
Is it secure to bypass security via NODE_ENV?

Basically what I want to do is:

if (process.env.NODE_ENV === 'debug') {
    // bypass security check
} else {
    // security check
}

Is it safe?

It's always better to remove security holes from your code, so what you've done is not 100% unsafe, but it's a single point of failure to being unsafe. You should at least use a two-level system.

if (process.env.NODE_ENV === 'debug' && process.env.BYPASS_ALL_SECURITY === 'true') {
    // bypass security check
} else {
    // security check
}

In this way, you'd have to flip two switches. This prevents someone from turning on debug for another random reason and suddenly auth stops working. You have to do TWO whole things to break your security.

But the most secure thing is to not make security optional.
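Here is how the two-switch gate from the answer looks as a fail-closed helper, as an added example that is not part of the original question or answer. It generalizes the snippet in two ways the answer implies but does not spell out: the bypass is refused outright when NODE_ENV is `production`, and the second flag must be exactly the string `'true'` (so a stray `1` or `yes` does not count). The function names `isSecurityBypassed` and `requireAuth`, the token-based `authenticate` stand-in, and the sample environments are all assumptions constructed for this example.

```javascript
// Added example (not from the original post): a fail-closed version of the
// two-switch bypass. The environment is passed in as a parameter so the
// logic can be tested without mutating process.env.

// Returns true only when BOTH switches are set to their exact expected
// values. A production NODE_ENV can never enable the bypass, whatever the
// second flag says.
function isSecurityBypassed(env = process.env) {
  const nodeEnv = env.NODE_ENV;
  const explicit = env.BYPASS_ALL_SECURITY;
  if (nodeEnv === 'production') return false; // hard stop, regardless of the second flag
  return nodeEnv === 'debug' && explicit === 'true'; // both switches, exact string values
}

// Simulated request guard: runs the real check unless the bypass is active.
// `authenticate` is a stand-in for the app's actual auth check (assumption
// for this example: a request is valid when it carries the expected token).
function requireAuth(req, env = process.env, authenticate = (r) => r.token === 'valid-token') {
  if (isSecurityBypassed(env)) {
    // Make the bypass loud so it is never silently left switched on.
    console.warn('[security] check bypassed: NODE_ENV=debug and BYPASS_ALL_SECURITY=true');
    return { ok: true, bypassed: true };
  }
  return { ok: authenticate(req), bypassed: false };
}

// Constructed environments showing how each combination of switches behaves.
const sampleEnvs = {
  debugOnly: { NODE_ENV: 'debug' },                                   // one switch: check still runs
  bothFlags: { NODE_ENV: 'debug', BYPASS_ALL_SECURITY: 'true' },      // both switches: bypass
  prodBoth: { NODE_ENV: 'production', BYPASS_ALL_SECURITY: 'true' },  // production: never bypass
  flagTruthy: { NODE_ENV: 'debug', BYPASS_ALL_SECURITY: '1' },         // wrong value: check still runs
};

// Runs every sample environment against a request with a bad token and
// returns the outcomes keyed by scenario name.
function demo() {
  const results = {};
  for (const [name, env] of Object.entries(sampleEnvs)) {
    results[name] = requireAuth({ token: 'bad' }, env);
  }
  return results;
}

console.log(demo());
```

Only `bothFlags` lets the bad-token request through, and it does so with a warning on the console; every other combination, including the production environment with the flag set, falls through to the normal check.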
