20: Security — Rate limiting, helmet, CORS

Part 5 — Node.js Backend · Topic 20


1. Introduction and motivation

We have learned to build a backend: server, REST, auth, email/SMS (5.5–5.19). All of it must also be secure. In this chapter we add the mandatory protective layer of every Express application, three core tools: helmet (security HTTP headers), CORS (which origins may call the API from a browser), and rate limiting (capping the number of requests). They are not substitutes for one another; each solves a different problem, so all three are needed together.

The internet is a hostile place (14). As soon as your API is reachable, bots, attackers and abusers arrive: trying a password thousands of times (brute force), flooding the server with requests (DoS), abusing a logged-in user's browser from another site (CSRF, XSS), exploiting missing or weak response headers (clickjacking, MIME sniffing). These attacks are not theoretical; they are constant. An unprotected API is an open door.

The good news: these three tools are simple and effective. helmet() is one line that sets a whole set of security headers. cors() is a few lines that control cross-origin access. rateLimit() is the first barrier against brute force and request floods. This is the practical part of the OWASP recommendations (the security standard, 14). Security in depth is covered in Part 14; here we build the backend's everyday protection.

Analogy: the API is a shop. helmet is the cameras and locks (several protections at once). CORS is the doorman who controls which partners may come in through the front door ("only these partners"). Rate limiting caps how many times one person may enter per day (someone walking in and out 1000 times is suspicious and gets stopped). Together they make a secure shop.

Why it matters

  • Mandatory protection (14): every production API must have it (OWASP).
  • The attacks are real and constant: brute force, DoS, CSRF, XSS.
  • Simple and effective: little code, a lot of protection.
  • Auth protection: rate limiting stops login brute force (Chapter 5.15).

2. Theory — a deeper look

2.1. Three tools, three problems (all needed together)

text
  helmet           security HTTP HEADERS (XSS, clickjacking, MIME sniffing)
  CORS             which ORIGINS may call the API from a browser (cross-origin)
  rate limiting    capping the NUMBER of requests (brute force, DoS, spam)

   They do NOT replace each other; all three are needed TOGETHER (pkgpulse/owasp)

2.2. What helmet is and why it is needed

Helmet is middleware that adds security HTTP headers to Express responses (helmetjs). The browser reads these headers and applies the corresponding protections:

js
import helmet from "helmet";
app.use(helmet());                    // one line, a whole set of security headers (14)

Why it matters: much of browser-side security depends on response headers. Without helmet those headers are absent and the browser applies no protection (XSS and clickjacking are left open). helmet() is "mandatory, one line, and does no harm" (helmetjs). One caveat to that last part: the default Content-Security-Policy is strict (scripts only from your own origin), so an app that serves HTML with inline scripts or third-party resources needs the CSP tuned (2.3); a pure JSON API is unaffected.

2.3. Which headers helmet sets

The main headers helmet sets (each counters one attack):

text
  Content-Security-Policy (CSP)    — which sources resources may be loaded from (XSS defence)
  X-Frame-Options                  — forbid putting the site in an <iframe> (clickjacking)
  X-Content-Type-Options: nosniff  — stop MIME sniffing
  Strict-Transport-Security (HSTS) — HTTPS only (encrypted); only has effect over HTTPS
  Referrer-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, X-DNS-Prefetch-Control and others
  X-Powered-By                     — removed (do not advertise the framework)

CSP (Content-Security-Policy) is the strongest but also the most intricate header (the primary defence against XSS). It says "scripts may be loaded only from these sources". Configuring it is delicate (a wrong policy breaks the site), so it is tuned step by step; the header also has a report-only mode (Content-Security-Policy-Report-Only, helmet's reportOnly option) for trying a policy before enforcing it.
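A check a practitioner would run against the headers listed above, as an added example that is not from the page and not helmet's own code: serializeCsp builds the header string from a directives object in the camelCase shape helmet's contentSecurityPolicy option takes, and auditSecurityHeaders flags the gaps in a response's headers (missing CSP, inline scripts allowed, no framing protection, no nosniff, short or missing HSTS, X-Powered-By present). The two header sets are constructed for the example; all names are the example's own.

```javascript
// Added example (not from the page or from helmet). The sample header sets are constructed.

// camelCase directive names -> header names, the shape helmet's contentSecurityPolicy option takes.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => {
      const key = name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
      return values.length ? `${key} ${values.join(" ")}` : key;   // bare directive, e.g. upgrade-insecure-requests
    })
    .join("; ");
}

// Case-insensitive header lookup (Node lower-cases names; curl -I output does not).
function header(headers, name) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  return hit ? String(hit[1]) : undefined;
}

// Returns a list of findings; an empty list means the basics are in place.
function auditSecurityHeaders(headers, { https = true } = {}) {
  const findings = [];
  const csp = header(headers, "content-security-policy") ?? "";
  if (!csp) findings.push("missing Content-Security-Policy");
  else if (/script-src[^;]*'unsafe-inline'/.test(csp)) findings.push("CSP script-src allows 'unsafe-inline' (weak XSS defence)");
  // Either CSP frame-ancestors or X-Frame-Options stops framing (clickjacking).
  if (!/frame-ancestors/.test(csp) && !header(headers, "x-frame-options")) {
    findings.push("no clickjacking protection (frame-ancestors / X-Frame-Options)");
  }
  if ((header(headers, "x-content-type-options") ?? "").toLowerCase() !== "nosniff") {
    findings.push("missing X-Content-Type-Options: nosniff");
  }
  if (https) {   // HSTS is ignored by browsers on plain HTTP, so only judge it for HTTPS responses
    const hsts = header(headers, "strict-transport-security");
    const maxAge = Number(hsts?.match(/max-age=(\d+)/)?.[1] ?? 0);
    if (!hsts) findings.push("missing Strict-Transport-Security");
    else if (maxAge < 15552000) findings.push("HSTS max-age below 180 days");
  }
  if (header(headers, "x-powered-by")) findings.push("X-Powered-By reveals the framework");
  return findings;
}

// Constructed samples: a bare Express response, and one carrying helmet-style headers.
const BARE_EXPRESS = { "X-Powered-By": "Express", "Content-Type": "application/json; charset=utf-8" };
const HARDENED = {
  "Content-Security-Policy": serializeCsp({
    defaultSrc: ["'self'"], scriptSrc: ["'self'"], objectSrc: ["'none'"],
    frameAncestors: ["'self'"], upgradeInsecureRequests: [],
  }),
  "X-Content-Type-Options": "nosniff",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Referrer-Policy": "no-referrer",
  "Content-Type": "application/json; charset=utf-8",
};

function main() {
  console.log("bare:", auditSecurityHeaders(BARE_EXPRESS));   // five findings
  console.log("hardened:", auditSecurityHeaders(HARDENED));   // []
}
main();
```

Feed it the headers from `curl -I https://your-api/` (as an object) and the empty list is the acceptance check for the helmet requirement of the project in section 9.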

2.4. CORS — where the problem comes from

Browsers enforce the Same-Origin Policy: a script on a page may freely read responses only from its own origin (scheme + host + port) (0.5, 14). For another origin (cross-origin) the browser still sends "simple" requests (a form POST, a plain GET) but hides the response from the script, and it refuses to send "non-simple" requests (custom headers such as Authorization, JSON bodies, PUT/DELETE) until the server has approved them (2.7):

text
  Page: https://mana.uz
   request to https://mana.uz/api:        same origin, allowed
   request to https://api.boshqa.uz:      BLOCKED (different origin; the script cannot read the response)

Why this protects you: if any page could read responses from any API, a malicious site could call your bank's API with your cookies and read your account data (14). The Same-Origin Policy stops the read. Note what it does not stop: a simple cross-site POST with your cookies is still sent (that is CSRF), so CSRF is handled separately, with SameSite cookies and CSRF tokens (Chapter 5.15, 14); CORS is not a CSRF defence. The flip side: legitimate cross-origin use (frontend on mana.uz, API on api.mana.uz) is blocked too. The solution is CORS.

2.5. What CORS is (the solution)

CORS (Cross-Origin Resource Sharing) lets the server declare, via response headers, which other origins it allows. The browser sees the header and lets the script read the response:

js
import cors from "cors";
app.use(cors({ origin: "https://mana.uz" }));   // only mana.uz is allowed

Key point: CORS is configured on the server but enforced by the browser. It controls "who may call my API from a browser". Postman, curl and server-to-server calls are not affected; CORS is purely a browser-side protection, not authentication or access control.

2.6. Configuring CORS (origin, credentials, methods)

js
app.use(cors({
  origin: ["https://mana.uz", "https://admin.mana.uz"],   // allowed origins (14)
  credentials: true,                  // allow cookies / Authorization header to be sent (5.15)
  methods: ["GET", "POST", "PUT", "DELETE"],              // allowed methods (5.7)
  allowedHeaders: ["Content-Type", "Authorization"],
}));

DO NOT use origin: "*" with auth (14): "every origin allowed" is dangerous for an API that uses cookies or tokens (5.15). List explicit origins. With credentials: true, origin: "*" does not work at all (the browser rejects a credentialed response whose Access-Control-Allow-Origin is *). For an open public API without auth, * is acceptable. Two more cautions: never reflect an arbitrary Origin header back unchecked (that is equivalent to * plus credentials), and compare origins exactly (a suffix check such as endsWith("mana.uz") also matches evilmana.uz).

2.7. The preflight request (OPTIONS)

Before some cross-origin requests the browser sends a "preflight" request using the OPTIONS method (Chapter 5.7), asking "may I send this request?". A preflight happens when the request is not simple: a method other than GET/HEAD/POST, a header such as Authorization, or a Content-Type such as application/json:

text
  Browser: OPTIONS /api/users (preflight)   "is POST with Authorization allowed?"
  Server (CORS): "yes" (Access-Control-Allow-* headers)
  Browser: now sends the real POST /api/users

The cors middleware answers preflights automatically. Worth knowing: many "CORS errors" are in fact failed preflights (the server never answered OPTIONS with a 2xx, for example because an auth middleware rejected it before cors ran, or the request hit a 4xx/5xx).
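The exchange described in 2.5 to 2.7, written out as code. This is an added example, not from the page and not the cors package's own implementation: corsDecision takes a minimal request object ({ method, headers }, constructed here) and the same option names the cors package uses (origin, credentials, methods, allowedHeaders, maxAge), and returns the CORS headers it would set plus whether it answers a preflight; needsPreflight shows which requests the browser preflights at all. The allowed-origin list, the sample preflight and the function names are the example's own.

```javascript
// Added example: the decision the cors middleware makes, as a pure function, so the rules
// in 2.5-2.7 are visible. Not the cors package's own code; requests are constructed.

// "Simple" requests per the Fetch standard need no preflight. They are sent cross-site with
// cookies even when CORS denies the read, which is why CSRF needs its own defence.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = /^(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)/i;

function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method)) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (n === "content-type") return !SIMPLE_CONTENT_TYPES.test(value);
    return !SIMPLE_HEADERS.has(n);
  });
}

// A wildcard plus credentials is a misconfiguration: the browser rejects such responses.
function validateCorsOptions(opts) {
  if (opts.credentials && opts.origin === "*") {
    throw new Error("origin '*' cannot be combined with credentials: true");
  }
  return opts;
}

function originAllowed(origin, allowed) {
  if (allowed === "*") return true;
  if (typeof allowed === "function") return allowed(origin);
  return allowed.includes(origin);          // exact match: no suffix or regex tricks
}

// Returns { status, headers }: the CORS headers to set, and 204 for an answered preflight
// (status null means "not a preflight, let the route handler respond").
function corsDecision(req, opts) {
  const { origin: allowed, credentials = false,
          methods = ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"],
          allowedHeaders = ["Content-Type", "Authorization"], maxAge = 600 } = validateCorsOptions(opts);
  const origin = req.headers["origin"];
  if (!origin) return { status: null, headers: {} };   // same-origin or non-browser client: CORS does not apply
  const headers = { "Vary": "Origin" };                 // caches must not serve one origin's ACAO to another
  if (!originAllowed(origin, allowed)) return { status: null, headers };   // no ACAO: the browser blocks the read
  headers["Access-Control-Allow-Origin"] = allowed === "*" ? "*" : origin;
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  const isPreflight = req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (!isPreflight) return { status: null, headers };
  headers["Access-Control-Allow-Methods"] = methods.join(", ");
  headers["Access-Control-Allow-Headers"] = allowedHeaders.join(", ");
  headers["Access-Control-Max-Age"] = String(maxAge);   // the browser may cache the preflight result
  return { status: 204, headers };
}

// Constructed exchange: the SPA on mana.uz preflights POST /api/users with Authorization.
const OPTIONS = { origin: ["https://mana.uz", "https://admin.mana.uz"], credentials: true };
const PREFLIGHT = { method: "OPTIONS", headers: {
  origin: "https://mana.uz", "access-control-request-method": "POST",
  "access-control-request-headers": "authorization, content-type" } };

function main() {
  console.log(corsDecision(PREFLIGHT, OPTIONS));                                               // 204 + Allow-* headers
  console.log(corsDecision({ method: "GET", headers: { origin: "https://evil.example" } }, OPTIONS)); // only Vary: Origin
  console.log(needsPreflight("POST", { "content-type": "application/x-www-form-urlencoded" }));      // false: a CSRF-able form post
}
main();
```

The last line of main is the point from 2.4 made concrete: a form-encoded POST is never preflighted, so a denied origin only loses the ability to read the response; the request itself, cookies included, still reaches the server.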

2.8. What rate limiting is and why it is needed

Rate limiting caps how many requests one client (by default identified by IP) may send in a given time window (express-rate-limit). It protects against:

text
  Brute force  — trying a login password thousands of times (Chapter 5.15)  capped and stopped
  DoS          — flooding the server with requests                            capped
  API abuse    — overuse of a free API                                        fair use
  Scraping     — bulk downloading of data                                     slowed down

js
import rateLimit from "express-rate-limit";
const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 });   // 100 requests per 15 min
app.use(limiter);

Naming note: express-rate-limit v7 calls this option limit; the older name max is still accepted as an alias, which is why the examples in this chapter work on both versions.

2.9. Configuring rate limiting (window, max)

js
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,           // time window (15 minutes)
  max: 100,                            // at most 100 requests per IP in that window (limit in v7)
  standardHeaders: true,               // RateLimit-* headers (how many requests remain)
  legacyHeaders: false,                // no X-RateLimit-* headers
  message: { error: "Too many requests. Try again later" },   // body of the 429 response
});
// Over the limit  429 Too Many Requests (5.7)

429 Too Many Requests (Chapter 5.7) is the status returned once the limit is exceeded. standardHeaders tells the client how many requests remain and when the window resets (RateLimit-Limit, RateLimit-Remaining, RateLimit-Reset, plus Retry-After on the 429 response).

2.10. Different limits for different endpoints

Not all endpoints are equal: login (sensitive) gets a strict limit; an ordinary GET a lenient one (pkgpulse):

text
  Global (all of /api)      max 100 / 15 min (overall)
  Login/register/OTP        max 5 / 15 min (brute force; strict, 5.15, 5.18)
  Password reset            max 3 / hour (strict)
  Public GET                more lenient

Most important: a strict rate limit on the auth routes (login, register, OTP, password reset) is the primary brute-force defence (5.15, 14). The global limit is a supplement. Keying by IP alone does not stop credential stuffing spread over many IPs, so additionally key the login limiter by the submitted username or email (keyGenerator), and consider a per-account lockout or progressive delay.

2.11. Rate-limit store (several servers: Redis)

By default express-rate-limit counts in process memory. With several server instances (10.2: load balancer) each one keeps its own count and the configured limit no longer holds:

text
   Memory store + 3 servers    each server allows 100 = 300 in total (limit broken)
   Redis store (Chapter 5.21)  all servers share one count (a real global limit)

In production (multiple instances) use a Redis store (rate-limit-redis, 5.21). A single server can get by with memory.
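The behaviour described in 2.8 to 2.11 in one runnable piece. This is an added example, not from the page and not express-rate-limit's own code: a fixed-window limiter with the same knobs (windowMs, limit, per-route limiters, skipSuccessfulRequests, a pluggable store with the increment/decrement shape a shared Redis store provides), with time injected so the scenarios are deterministic. The clients, IPs, scenarios and function names are the example's own.

```javascript
// Added example (not from the page, not express-rate-limit's code). Scenarios are constructed.

function memoryStore() {
  const hits = new Map();   // key -> { count, resetAt }
  return {
    increment(key, windowMs, now) {
      let entry = hits.get(key);
      if (!entry || now >= entry.resetAt) {        // start a new window for this key
        entry = { count: 0, resetAt: now + windowMs };
        hits.set(key, entry);
      }
      entry.count += 1;
      return { count: entry.count, resetAt: entry.resetAt };
    },
    decrement(key) {
      const entry = hits.get(key);
      if (entry && entry.count > 0) entry.count -= 1;
    },
  };
}

function createRateLimiter({ windowMs, limit, store = memoryStore(), now = () => Date.now(),
                             keyGenerator = (req) => req.ip, skipSuccessfulRequests = false }) {
  // check(req) -> { allowed, status, headers, settle(success) }
  return function check(req) {
    const key = keyGenerator(req);
    const t = now();
    const { count, resetAt } = store.increment(key, windowMs, t);
    const allowed = count <= limit;
    const resetSeconds = String(Math.ceil((resetAt - t) / 1000));
    const headers = {                                   // the standardHeaders set (RateLimit-*)
      "RateLimit-Limit": String(limit),
      "RateLimit-Remaining": String(Math.max(0, limit - count)),
      "RateLimit-Reset": resetSeconds,
    };
    if (!allowed) headers["Retry-After"] = resetSeconds;
    return {
      allowed,
      status: allowed ? null : 429,
      headers,
      // Called once the handler knows the outcome: with skipSuccessfulRequests a successful
      // login is refunded, so only failed attempts count toward the lockout.
      settle(success) { if (success && skipSuccessfulRequests && allowed) store.decrement(key); },
    };
  };
}

const FIFTEEN_MIN = 15 * 60 * 1000;

// Scenario 1: the strict auth limiter. One IP fails the login five times; the sixth attempt
// gets 429; once the window has passed it is allowed again.
function bruteForceScenario() {
  let clock = 0;
  const authLimiter = createRateLimiter({ windowMs: FIFTEEN_MIN, limit: 5, now: () => clock,
                                          skipSuccessfulRequests: true });
  const attacker = { ip: "203.0.113.7" };
  const statuses = [];
  for (let i = 0; i < 6; i++) {
    const r = authLimiter(attacker);
    statuses.push(r.status ?? 200);
    if (r.allowed) r.settle(false);                   // wrong password each time
  }
  clock += FIFTEEN_MIN + 1;                            // the window expires
  statuses.push(authLimiter(attacker).status ?? 200);
  return statuses;
}

// Scenario 2: the same limiter does not lock out a user who logs in correctly 20 times.
function legitimateLoginScenario() {
  const authLimiter = createRateLimiter({ windowMs: FIFTEEN_MIN, limit: 5, now: () => 0,
                                          skipSuccessfulRequests: true });
  let rejected = 0;
  for (let i = 0; i < 20; i++) {
    const r = authLimiter({ ip: "198.51.100.4" });
    if (r.allowed) r.settle(true); else rejected++;
  }
  return rejected;
}

// Scenario 3: three app instances behind a round-robin load balancer, 300 requests from one
// client. A shared store enforces 100 in total; per-instance memory stores let 300 through.
function multiServerScenario(sharedStore) {
  const shared = sharedStore ? memoryStore() : null;
  const servers = [0, 1, 2].map(() =>
    createRateLimiter({ windowMs: 60 * 1000, limit: 100, store: shared ?? memoryStore(), now: () => 0 }));
  let allowed = 0;
  for (let i = 0; i < 300; i++) if (servers[i % 3]({ ip: "192.0.2.10" }).allowed) allowed++;
  return allowed;
}

function main() {
  console.log(bruteForceScenario());          // [200, 200, 200, 200, 200, 429, 200]
  console.log(legitimateLoginScenario());     // 0
  console.log(multiServerScenario(true), multiServerScenario(false));   // 100 300
}
main();
```

Scenario 3 is the case from 2.11: replacing memoryStore() with a store backed by a shared Redis is what turns three independent counters into one.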

2.12. Other security tools (briefly)

Beyond helmet, CORS and rate limiting (14):

text
  express-mongo-sanitize   — protection against NoSQL injection (MongoDB, 6, 14)
  hpp                      — protection against HTTP Parameter Pollution
  express.json({ limit })  — cap the request body size (DoS, 5.6)
  compression              — compress responses (performance, not security)
  Validation (Chapter 5.9) — validate input (XSS/injection, 14)

2.13. HTTPS — the foundation of everything (14)

None of these tools is complete without HTTPS (14):

text
  HTTP  — data travels in the CLEAR (passwords and tokens are visible on the network, 14)
  HTTPS — encrypted (TLS); Secure cookies (Chapter 5.15) and HSTS (helmet, 2.3) only work over it

  HTTPS is MANDATORY in production (nginx / reverse proxy + TLS certificate, 10.2)

2.14. Middleware order (security first)

Security middleware comes first, before the routes (5.6):

text
  app.set("trust proxy", 1)     0. behind a reverse proxy, so req.ip is the real client (2.11, 10.2)
  app.use(helmet())             1. security headers
  app.use(cors(...))            2. CORS
  app.use(rateLimit(...))       3. rate limiting
  app.use(express.json(...))    4. body parser (with a limit)
  app.use("/api", routes)       5. routes
  app.use(errorHandler)         6. error handler (last, 5.10)

Why first: security must stop a request at the gate, before it reaches a route. The rate limiter rejects excess requests immediately (saving resources), and cors must run before any auth middleware so that preflight OPTIONS requests, which carry no credentials, are answered rather than rejected.

2.15. OWASP Top 10 — where this chapter fits (14)

The OWASP Top 10 is the list of the ten most critical web-application risks (the security standard, 14). The tools in this chapter address several items on that list:

text
  Broken Access Control     — CORS misconfiguration + auth (which origin / who, 2.5, 5.15)
  Injection (SQL/NoSQL/XSS) — sanitizing + validation (mongo-sanitize, 2.12, 5.9)
  Security Misconfiguration — helmet (missing security headers, 2.2)
  Identification failures   — login rate limit (brute force, 2.10, 5.15)
  Cryptographic failures    — HTTPS/HSTS (unencrypted traffic, 2.13)

Note: this chapter is the practical backend part of OWASP. The full list and a deeper analysis are in Part 14; here we build the minimal protection layer every production API must have.


3. Syntax — quick reference

js
import helmet from "helmet";
import cors from "cors";
import rateLimit from "express-rate-limit";

app.use(helmet());                                       // headers (2.2)
app.use(cors({ origin: [...], credentials: true }));     // CORS (2.6)
app.use(rateLimit({ windowMs: 15*60*1000, max: 100 }));  // rate limit (2.9)

// Strict limit for auth (2.10)
const authLimiter = rateLimit({ windowMs: 15*60*1000, max: 5 });
app.post("/api/auth/login", authLimiter, login);

// Order: helmet  cors  rateLimit  json  routes  errorHandler (2.14)

4. Detailed code examples

Example 1 — Basic security setup (2.14)

js
import express from "express";
import helmet from "helmet";
import cors from "cors";
import rateLimit from "express-rate-limit";
import { config } from "./config/index.js";             // (5.8)
import routes from "./routes/index.js";                  // router from 5.6 (path assumed)

const app = express();

// 1. Helmet: security headers (2.2)
app.use(helmet());

// 2. CORS: allowed origins (2.6)
app.use(cors({
  origin: config.corsOrigins,                            // list from .env (14)
  credentials: true,                                     // cookies (5.15)
}));

// 3. Global rate limit (2.9)
app.use(rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  standardHeaders: true,
  legacyHeaders: false,
  message: { error: "Too many requests" },
}));

// 4. Body parser (with a limit: DoS, 2.12)
app.use(express.json({ limit: "10kb" }));                // body at most 10 kB

// 5. Routes
app.use("/api", routes);
Example 2 — Full CORS configuration (2.6)

js
import cors from "cors";
import { config } from "./config/index.js";              // (5.8)

// Allowed origins (from .env in practice, 5.8, 14); RUXSAT = "allowed"
const RUXSAT = config.isProd
  ? ["https://mana.uz", "https://admin.mana.uz"]         // production (exact origins)
  : ["http://localhost:5173", "http://localhost:3000"];  // dev

app.use(cors({
  origin: (origin, callback) => {
    // No Origin header (same-origin, Postman, server-to-server): CORS does not apply.
    // Otherwise the origin must match the list exactly (no suffix matching).
    if (!origin || RUXSAT.includes(origin)) {
      callback(null, true);
    } else {
      callback(new Error("CORS: origin not allowed"));   // rejected, handled in Example 8 (14)
    }
  },
  credentials: true,                                     // cookies/auth (5.15)
  methods: ["GET", "POST", "PUT", "PATCH", "DELETE"],     // (5.7)
  allowedHeaders: ["Content-Type", "Authorization"],
}));

Example 3 — Different rate limits per endpoint (2.10)

js
import rateLimit from "express-rate-limit";

// Global (lenient, 2.9)
const globalLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 });

// Auth (strict: brute force, 2.10, 5.15)
const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5,                                                // 5 attempts per 15 min
  message: { error: "Too many attempts. Wait 15 minutes" },
  skipSuccessfulRequests: true,                          // only failed logins (status >= 400) count
});

// OTP (very strict: every SMS costs money, 2.10, 5.18)
const otpLimiter = rateLimit({ windowMs: 60 * 60 * 1000, max: 10 });

app.use("/api", globalLimiter);                          // everyone
app.post("/api/auth/login", authLimiter, login);         // extra limit on login (5.15)
app.post("/api/auth/register", authLimiter, register);
app.post("/api/auth/send-otp", otpLimiter, sendOtp);     // (5.18)

Example 4 — Configuring the helmet CSP (2.3)

js
import helmet from "helmet";

// Default helmet (enough in most cases, and for a pure JSON API)
app.use(helmet());

// Or tune the CSP (for the frontend's resources, 2.3); directives not listed keep helmet's defaults
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],                            // own origin only
      scriptSrc: ["'self'"],                             // scripts only from own origin (XSS, 14)
      imgSrc: ["'self'", "data:", "https://cdn.mana.uz"], // image sources
      connectSrc: ["'self'", "https://api.mana.uz"],     // fetch/XHR targets
    },
  },
}));
// CSP is delicate: a wrong policy blocks the site's own resources (2.3). Test it, or start
// with reportOnly: true and watch the browser console before enforcing.

Example 5 — Redis store (several servers, 2.11)

js
import rateLimit from "express-rate-limit";
import { RedisStore } from "rate-limit-redis";
import { redis } from "./config/redis.js";              // node-redis client (5.21)

// All servers share one count (Redis, 2.11)
const limiter = rateLimit({
  store: new RedisStore({
    sendCommand: (...args) => redis.sendCommand(args),
  }),
  windowMs: 15 * 60 * 1000,
  max: 100,
});
app.use("/api", limiter);
// Now even with 3 servers the total is 100 (a shared limit, 2.11)

Example 6 — Extra protection (mongo-sanitize, hpp, 2.12)

js
import mongoSanitize from "express-mongo-sanitize";     // NoSQL injection (6, 14)
import hpp from "hpp";                                   // parameter pollution

app.use(helmet());
app.use(cors({...}));                                    // options as in Example 2
app.use(rateLimit({...}));                               // options as in Example 3; before the body parser (2.14)
app.use(express.json({ limit: "10kb" }));               // DoS (2.12)
app.use(mongoSanitize());                                // strips { $gt: "" }-style operators from body/query/params (14)
app.use(hpp());                                          // ?sort=a&sort=b duplicate-parameter protection
// Layered defence (14)

Example 7 — A fully secured app.js (2.14)

js
import express from "express";
import helmet from "helmet";
import cors from "cors";
import rateLimit from "express-rate-limit";
import mongoSanitize from "express-mongo-sanitize";
import cookieParser from "cookie-parser";               // (5.15)
import { config } from "./config/index.js";
import { errorHandler } from "./middleware/errorHandler.js";   // (5.10)
import authRoutes from "./routes/auth.js";              // (5.15; route paths assumed)
import apiRoutes from "./routes/index.js";

const app = express();

// Behind a reverse proxy in production: trust exactly one hop so req.ip is the real
// client (needed for rate limiting, 10.2). The number must equal the number of proxies
// in front of the app; `true` would let clients spoof X-Forwarded-For.
if (config.isProd) app.set("trust proxy", 1);

// SECURITY (first, 2.14)
app.use(helmet());                                       // 1. headers
app.use(cors({ origin: config.corsOrigins, credentials: true }));   // 2. CORS
app.use(rateLimit({ windowMs: 15 * 60 * 1000, max: 100, standardHeaders: true, legacyHeaders: false }));  // 3. rate limit
app.use(express.json({ limit: "10kb" }));               // 4. body (with limit)
app.use(cookieParser());                                 // 5. cookies (5.15)
app.use(mongoSanitize());                                // 6. injection (14)

// Routes
app.use("/api/auth", authRoutes);
app.use("/api", apiRoutes);

// Error handler (last, 5.10)
app.use(errorHandler);

export default app;

Example 8 — CORS error handling (2.7)

js
// Turn the CORS rejection from Example 2 into a clean response (5.10). Matching on the
// message text is fragile; a dedicated error class or a flag on the error is more robust.
app.use((err, req, res, next) => {
  if (err.message?.includes("CORS")) {
    return res.status(403).json({ error: "This origin is not allowed" });   // 403 (5.7)
  }
  next(err);                                             // other errors (5.10)
});

5. Right and wrong

1) An app without helmet

js
//  no security headers (XSS/clickjacking left open, 14, 2.2)
const app = express();

//  helmet
app.use(helmet());

2) CORS origin: "*" (with auth)

js
//  every origin + cookies: dangerous (14, 2.6)
app.use(cors({ origin: "*", credentials: true }));   // and the browser rejects it anyway!

//  explicit origins
app.use(cors({ origin: ["https://mana.uz"], credentials: true }));

3) Auth without rate limiting

js
//  the login can be tried without limit (brute force, 14, 2.10)
app.post("/login", login);

//  strict rate limit
app.post("/login", authLimiter, login);

4) Security middleware after the routes

js
//  the request reaches the route first and is checked afterwards, or never (too late, 2.14)
app.use("/api", routes);
app.use(helmet());

//  first
app.use(helmet());
app.use("/api", routes);

5) Memory store on several servers

text
 3 servers + memory store  the limit is exceeded 3x (2.11)
 Redis store (shared count)

6. Common mistakes and their fixes

Mistake 1 — CORS policy: No 'Access-Control-Allow-Origin'

Cause: CORS is not configured, or the origin is not in the list (2.5). Fix: cors({ origin: [...] }); add the frontend's origin exactly (scheme, host and port, e.g. http://localhost:5173); check that the preflight (OPTIONS, 2.7) gets a 2xx answer and is not rejected by an auth middleware first.

Mistake 2 — Cookies do not arrive cross-origin

Cause: credentials: true missing (on the server or in the frontend), or SameSite (Chapter 5.15). Fix: credentials: true on the server; withCredentials (axios) or credentials: "include" (fetch) in the frontend; SameSite=None; Secure for cross-site cookies (which requires HTTPS).

Mistake 3 — The rate limit misbehaves behind a reverse proxy

Cause: trust proxy is wrong (10.2). Without it, req.ip is the proxy's address, so every user shares one bucket and legitimate users get 429 almost immediately. With trust proxy set to true (trust everything), a client can put any value in X-Forwarded-For and get a fresh bucket per request, so the limit never triggers. Fix: app.set("trust proxy", 1), with the number equal to the number of proxies in front of the app (Example 7); express-rate-limit also prints a warning at startup when the setting looks unsafe.
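Both failure directions from Mistake 3, as an added example that is not from the page, from Express or from express-rate-limit: clientIp reproduces how the client address a rate limiter keys on is derived from X-Forwarded-For under a numeric trust proxy setting (the last N entries were added by your proxies; N = 0 ignores the header; true trusts everything), and bucketCount shows how many limiter buckets a batch of requests lands in. The proxy address, the users, the forged headers and the function names are constructed for the example.

```javascript
// Added example (not from the page, Express or express-rate-limit). Traffic is constructed.

// Express semantics for a numeric setting N: the last N entries of X-Forwarded-For were
// appended by proxies you control, and the client is the address just before them.
// N = 0 (the default) ignores the header: the socket peer is the client.
// `true` means "trust everything", i.e. the left-most, client-supplied value wins.
function clientIp(remoteAddress, xForwardedFor, trustedHops) {
  const forwarded = (xForwardedFor ?? "").split(",").map((s) => s.trim()).filter(Boolean);
  const hops = [...forwarded, remoteAddress];            // left: claimed client ... right: socket peer
  const n = trustedHops === true ? hops.length - 1 : Math.min(trustedHops, hops.length - 1);
  return hops[hops.length - 1 - n];
}

// How many rate-limit buckets a batch of requests lands in under a given setting.
function bucketCount(requests, trustedHops) {
  const keys = new Set(requests.map((r) => clientIp(r.remoteAddress, r.xff, trustedHops)));
  return keys.size;
}

const PROXY = "10.0.0.2";   // the nginx in front of the app (constructed)

// Three real users behind that nginx (nginx appends each user's address to the header),
// and an attacker who also sends a forged X-Forwarded-For value of their own.
const NORMAL = ["203.0.113.7", "203.0.113.8", "203.0.113.9"]
  .map((ip) => ({ remoteAddress: PROXY, xff: ip }));
const SPOOFED = Array.from({ length: 50 }, (_, i) =>
  ({ remoteAddress: PROXY, xff: `1.2.3.${i}, 198.51.100.66` }));

function main() {
  // trust proxy unset: everyone is "10.0.0.2", one bucket, legitimate users hit 429 together
  console.log(bucketCount(NORMAL, 0));          // 1
  // trust proxy 1: one bucket per real user
  console.log(bucketCount(NORMAL, 1));          // 3
  // trust proxy 1: the attacker's 50 forged values collapse into one bucket (198.51.100.66)
  console.log(bucketCount(SPOOFED, 1));         // 1
  // trust proxy true: every forged value is a fresh bucket, the limit never triggers
  console.log(bucketCount(SPOOFED, true));      // 50
  // no proxy at all but trust proxy 1 set: the client-supplied header is trusted, also spoofable
  console.log(clientIp("203.0.113.7", "1.2.3.4", 1));   // "1.2.3.4"
}
main();
```

The last case is why the setting must match the real topology: one hop too many trusts the attacker's header exactly as `true` does.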

Mistake 4 — The CSP blocks the site's resources

Cause: the CSP is too strict (2.3). Fix: add the needed sources (directives); test in the browser console, which lists each blocked resource and the directive that blocked it; or use the default helmet policy, or reportOnly first.

Mistake 5 — The effective limit is higher than configured (several servers)

Cause: memory store, one count per instance (2.11). Fix: Redis store (Example 5).

Mistake 6 — A legitimate user gets 429

Cause: the limit is too low, or many users share one IP behind NAT (an office, a mobile carrier), or trust proxy is missing (Mistake 3). Fix: adjust the limit; skipSuccessfulRequests on auth; key the limit by user or account rather than IP once the client is authenticated.


7. Integration — where this topic appears in the stack

  • Express (Chapter 5.6): all three are middleware.
  • Auth (5.15–5.18): rate limiting on login/OTP (brute force).
  • CORS + cookies (Chapter 5.15): credentials, SameSite.
  • Redis (Chapter 5.21): rate-limit store (several servers).
  • Error handling (Chapter 5.10): CORS and 429 errors.
  • Validation (Chapter 5.9): input protection (injection/XSS).
  • DevOps (Chapter 10.2): nginx, HTTPS, trust proxy.
  • Security (14): OWASP, security in full.
  • NestJS (8): helmet/cors/throttler, the same idea.

8. Best practices

  • helmet() in every app (one line, mandatory, 2.2, 14).
  • Explicit CORS origins (never * with auth, 2.6, 14); credentials only when needed, and then configured correctly.
  • Rate limiting: global plus a strict limit on the auth routes (brute force, 2.10, 14).
  • Security middleware first (before the routes, 2.14).
  • Cap the body size (express.json({ limit }), DoS, 2.12).
  • Redis store with several servers (rate limit, 2.11).
  • Extras: mongo-sanitize, hpp (injection, 2.12, 14).
  • trust proxy behind a reverse proxy, set to the real number of hops (correct IP, 2.11, Example 7).
  • HTTPS in production (the foundation of everything, 2.13, 14).
  • Tune the CSP carefully (test it, 2.3); combine with validation (Chapter 5.9).

9. Practical project: "Secure API Protection Layer"

Hardening the backend's security to a professional standard.

Goal

Build a complete security layer with helmet, CORS and rate limiting: header protection, cross-origin control, brute-force/DoS protection.

Requirements

  1. Helmet: security headers; tune the CSP (Examples 1 and 4, 2.2, 2.3).
  2. CORS: allowed origins (.env); credentials; dev/prod difference (Example 2, 2.6).
  3. Global rate limit: for all of /api (Example 1, 2.9).
  4. Auth rate limit: strict on login/register/OTP (Example 3, 2.10).
  5. Body limit: express.json({ limit }) (DoS, 2.12).
  6. Extras: mongo-sanitize, hpp (Example 6, 2.12).
  7. Middleware order: security first (Example 7, 2.14).
  8. trust proxy: in production (Example 7, 2.11).
  9. CORS error handling: a clean 403 (Example 8).
  10. (Bonus) Redis store: rate limit (several servers, Example 5, 2.11).

Hints

  • Order: helmet, cors, rateLimit, json, routes, errorHandler (2.14).
  • CORS: origin list, credentials: true (2.6, Mistake 2).
  • Auth limit: max: 5 + skipSuccessfulRequests (2.10).
  • trust proxy behind a reverse proxy (Mistake 3).
  • Test the CSP (no resources should be blocked, Mistake 4).
  • Body: express.json({ limit: "10kb" }).

"Done" criteria (acceptance criteria)

  • helmet's headers are present on responses (check with curl -I).
  • CORS allows only the listed origins (with cookies).
  • The global rate limit works (429).
  • Login/OTP are strictly limited (brute force stops).
  • The body size is capped.
  • mongo-sanitize/hpp are added.
  • The middleware order is correct (security first).
  • trust proxy in production.
  • (Bonus) Redis store / CSP tuned.

The solution code is deliberately not provided: write this project yourself.


10. Summary and bridge to the next chapter

In this chapter we covered the mandatory protection of every Express app: helmet, CORS and rate limiting:

  • Three tools, three problems (needed together, 2.1): helmet (headers), CORS (origins), rate limit (request count).
  • Helmet: security HTTP headers (CSP, X-Frame-Options, HSTS; XSS/clickjacking, 2.2, 2.3).
  • CORS: the Same-Origin Policy (2.4); the server grants access (explicit origins, not *, 2.5, 2.6); preflight (2.7); not a CSRF defence.
  • Rate limiting: capping the request count (brute force/DoS, 2.8); global plus strict on auth (2.10); Redis store (several servers, 2.11).
  • Order (security first, 2.14); HTTPS as the foundation (2.13); extras (sanitize/hpp, 2.12); OWASP (14).

Next chapter: Chapter 5.21, Caching — Redis (in depth). We have mentioned Redis in several chapters (sessions, 5.15; OTP, 5.18; rate limiting, 5.20). Now we study it fully: what Redis is, its data structures (string, hash, list, set, sorted set), caching strategies, TTL, sessions and pub/sub. Redis is the key to backend speed and scale.


Official and trusted sources used

  • github.com/helmetjs/helmet — Helmet (headers, CSP); expressjs.com — Production Best Practices: Security
  • expressjs.com/resources/middleware/cors; MDN — CORS, Same-Origin Policy
  • express-rate-limit (npm); pkgpulse — helmet vs cors vs rate-limit 2026; OWASP Top 10
