1

I'm running an azure app service that includes both a front end (Vue) and a backend service (express). I was notified that the node_modules folder containing the packages used in the backend was still browsable. Considering the security implications of revealing which (versions of) packages are being used, I would like to prevent access to this folder.

The folder structure of the app looks something like this:

wwwroot

---node_modules

---src (contains built express api)

---static (contains built vue app)

---web.config

I'm using Azure pipelines to build and deploy the app. This pipeline includes node modules in the deployed .zip archive.

The app is deployed on a windows app service, using iisnode to run the app.

What steps can I take to shield the node_modules folder from browsing?

Yeseh
  • 11
  • 2
  • The `node_modules` folder or rather any of your folders can only be browsed by someone with access to the Azure resource. No public user should be able to access it anyways. Who are you trying to protect it from? – PramodValavala Mar 13 '20 at 09:13
  • Thanks for your reaction. As we were testing the app one of the testers told us he could look at our node_modules folder from the chrome dev tools. We couldn't find out why that happened and one day the folder was no longer visible. Its pretty safe to assume I just made an error in the pipeline I think :) – Yeseh Apr 07 '20 at 17:16

0 Answers0