Using express.json instead of express.bodyparser

I am creating a simple REST API and I only want to accept JSON input. I prefer to use app.use(express.json({strict: true})); instead of app.use(express.bodyParser());. I went with strict: true thinking that this would add a security layer against invalid JSON. Does anyone else do something like this? I'd like an opinion from someone who has experience with this setting. Thanks

1 answer

Your approach is good, as you potentially reduce the attack surface of your application. But I'm not sure there is any evidence that using bodyParser (which would also allow some malformed JSON, as well as URL-encoded and multipart-encoded data) would be any significant risk.

You can see exactly what strict: true means here:

http://www.senchalabs.org/connect/json.html

    // From connect's json middleware: reject any body that does not start with '{' or '['
    if (strict && '{' != buf[0] && '[' != buf[0]) return next(utils.error(400, 'invalid json'));

It just ensures that the JSON starts with { or [. You still rely on Google not to break the implementation of JSON.parse in V8, as happened with Rails and YAML, which in my opinion is a relatively safe bet.

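An added example, not code from the question, the answer or connect itself: a reimplementation of the quoted strict check followed by the JSON.parse step, run over constructed request bodies so you can see which inputs strict: true turns away and which JSON.parse rejects on its own. The names parseJsonBody, strictJson and req.rawBody are assumptions.

```javascript
// Parse a raw request body the way connect's json() middleware does.
// Returns { status: 200, body } on success or { status: 400, error } on rejection.
function parseJsonBody(raw, { strict = true } = {}) {
  const buf = String(raw).trim();
  // The strict check: the body must begin with '{' or '['.
  // This turns away top-level scalars such as 42, "text", true or null,
  // which JSON.parse would otherwise accept as valid JSON.
  if (strict && buf[0] !== '{' && buf[0] !== '[') {
    return { status: 400, error: 'invalid json' };
  }
  try {
    return { status: 200, body: JSON.parse(buf) };
  } catch (e) {
    // Malformed JSON is rejected by JSON.parse itself, strict or not.
    return { status: 400, error: 'invalid json' };
  }
}

// Express-style middleware wrapper (assumed shape): parses req.rawBody and,
// on success, stores the object or array on req.body; otherwise answers 400.
function strictJson(options) {
  return function (req, res, next) {
    const result = parseJsonBody(req.rawBody || '', options);
    if (result.status !== 200) {
      res.statusCode = 400;
      return next(new Error(result.error));
    }
    req.body = result.body;
    next();
  };
}

// Constructed sample bodies: two that pass, two scalars that only strict
// mode rejects, one malformed body and one empty body.
const samples = ['{"a":1}', '[1,2]', '42', '"text"', '{bad json', ''];
for (const s of samples) {
  console.log(JSON.stringify(s), 'strict ->', parseJsonBody(s).status,
              'non-strict ->', parseJsonBody(s, { strict: false }).status);
}
```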

Source: https://habr.com/ru/post/1492910/
