doc: add security section to debugging guides #1613
Conversation
| ### Browsers, WebSockets and same-origin policy | ||
|
|
||
| Websites open in a web-browser can make WebSocket and HTTP requests under the | ||
| browser security model. A initial HTTP connection is necessary to obtain a |
There was a problem hiding this comment.
Nit: A initial -> An initial.
| $ node --inspect server.js | ||
| ``` | ||
|
|
||
| Now, on your local machine from where you want initiate a debug client |
There was a problem hiding this comment.
Nit: want initiate -> want to initiate.
| threat. We suggest you ensure appropriate firewalls and access controls in place | ||
| to prevent a security exposure. | ||
|
|
||
| See the section on 'Enabling remote debugging scenarios' on some advice on how |
There was a problem hiding this comment.
Nit: maybe it is worth to add a link to #enabling-remote-debugging-scenarios?
|
I think a discussion of the security risks needs to be up-front in the debugging guide. It might be possible have a summary section and link to a detailed document elsewhere. Let me take a look at refactoring. |
|
@marswong I took a deeper look at refactoring this PR into two document, and I don't think there is a refactor into two documents that would be satisfactory:
In summary, I think we should keep this a single doc. Even though this doc is called the 'Debugging Getting Started' guide, in reality it is actually the 'Debugging Guide'. I think security implications should stay in this doc. I would like to land this as-is. WDYT? |
|
@ofrobots Can you please fix the little nits @vsemozhetbyt mentioned, and I think we are good to go. If we feel the need to restructure the document, we can do so at a later point. |
|
Thank you! |
|
@ofrobots good job :) |
This talks about the security implications a bit more, in light of https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/#node-js-inspector-dns-rebinding-vulnerability-cve-2018-7160