- Don't run as root.
- For sessions, set
httpOnly(andsecuretotrueif running over SSL) when setting cookies. - Use the Helmet for secure headers: https://github.com/evilpacket/helmet
- Enable
csrffor preventing Cross-Site Request Forgery: http://expressjs.com/api.html#csrf - Don't use the deprecated
bodyParser()and only use multipart explicitly. To avoid multiparts vulnerability to 'temp file' bloat, use thedeferproperty andpipe()the multipart upload stream to the intended destination.
danharper
/ background.js
Last active
April 29, 2025 04:09
Bare minimum Chrome extension to inject a JS file into the given page when you click on the browser action icon. The script then inserts a new div into the DOM.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // this is the background code... | |
| // listen for our browerAction to be clicked | |
| chrome.browserAction.onClicked.addListener(function (tab) { | |
| // for the current tab, inject the "inject.js" file & execute it | |
| chrome.tabs.executeScript(tab.ib, { | |
| file: 'inject.js' | |
| }); | |
| }); |
ethicka
/ localhost-ssl-certificate.md
Last active
March 25, 2025 20:43
Localhost SSL Certificate on Mac OS
🚨 2020 Update: I recommend using mkcert to generate local certificates. You can do everything below by just running the commands brew install mkcert and mkcert -install. Keep it simple!
This gives you that beautiful green lock in Chrome. I'm assuming you're putting your SSL documents in /etc/ssl, but you can put them anywhere and replace the references in the following commands. Tested successfully on Mac OS Sierra and High Sierra.
sudo nano /etc/ssl/localhost/localhost.conf