monkyz · October 17, 2012 03:43
diff --git a/gistfile1.txt b/gistfile1.txt
 Add app.enable('trust proxy') as I have express running behind nginx:
 ------------------------------------------------------------------------------------------------------------
 Express behind proxies
 Using Express behind a reverse proxy such as Varnish or Nginx is trivial, however it does require configuration. By enabling the "trust proxy" setting via app.enable('trust proxy'), Express will have knowledge that it's sitting behind a proxy and that the X-Forwarded-* header fields may be trusted, which otherwise may be easily spoofed.

 Enabling this setting has several subtle effects. The first of which is that X-Forwarded-Proto may be set by the reverse proxy to tell the app that it is https or simply http. This value is reflected by req.protocol.

 The second change this makes is the req.ip and req.ips values will be populated with X-Forwarded-For's list of addresses.

 http://expressjs.com/guide.html
 ------------------------------------------------------------------------------------------------------------
 csrf protection on forms:
 -----------------------------------------------------------------------------------------------------------
 csrf
 lib/middleware/csrf.js

 CRSF protection middleware.

 By default this middleware generates a token named "_csrf" which should be added to requests which mutate state, within a hidden form field, query-string etc. This token is validated against the visitor's req.session._csrf property which is re-generated per request.

 The default value function checks req.body generated by the bodyParser() middleware, req.query generated by query(), and the "X-CSRF-Token" header field.

 This middleware requires session support, thus should be added somewhere below session() and cookieParser().

 http://www.senchalabs.org/connect/middleware-csrf.html
 ---------------------------------------------------------------------------------------------------------
 hemet:
 https://github.com/evilpacket/helmet
	Add app.enable('trust proxy') as I have express running behind nginx:
	------------------------------------------------------------------------------------------------------------
	Express behind proxies
	Using Express behind a reverse proxy such as Varnish or Nginx is trivial, however it does require configuration. By enabling the "trust proxy" setting via app.enable('trust proxy'), Express will have knowledge that it's sitting behind a proxy and that the X-Forwarded-* header fields may be trusted, which otherwise may be easily spoofed.

	Enabling this setting has several subtle effects. The first of which is that X-Forwarded-Proto may be set by the reverse proxy to tell the app that it is https or simply http. This value is reflected by req.protocol.

	The second change this makes is the req.ip and req.ips values will be populated with X-Forwarded-For's list of addresses.

	http://expressjs.com/guide.html
	------------------------------------------------------------------------------------------------------------
	csrf protection on forms:
	-----------------------------------------------------------------------------------------------------------
	csrf
	lib/middleware/csrf.js

	CRSF protection middleware.

	By default this middleware generates a token named "_csrf" which should be added to requests which mutate state, within a hidden form field, query-string etc. This token is validated against the visitor's req.session._csrf property which is re-generated per request.

	The default value function checks req.body generated by the bodyParser() middleware, req.query generated by query(), and the "X-CSRF-Token" header field.

	This middleware requires session support, thus should be added somewhere below session() and cookieParser().

	http://www.senchalabs.org/connect/middleware-csrf.html
	---------------------------------------------------------------------------------------------------------
	hemet:
	https://github.com/evilpacket/helmet