Chapter 5.20: Security (rate limiting, helmet, CORS)
PART 5: Node.js Backend · Topic 20
1. Introduction and motivation
We have learned to build a backend: server, REST, auth, email/SMS (5.5–5.19). All of it has to be secure. In this chapter we cover the mandatory protective layer of every Express application, three core tools: helmet (security HTTP headers), CORS (which origins may call the API from a browser page), and rate limiting (capping the number of requests). They do not substitute for one another; all three are needed together, because each solves a different problem.
The internet is a hostile place (14). As soon as your API is reachable, bots, attackers and abusers arrive: trying a password thousands of times (brute force), flooding the server with requests (DoS), reading or forging data from another site (CSRF/XSS), attacks through headers. These attacks are not theoretical; they are real and constant. An unprotected API is an open door.
The good news: these three tools are simple and effective. helmet() is one line that sets a dozen or so protective headers. cors() is a few lines of cross-origin control. rateLimit() is a barrier against brute force and DoS. This is the practical side of the OWASP recommendations (the security standard, 14). Full security is covered in PART 14; here we build the backend's everyday defences.
Analogy: the API is a shop. helmet is the shop's cameras and locks (several protections at once). CORS is the doorman deciding who may come in ("only these partners"). Rate limiting caps how many times one person may enter per day (someone walking in and out 1000 times is suspicious and gets stopped). Together they make a safe shop.
Why it matters?
- Mandatory protection (14): every production API needs it (OWASP).
- Real attacks: brute force, DoS, CSRF, XSS are constant.
- Simple and strong: little code, a lot of protection.
- Auth protection: rate limiting stops login brute force (chapter 5.15).
2. Theory: a deeper explanation
2.1. Three tools, three problems (needed together)
- helmet: security HTTP HEADERS (XSS, clickjacking, MIME sniffing)
- CORS: which ORIGINS may call the API from a browser (cross-origin)
- rate limiting: capping the NUMBER of requests (brute force, DoS, spam)
They do NOT replace one another; all three are needed TOGETHER (pkgpulse/owasp).
2.2. What Helmet is and why it is needed
Helmet is a middleware that adds security HTTP headers to Express responses (helmetjs). The browser reads those headers and applies the corresponding protections:
import helmet from "helmet";
app.use(helmet()); // one line, a dozen or so protective headers (14)
Why it matters: a large part of browser-side security depends on response headers. Without Helmet those headers are absent, so the browser applies no protection (XSS and clickjacking stay open).
helmet() is "mandatory, one line, no downside" (helmetjs). One caveat: its default Content-Security-Policy is strict, so if the same Express app serves HTML with inline scripts or third-party assets, expect to tune CSP (2.3).
2.3. Which headers Helmet sets
The main headers Helmet sets (each counters one attack):
- Content-Security-Policy (CSP): which sources resources may load from (XSS protection)
- X-Frame-Options: forbids putting the site in an <iframe> (clickjacking)
- X-Content-Type-Options: stops MIME sniffing
- Strict-Transport-Security (HSTS): HTTPS only (encrypted); browsers honour it only when it arrives over HTTPS
- X-DNS-Prefetch-Control and others; Helmet also removes the X-Powered-By header that advertises Express
CSP (Content-Security-Policy) is the strongest but also the most intricate header (the main XSS defence). It says "scripts may load only from these sources". Configuration is delicate (a mistake breaks the site), so it is tuned step by step.
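Added example, not code from this chapter and not helmet's implementation: it serialises a directives object (the camelCase form helmet accepts) into the header value the browser actually receives, and lints it for the settings that quietly cancel the XSS protection CSP is meant to give. The policies and directive sets below are constructed samples.

```javascript
// Added example (not the chapter's code, not helmet's). Serialise a CSP
// directives object and lint it for the weaknesses that matter most.

// "scriptSrc" -> "script-src"; a directive with no values (for example
// upgradeInsecureRequests) is emitted as a bare keyword.
function cspHeader(directives) {
  return Object.entries(directives)
    .map(([name, values]) => {
      const kebab = name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
      return values.length ? `${kebab} ${values.join(" ")}` : kebab;
    })
    .join("; ");
}

// Returns an array of findings; an empty array means none of the checked
// weaknesses is present. Heuristic check, not a full CSP evaluator.
function lintCsp(directives) {
  const findings = [];
  if (!directives.defaultSrc) {
    findings.push("no default-src: every resource type you forgot to list is unrestricted");
  }
  // script-src falls back to default-src when it is absent
  const scriptSrc = directives.scriptSrc ?? directives.defaultSrc;
  if (!scriptSrc) {
    findings.push("no script-src and no default-src: scripts may load from anywhere");
    return findings;
  }
  // A nonce or hash makes browsers ignore 'unsafe-inline', so that case is fine.
  const hasNonceOrHash = scriptSrc.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline' with no nonce/hash: an injected inline <script> runs, CSP gives no XSS protection");
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': eval()/new Function() on attacker-influenced strings is allowed");
  }
  const wildcard = scriptSrc.some((v) => v === "*" || /^(https?:|data:)$/.test(v) || v.startsWith("*."));
  if (wildcard) {
    findings.push("script-src contains a wildcard or bare scheme: any origin can serve scripts");
  }
  return findings;
}

// The policy used later in this chapter's CSP example, plus a weak variant
// of the kind that gets pasted in to "make it work".
const STRICT_POLICY = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'"],
  imgSrc: ["'self'", "data:", "https://cdn.mana.uz"],
  connectSrc: ["'self'", "https://api.mana.uz"],
};
const WEAK_POLICY = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'", "'unsafe-inline'", "https:"],
};
```

Run lintCsp on the policy you pass to helmet before deploying it; a policy that serialises fine can still be useless against XSS, and the 'unsafe-inline' case is the one that most often slips through a "fix the console errors" session.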
2.4. CORS: where the problem comes from
Browsers enforce the Same-Origin Policy: a page's scripts may freely read responses only from their own origin (scheme + host + port) (0.5, 14). A response from another origin (cross-origin) is withheld from the script, and requests that are not "simple" (custom headers, JSON bodies, methods other than GET/HEAD/POST) are not sent at all until the server approves them:
Page: https://mana.uz
request to https://mana.uz/api: same origin, fine
request to https://api.boshqa.uz: BLOCKED (different origin; security)
Why this is a protection: if any page could read any API's response, a malicious site could call your bank's API (with your cookies attached) and read your data (14). The Same-Origin Policy stops that. It does not stop every request from leaving (a plain form POST still goes out with cookies), which is why CSRF needs its own defence: SameSite cookies and CSRF tokens (5.15). The downside is that legitimate cross-origin traffic (frontend on mana.uz, API on api.mana.uz) is blocked too. The solution is CORS.
2.5. What CORS is (the solution)
CORS (Cross-Origin Resource Sharing) lets the server state, through response headers, "these other origins are allowed". The browser sees the header and lets the page through:
import cors from "cors";
app.use(cors({ origin: "https://mana.uz" })); // only mana.uz is allowed
Key point: CORS is configured on the server but enforced by the browser. It controls "who may call my API from a browser page". Postman, curl and server-to-server calls are unaffected; CORS is purely a browser-side protection, not an access control for the API itself (that job belongs to auth, 5.15).
2.6. Configuring CORS (origin, credentials, methods)
app.use(cors({
origin: ["https://mana.uz", "https://admin.mana.uz"], // allowed origins (14)
credentials: true, // allow cookies / auth headers (5.15)
methods: ["GET", "POST", "PUT", "DELETE"], // allowed methods (5.7)
allowedHeaders: ["Content-Type", "Authorization"],
}));
Do NOT use origin: "*" with auth (14): "every origin allowed" is dangerous for an API that uses auth (cookies or tokens, 5.15). List exact origins as full scheme + host (+ port): "https://mana.uz" and "http://mana.uz" are different origins. With credentials: true, origin: "*" does not work at all (browsers reject the combination). For an open public API (no auth), "*" is acceptable.
2.7. The preflight request (OPTIONS)
Before some cross-origin requests the browser sends a "preflight" request with the OPTIONS method (chapter 5.7): "may I send this request?". It happens for requests that are not simple: methods other than GET/HEAD/POST, custom headers such as Authorization, or a JSON Content-Type:
Browser: OPTIONS /api/users (preflight) "may I POST with Authorization?"
Server (CORS): "yes, allowed" (Access-Control-Allow-* headers)
Browser: now sends the real POST /api/users
The cors middleware answers preflights automatically. Worth knowing: many "CORS errors" are really a failed preflight (the server did not answer OPTIONS, for example because an auth middleware ran before cors and rejected the token-less OPTIONS request with 401).
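Added example, not code from this chapter and not the cors package's implementation: it writes out the decision cors makes for a preflight and for an actual request, so the origin-matching rule and the headers it emits are visible and testable without a server. The allowlist, the method and header lists, and the sample requests are constructed.

```javascript
// Added example (not the chapter's code, not the cors package). The CORS
// allow/deny decision written out by hand.

const ALLOWED_ORIGINS = new Set(["https://mana.uz", "https://admin.mana.uz"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Exact string comparison of the whole origin (scheme + host + port).
// Anything looser lets an attacker-chosen origin through.
function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  return typeof origin === "string" && allowlist.has(origin);
}

// The check that often ships instead, kept only to show what it accepts:
// "https://mana.uz.evil.com" and "https://evil.com/?mana.uz" both pass.
function naiveOriginCheck(origin) {
  return typeof origin === "string" && origin.includes("mana.uz");
}

// Decide the CORS response for one request. `headers` holds lower-cased
// request header names. Returns { allowed, preflight, status, headers }:
// `headers` are the response headers to add (empty when none must be sent),
// `status` is the status a preflight is answered with (null for an actual
// request, which continues to the route handler).
function corsDecision(method, headers, { credentials = true } = {}) {
  const origin = headers["origin"];
  const preflight = method === "OPTIONS" && "access-control-request-method" in headers;
  const status = preflight ? 204 : null;

  // No Origin header: curl, Postman, server-to-server. Not a browser
  // cross-origin request, so CORS does not apply and nothing is blocked.
  if (origin === undefined) return { allowed: true, preflight, status, headers: {} };

  // Unknown origin: omit the Access-Control-* headers. A preflight still gets
  // 204, but without allow headers the browser fails the real request.
  if (!isAllowedOrigin(origin)) return { allowed: false, preflight, status, headers: {} };

  // Echo the exact origin and tell caches the answer depends on it. Never "*":
  // with credentials the browser rejects "*", and without credentials "*"
  // would open the API to every page on the web.
  const out = { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  if (credentials) out["Access-Control-Allow-Credentials"] = "true";
  if (!preflight) return { allowed: true, preflight, status, headers: out };

  const wantMethod = headers["access-control-request-method"];
  const wantHeaders = (headers["access-control-request-headers"] ?? "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { allowed: false, preflight, status, headers: {} };

  out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  out["Access-Control-Max-Age"] = "600"; // browsers may cache this preflight answer for 10 minutes
  return { allowed: true, preflight, status, headers: out };
}
```

The two things to take from it: the absence of an Origin header means "not a browser", not "attacker", so no CORS headers are needed there; and the allowlist must be compared as whole strings, which is exactly what passing an array to cors({ origin }) does and what a hand-written includes()/endsWith()/unanchored regex does not.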
2.8. What rate limiting is and why it is needed
Rate limiting caps how many requests one client (by default, one IP) may send in a given time (express-rate-limit). It protects against:
- Brute force: trying thousands of passwords on login (chapter 5.15); the cap stops it
- DoS: flooding the server with requests; the cap protects it
- API abuse: misuse of a free API; enforces fair use
- Scraping: bulk downloading of data; slows it down
import rateLimit from "express-rate-limit";
const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }); // 100 requests per 15 min
app.use(limiter);
2.9. Configuring rate limiting (window, max)
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // time window (15 minutes)
max: 100, // at most 100 requests per IP in that window (v7 names this option `limit`; `max` still works as an alias)
standardHeaders: true, // RateLimit-* headers (how many are left)
legacyHeaders: false, // no X-RateLimit-* headers
message: { error: "Too many requests. Try again later" }, // body of the 429 response
});
// When the cap is exceeded: 429 Too Many Requests (5.7)
429 Too Many Requests (chapter 5.7) is the status returned when the limit is exceeded.
standardHeaders gives the client headers saying "how many requests remain, when the window resets".
2.10. Different limits for different endpoints
Not all endpoints are equal: login (sensitive) gets a strict limit; an ordinary GET a lenient one (pkgpulse):
- Global (all of /api): max 100 / 15 min (general)
- Login/register/OTP: max 5 / 15 min (brute force; strict, 5.15, 5.18)
- Password reset: max 3 / hour (strict)
- Public GET: more lenient
Most important: auth routes (login, register, OTP, password reset) get a strict rate limit; this is the main brute-force defence (5.15, 14). The global limit is a supplement. Note that an IP-based limit alone does not stop an attacker who spreads attempts over many addresses; for login, also limit per account (username or email) and treat repeated failures on one account as a signal.
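Added example, not code from this chapter and not express-rate-limit's implementation: a fixed-window counter with the same knobs the chapter configures (windowMs, limit, skipSuccessfulRequests) and the tiered global + auth setup from this section, so the counting rules can be exercised offline with an explicit clock. The function and option names are this example's own, and the replayed login outcomes are constructed.

```javascript
// Added example (not the chapter's code, not express-rate-limit). A fixed-window
// limiter with tiers, driven by an explicit clock so it runs without a server.

function createLimiter({ windowMs, limit, skipSuccessfulRequests = false }) {
  // key -> { count, resetAt }. In production this Map is what a Redis store
  // replaces, so that every server instance shares the same counts (2.11).
  const buckets = new Map();

  // Called when a request arrives. Returns the decision plus the values that
  // go into the RateLimit-Limit / RateLimit-Remaining / RateLimit-Reset headers.
  function hit(key, now) {
    let b = buckets.get(key);
    if (!b || now >= b.resetAt) {
      b = { count: 0, resetAt: now + windowMs }; // window expired: start a new one
      buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= limit;
    return {
      allowed,
      status: allowed ? null : 429, // null: continue to the route
      limit,
      remaining: Math.max(0, limit - b.count),
      resetSeconds: Math.ceil((b.resetAt - now) / 1000),
    };
  }

  // Called after the route has responded. With skipSuccessfulRequests the
  // attempt is handed back for a 2xx/3xx response, so only failed attempts
  // (wrong password -> 401) consume the budget.
  function settle(key, statusCode, now) {
    if (!skipSuccessfulRequests || statusCode >= 400) return;
    const b = buckets.get(key);
    if (b && now < b.resetAt && b.count > 0) b.count -= 1;
  }

  return { hit, settle };
}

// The two tiers from section 2.10: a lenient global limiter on all of /api and
// a strict one for login. A login request must pass both.
function makeTiers() {
  return {
    global: createLimiter({ windowMs: 15 * 60 * 1000, limit: 100 }),
    auth: createLimiter({ windowMs: 15 * 60 * 1000, limit: 5, skipSuccessfulRequests: true }),
  };
}

// Replay a sequence of login attempts from one client. `outcomes` is an array
// of booleans (true = correct password), one second apart starting at `start`.
// Returns the HTTP status each attempt receives (200, 401 or 429).
function replayLogins(tiers, ip, outcomes, start) {
  const authKey = `${ip}:login`;
  return outcomes.map((correct, i) => {
    const now = start + i * 1000;
    const g = tiers.global.hit(ip, now);
    const a = tiers.auth.hit(authKey, now);
    if (!g.allowed || !a.allowed) return 429; // rejected at the gate, handler never runs
    const status = correct ? 200 : 401; // constructed handler outcome
    tiers.global.settle(ip, status, now);
    tiers.auth.settle(authKey, status, now);
    return status;
  });
}
```

A brute-force run of seven wrong passwords gets five 401s and then 429s until the window rolls over, while twenty correct logins in a row are never blocked because successful attempts are refunded; that is the behaviour skipSuccessfulRequests buys on an auth route, and the reason it should not be used on the global limiter, where success says nothing about abuse.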
2.11. Rate-limit store (multiple servers: Redis)
By default express-rate-limit counts in process memory. With several server instances (10.2: load balancer) each instance keeps its own count, so the limit no longer holds:
- Memory store + 3 servers: 100 per server = 300 in total (limit broken)
- Redis store (chapter 5.21): all servers share one count (one global limit)
In production (multiple instances) use the Redis store (rate-limit-redis, 5.21). For a single server the memory store is enough.
2.12. Other security tools (briefly)
Beyond Helmet/CORS/rate limiting (14):
- express-mongo-sanitize: NoSQL-injection protection (MongoDB, 6, 14); check its compatibility with your Express version, since on Express 5 req.query is read-only and the package's default mode cannot rewrite it
- hpp: HTTP Parameter Pollution protection
- express.json({ limit }): caps the request body size (DoS, 5.6)
- compression: compresses responses (performance, not security)
- Validation (chapter 5.9): input data (XSS/injection, 14)
2.13. HTTPS: the foundation of everything (14)
These tools do not work fully without HTTPS (14):
- HTTP: data travels IN THE CLEAR (passwords and tokens are visible on the network, 14)
- HTTPS: encrypted (TLS); Secure cookies (chapter 5.15) and HSTS (helmet, 2.3) only work over it
- In production HTTPS is MANDATORY (nginx/reverse proxy + TLS certificate, 10.2)
2.14. Middleware order (security first)
Security middleware goes first (before the routes, 5.6):
app.use(helmet()) 1. security headers
app.use(cors(...)) 2. CORS
app.use(rateLimit(...)) 3. rate limiting
app.use(express.json(...)) 4. body parser (with a limit)
app.use("/api", routes) 5. routes
app.use(errorHandler) 6. error handler (last, 5.10)
Why first: security must stop a request at the gate, before it reaches a route. The rate limiter rejects unwanted requests immediately (saving resources), and placing it before the body parser means the server does not even parse the body of a request it is going to refuse.
2.15. OWASP Top 10: where this chapter fits (14)
The OWASP Top 10 is the list of the ten most critical web-application weaknesses (the security standard, 14). The tools in this chapter address exactly these items:
- Broken Access Control: CORS + auth (which origin / who, 2.5, 5.15)
- Injection (SQL/NoSQL/XSS): sanitisation + validation (mongo-sanitize, 2.12, 5.9)
- Security Misconfiguration: helmet (missing security headers, 2.2)
- Identification and Authentication Failures: login rate limiting (brute force, 2.10, 5.15)
- Cryptographic Failures: HTTPS/HSTS (unencrypted traffic, 2.13)
Note: this chapter is the practical backend slice of OWASP. The full list and deeper analysis are in PART 14; here we build the minimal protection layer every production API must have.
3. Syntax: quick reference
import helmet from "helmet";
import cors from "cors";
import rateLimit from "express-rate-limit";
app.use(helmet()); // headers (2.2)
app.use(cors({ origin: [...], credentials: true })); // CORS (2.6)
app.use(rateLimit({ windowMs: 15*60*1000, max: 100 })); // rate limit (2.9)
// Strict for auth (2.10)
const authLimiter = rateLimit({ windowMs: 15*60*1000, max: 5 });
app.post("/api/auth/login", authLimiter, login);
// Order: helmet -> cors -> rateLimit -> json -> routes -> errorHandler (2.14)
4. Detailed code examples
Example 1: basic security setup (2.14)
import express from "express";
import helmet from "helmet";
import cors from "cors";
import rateLimit from "express-rate-limit";
import { config } from "./config/index.js"; // (5.8)
import routes from "./routes/index.js"; // route module (assumed path)
const app = express();
// 1. Helmet: security headers (2.2)
app.use(helmet());
// 2. CORS: allowed origins (2.6)
app.use(cors({
origin: config.corsOrigins, // list from .env (14)
credentials: true, // cookies (5.15)
}));
// 3. Global rate limit (2.9)
app.use(rateLimit({
windowMs: 15 * 60 * 1000,
max: 100,
standardHeaders: true,
message: { error: "Too many requests" },
}));
// 4. Body parser (with a limit: DoS, 2.12)
app.use(express.json({ limit: "10kb" })); // body at most 10kb
// 5. Routes
app.use("/api", routes);
Example 2: full CORS configuration (2.6)
import cors from "cors";
import { config } from "./config/index.js"; // (5.8)
// Allowed origins (from .env, 5.8, 14)
const RUXSAT = config.isProd
? ["https://mana.uz", "https://admin.mana.uz"] // production (exact)
: ["http://localhost:5173", "http://localhost:3000"]; // dev
app.use(cors({
origin: (origin, callback) => {
// No Origin header (Postman/server-to-server: not a browser) or an allowed origin.
// Exact match only: includes()/endsWith() would also accept an attacker's subdomain such as mana.uz.evil.com
if (!origin || RUXSAT.includes(origin)) {
callback(null, true);
} else {
callback(new Error("CORS: origin not allowed")); // rejected (14); Example 8 turns this into a 403
}
},
credentials: true, // cookies/auth (5.15)
methods: ["GET", "POST", "PUT", "PATCH", "DELETE"], // (5.7)
allowedHeaders: ["Content-Type", "Authorization"],
}));
Example 3: different rate limits per endpoint (2.10)
import rateLimit from "express-rate-limit";
import { login, register, sendOtp } from "./controllers/auth.js"; // handlers (assumed path; 5.15, 5.18)
// Global (lenient, 2.9)
const globalLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 });
// Auth (strict: brute force, 2.10, 5.15)
const authLimiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 5, // 5 attempts per 15 min
message: { error: "Too many attempts. Wait 15 minutes" },
skipSuccessfulRequests: true, // a successful login (2xx) does not count; only failures do
});
// OTP (very strict: every SMS costs money, 2.10, 5.18)
const otpLimiter = rateLimit({ windowMs: 60 * 60 * 1000, max: 10 });
app.use("/api", globalLimiter); // everyone
app.post("/api/auth/login", authLimiter, login); // extra limit on login (5.15)
app.post("/api/auth/register", authLimiter, register);
app.post("/api/auth/send-otp", otpLimiter, sendOtp); // (5.18)
Example 4: configuring Helmet CSP (2.3)
import helmet from "helmet";
// Default helmet (enough in most cases)
app.use(helmet());
// Or tune CSP (for the frontend's resources, 2.3)
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"], // own origin only
scriptSrc: ["'self'"], // scripts only from self (XSS, 14); never add 'unsafe-inline' here
imgSrc: ["'self'", "data:", "https://cdn.mana.uz"], // image sources
connectSrc: ["'self'", "https://api.mana.uz"], // API requests (fetch/XHR)
},
},
}));
// CSP is delicate: a wrong policy blocks the site's own resources (2.3). Test it, and watch the browser console for blocked-resource reports.
Example 5: Redis store (multiple servers, 2.11)
import rateLimit from "express-rate-limit";
import { RedisStore } from "rate-limit-redis";
import { redis } from "./config/redis.js"; // node-redis client (5.21)
// All servers share one count (Redis, 2.11)
const limiter = rateLimit({
store: new RedisStore({
sendCommand: (...args) => redis.sendCommand(args), // node-redis v4 client API
}),
windowMs: 15 * 60 * 1000,
max: 100,
});
app.use("/api", limiter);
// Now even with 3 servers the total is 100 (shared limit, 2.11)
Example 6: extra protection (mongo-sanitize, hpp, 2.12)
import express from "express";
import helmet from "helmet";
import cors from "cors";
import rateLimit from "express-rate-limit";
import mongoSanitize from "express-mongo-sanitize"; // NoSQL injection (6, 14)
import hpp from "hpp"; // parameter pollution
app.use(helmet());
app.use(cors({...}));
app.use(rateLimit({...})); // before the body parser, as in 2.14
app.use(express.json({ limit: "10kb" })); // DoS (2.12)
app.use(mongoSanitize()); // strips injection payloads such as { $gt: "" } (14)
app.use(hpp()); // protection against duplicate params (?sort=a&sort=b)
// Layered protection (14)
Example 7: a fully secured app.js (2.14)
import express from "express";
import helmet from "helmet";
import cors from "cors";
import rateLimit from "express-rate-limit";
import mongoSanitize from "express-mongo-sanitize";
import cookieParser from "cookie-parser"; // (5.15)
import { config } from "./config/index.js";
import { errorHandler } from "./middleware/errorHandler.js"; // (5.10)
import authRoutes from "./routes/auth.js"; // (assumed path; 5.15)
import apiRoutes from "./routes/index.js"; // (assumed path)
const app = express();
// Behind a reverse proxy in production: trust exactly one hop so req.ip is the real client (rate-limit key, 10.2).
// A value of true would trust whatever X-Forwarded-For the client forges; express-rate-limit refuses that setting.
if (config.isProd) app.set("trust proxy", 1);
// SECURITY (first, 2.14)
app.use(helmet()); // 1. headers
app.use(cors({ origin: config.corsOrigins, credentials: true })); // 2. CORS
app.use(rateLimit({ windowMs: 15 * 60 * 1000, max: 100 })); // 3. rate limit
app.use(express.json({ limit: "10kb" })); // 4. body (limited)
app.use(cookieParser()); // 5. cookies (5.15)
app.use(mongoSanitize()); // 6. injection (14)
// Routes
app.use("/api/auth", authRoutes);
app.use("/api", apiRoutes);
// Error handler (last, 5.10)
app.use(errorHandler);
export default app;
Example 8: handling CORS errors (2.7)
// Turn a CORS rejection into a clean response (5.10). Register this after the routes and before the general errorHandler.
app.use((err, req, res, next) => {
if (err.message?.includes("CORS")) {
return res.status(403).json({ error: "This origin is not allowed" }); // 403 (5.7)
}
next(err); // other errors (5.10)
});
// Alternative: in the origin callback return callback(null, false) instead of an Error; cors then simply omits Access-Control-Allow-Origin and the browser blocks the response itself.
5. Right and wrong
1) An app without helmet
// no security headers (XSS/clickjacking open; 14, 2.2)
const app = express();
// with helmet
app.use(helmet());
2) CORS origin: "*" (with auth)
// any origin + cookies: dangerous (14, 2.6)
app.use(cors({ origin: "*", credentials: true })); // and it does not even work!
// exact origins
app.use(cors({ origin: ["https://mana.uz"], credentials: true }));
3) Auth without rate limiting
// login can be tried without limit (brute force; 14, 2.10)
app.post("/login", login);
// strict rate limit
app.post("/login", authLimiter, login);
4) Security middleware after the routes
// the route runs first, the check comes after (too late, 2.14)
app.use("/api", routes);
app.use(helmet());
// first
app.use(helmet());
app.use("/api", routes);
5) Memory store on multiple servers
3 servers + memory store: the limit is 3x too loose (2.11)
Redis store (shared count)
6. Common mistakes and their fixes
Mistake 1: "CORS policy: No 'Access-Control-Allow-Origin'"
Cause: CORS not configured, or the origin is not in the list (chapter 2.5). Fix: cors({ origin: [...] }); add the frontend's origin; check the preflight (OPTIONS, 2.7).
Mistake 2: cookies do not arrive cross-origin
Cause: credentials: true missing (server or frontend), or SameSite (chapter 5.15). Fix: credentials: true on the server; withCredentials on the frontend; SameSite=None plus Secure for cross-site cookies.
Mistake 3: the rate limit misbehaves behind a reverse proxy
Cause: req.ip is wrong (10.2). With trust proxy unset, every request carries the proxy's address, so all users share one bucket and legitimate users get 429; with trust proxy set to true, the client controls X-Forwarded-For and an attacker bypasses the limit by forging it. Fix: app.set("trust proxy", 1), the number of proxy hops in front of Node (Example 7), and only in the environment where that proxy actually exists.
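Added example, not code from this chapter and not Express's own implementation: it reproduces how the client address used as the rate-limit key is derived from the TCP socket address and the X-Forwarded-For header for a given number of trusted proxy hops, which is what a numeric "trust proxy" setting means. The addresses are constructed, and Infinity stands in for trust proxy: true.

```javascript
// Added example (not the chapter's code, not Express). Client-IP derivation
// behind proxies, to show what "trust proxy" does to the rate-limit key.

function clientIp(socketAddr, xForwardedFor, trustedHops = 0) {
  // Hop count 0 (trust proxy unset): use the socket address as-is. Behind nginx
  // that is always the proxy itself, so every user lands in the same bucket.
  if (!trustedHops || !xForwardedFor) return socketAddr;

  // Each proxy appends the address it saw: "client, proxy1, proxy2".
  const chain = xForwardedFor.split(",").map((s) => s.trim()).filter(Boolean);

  // Walk from the right: the socket peer is hop 0, the rightmost XFF entry was
  // written by the proxy we connected to, and so on. The first address beyond
  // the trusted hops is the client. Anything further left was supplied by the
  // client and must not be believed.
  const fromRight = [socketAddr, ...chain.reverse()];
  return fromRight[Math.min(trustedHops, fromRight.length - 1)];
}

// True when two requests from different real clients would be counted in the
// same bucket, which is the symptom of a missing trust proxy.
function shareBucket(reqA, reqB, trustedHops) {
  return clientIp(reqA.socket, reqA.xff, trustedHops) ===
    clientIp(reqB.socket, reqB.xff, trustedHops);
}

// Constructed scenario: nginx at 10.0.0.2 in front of Node, two real clients,
// and an address an attacker tries to inject through X-Forwarded-For.
const PROXY = "10.0.0.2";
const REAL_A = "203.0.113.9";
const REAL_B = "198.51.100.7";
const SPOOFED = "1.2.3.4";
```

Two failure modes fall out of the same function: with no trusted hop behind nginx, REAL_A and REAL_B both resolve to 10.0.0.2 and share one bucket; with every hop trusted (the `true` setting), the attacker's leftmost entry wins and they choose their own key per request, which is the bypass express-rate-limit's trust-proxy validation exists to catch. Trusting one hop while running without a proxy (a dev box) is the quieter variant of the second case, which is why Example 7 guards the setting with config.isProd.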
Mistake 4: CSP blocks the site's resources
Cause: CSP too strict (chapter 2.3). Fix: add the required sources (directives); test; or fall back to default helmet.
Mistake 5: the limit is not shared across servers (multiple instances)
Cause: memory store (chapter 2.11). Fix: Redis store (Example 5).
Mistake 6: a legitimate user gets 429
Cause: the limit is too low, or many users sit behind NAT on one IP. Fix: tune the limit; use skipSuccessfulRequests on auth; key by user (keyGenerator) instead of IP on authenticated routes.
7. Integration: where this topic appears in the stack
- Express (chapter 5.6): all three are middleware.
- Auth (5.15–5.18): login/OTP rate limiting (brute force).
- CORS + cookies (chapter 5.15): credentials, SameSite.
- Redis (chapter 5.21): rate-limit store (multiple servers).
- Error handling (chapter 5.10): CORS and 429 errors.
- Validation (chapter 5.9): input protection (injection/XSS).
- DevOps (chapter 10.2): nginx, HTTPS, trust proxy.
- Security (14): OWASP, full security.
- NestJS (8): helmet/cors/throttler, the same idea.
8. Best practices
- helmet() in every app (one line, mandatory; 2.2, 14).
- CORS with exact origins (no * with auth; 2.6, 14); set credentials correctly when needed.
- Rate limiting: global plus strict limits on auth routes (brute force; 2.10, 14).
- Security middleware first (before the routes, 2.14).
- Cap the body size (express.json({ limit }); DoS, 2.12).
- Redis store on multiple servers (rate limit, 2.11).
- Extras: mongo-sanitize, hpp (injection; 2.12, 14).
- trust proxy behind a reverse proxy (correct IP; 2.11, Example 7).
- HTTPS in production (the foundation; 2.13, 14).
- Configure CSP carefully (test, 2.3); combine with validation (chapter 5.9).
9. Hands-on project: "Secure API Protection Layer"
Harden the backend's security to a professional standard.
Goal
Build a complete security layer with helmet, CORS and rate limiting: header protection, cross-origin control, brute-force/DoS protection.
Requirements
- Helmet: security headers; tune CSP (Examples 1 and 4; 2.2, 2.3).
- CORS: allowed origins (from .env); credentials; dev/prod difference (Example 2, 2.6).
- Global rate limit: for all of /api (Example 1, 2.9).
- Auth rate limit: strict for login/register/OTP (Example 3, 2.10).
- Body limit: express.json({ limit }) (DoS, 2.12).
- Extras: mongo-sanitize, hpp (Example 6, 2.12).
- Middleware order: security first (Example 7, 2.14).
- trust proxy: in production (Example 7, 2.11).
- CORS error handling: a clean 403 (Example 8).
- (Bonus) Redis store for the rate limit (multiple servers; Example 5, 2.11).
Hints
- Order: helmet -> cors -> rateLimit -> json -> routes -> errorHandler (chapter 2.14).
- CORS: origin list, credentials: true (2.6, Mistake 2).
- Auth limit: max: 5 + skipSuccessfulRequests (chapter 2.10).
- trust proxy behind a reverse proxy (Mistake 3).
- Test the CSP (no blocked resources; Mistake 4).
- Body: express.json({ limit: "10kb" }).
Acceptance criteria
- Helmet headers are set.
- CORS only allows the listed origins (with cookies).
- The global rate limit works (429).
- Login/OTP are strictly limited (brute force stops).
- Body size is capped.
- mongo-sanitize/hpp are added.
- Middleware order is correct (security first).
- trust proxy in production.
- (Bonus) Redis store / tuned CSP.
The solution code is deliberately not provided; write this project yourself.
10. Summary and bridge to the next chapter
In this chapter we covered the mandatory protection of every Express app: helmet, CORS, rate limiting:
- Three tools, three problems (needed together, 2.1): helmet (headers), CORS (origins), rate limiting (request count).
- Helmet: security HTTP headers (CSP, X-Frame-Options, HSTS; XSS/clickjacking; 2.2, 2.3).
- CORS: Same-Origin Policy (chapter 2.4); the server grants access (exact origins, not *; 2.5, 2.6); preflight (chapter 2.7).
- Rate limiting: capping request counts (brute force/DoS, 2.8); global plus strict auth limits (chapter 2.10); Redis store (multiple servers, 2.11).
- Order (security first, 2.14); HTTPS as the foundation (chapter 2.13); extras (sanitize/hpp, 2.12); OWASP (14).
Next chapter, 5.21: Caching with Redis (in depth). We have mentioned Redis in several chapters (sessions 5.15, OTP 5.18, rate limiting 5.20). Now we study it fully: what Redis is, its data structures (string, hash, list, set, sorted set), caching strategies, TTL, sessions and pub/sub. Redis is the key to backend speed and scale.
Official / trusted sources used
- github.com/helmetjs/helmet: Helmet (headers, CSP); expressjs.com: Production Best Practices: Security
- expressjs.com/resources/middleware/cors; MDN: CORS, Same-Origin Policy
- express-rate-limit (npm); pkgpulse: helmet vs cors vs rate-limit 2026; OWASP