How to get the body of an object from a request in Node.js / Express (for CSP violation reports)?

I am interested in implementing a Content Security Policy (CSP) for my Node.js application. The Mozilla docs are quite useful, but I'm stuck on how to include abuse reports. I understand the basic premise of how they work (the browser sends a POST request to the specified URL to notify the site of the violation), but could not figure out where to find the JSON document describing the violation in the HTTP request. Perhaps this would be obvious to someone more familiar with the HTTP specification.

Looking at the W3C project for CSP, I found that the JSON is contained in the part of HTTP called the "entity body". I still don't know what the purpose of the entity is (the only moderately useful page I could find on this was one of the HTTP specs). I assume this is the request body.

Perhaps more importantly, I cannot find a way to get the contents of the entity body. I was thinking about using req.header('entity-body'), but this does not work as the object is not an HTTP header. What is it and how do I get it?

(Also, I tried to find a tutorial on how to implement a CSP violation report in Node.js and found nothing. I found one for PHP, but it was not particularly useful, referring to file_get_contents('php://input'), which I find has no equivalent in Node.js / Express.)

Any help would be greatly appreciated.

+4
2 answers

It turns out I was overthinking things. All you have to do is enable the express.bodyParser() middleware in Express, and then read req.body in the POST handler. This returns the body of the HTTP request containing the JSON violation report.

Enable middleware:

 var express = require('express'); // require added so the snippet runs on its own
 // legacy Express API used in this 2011 answer
 var server = express.createServer(
   // other middleware here
   express.bodyParser()
 );

Receive violation report:

 server.post('/csp/', function(req, res) {
   // req.body holds the parsed JSON violation report
   console.log(req.body);
   res.end(); // finish the response so the browser's report request does not hang
 });
+4

I ran into some difficulties getting my Express application running behind Nginx to report CSP violations; two things I learned from the above answer:

  • The route must handle POST, not GET
  • req.body contains the report

But the above was not enough: I kept getting an empty req.body, and I could not find another post describing how to fix it. After some research, I came across this post, as well as a completely unrelated GitHub issue, where dougwilson gives tips on where to put the route that handles the CSP report.

The reason req.body was empty for me was that I had put the CSP report route handler after the following configuration:

 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: true }));
 app.use(cookieParser());

I moved the CSP report route handler above them, but I still kept getting an empty req.body; then I added the following line above the CSP report route handler, and the report showed up in req.body:

 app.use(bodyParser.json({ type: 'application/csp-report' })); 

After adding the above line before the CSP report request handler, Express realized that it should parse requests that have a Content-Type of application/csp-report.

Maybe, by default, Express does not parse application/csp-report, and adding that line resolved the problem for me. I also googled whether Express parses application/csp-report by default, and I came across this gist, claiming Chrome sends application/csp-report while Firefox sends application/json (I use Chrome; you can enable application/json if you run into problems with FF).

So this is how it looks in my app.js:

 var express = require('express');          // requires added so the excerpt is self-contained
 var bodyParser = require('body-parser');
 var cookieParser = require('cookie-parser');
 var app = express();

 // without the following line, csp-report requests don't get parsed
 app.use(bodyParser.json({ type: 'application/csp-report' }));
 app.get('/vehicle/cspreport', function(req, res) {
   res.status(403).end(); // end the response; a bare status() leaves the request hanging
 });
 app.post('/vehicle/cspreport', function(req, res) {
   console.log('csp report > ' + JSON.stringify(req.body));
   res.status(204).end(); // acknowledge the report with no body
 });
 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: true }));
 app.use(cookieParser());
 ...

The accepted answer posted by the OP is from 2011, and I thought I would add an answer to show how I solved this problem in 2016 with the following versions of Node.js, Express and Nginx:

 Node: v4.2.4
 Express: 4.13.1
 Nginx: 1.8.1
0

Source: https://habr.com/ru/post/1384799/
