About security

quahfamili

I m not sure but how is NodeBB up against web security issue such as injection and XSS?

quahfamili

Anyone has any view on this topic?

julian

Hi @quahfamili,

Good question! NodeBB is built with security in mind as well as speed and ease of use. Fortunately for us, the Node.js community is very active in maintaining security, and our part is keeping NodeBB up-to-date with the latest Node.js versions.

In addition, we try not to reinvent the wheel by making our own subsystems and modules when another one already exists online. For example, we hash passwords using the well-known bcrypt library, instead of creating our own hashing mechanism. These abstractions are used all over NodeBB to ensure that critical parts of the application are exposed to as much scrutiny as possible. We try to keep these dependencies as up to date as possible.

As for SQL Injection -- we don't use SQL, so there's no risk of that. We also take care to not blindly pass in whatever the user passes in, and use a library that automatically sanitizes anything a user sends in. Again, that is another component (node_redis) that is maintained elsewhere, and is subject to much more rigorous scrutiny than NodeBB itself is.

I hope that answers your questions

Sunil Sheoran

As for SQL Injection -- we don't use SQL, so there's no risk of that. We also take care to not blindly pass in whatever the user passes in, and use a library that automatically sanitizes anything a user sends in. Again, that is another component (node_redis) that is maintained elsewhere, and is subject to much more rigorous scrutiny than NodeBB itself is.

Since we are not using MySQL and using Redis, do we have a provision of taking BACKUP of the redis database!?

julian

Hi @sunil-sheoran!

At the moment, we don't have an admin-only route that returns a gzipped dump of the database, although that is a feature that we are looking to include with release, possibly as an add-on module.

In the meantime, however, as Redis saves its database on-disk, you can simply copy this file to someplace safe. We include instructions as part of our Upgrade Guide

aaron

A couple questions...

1. What security measures do you take when users upload content to the website?
2. I notice that the upload icon in this reply-editing box is an image whereas on the instance I'm hosting, it's an upload icon. Is there any way to specify who can upload what when?

Thanks!