I'm trying to set up some security middleware for my humble little MERN web app, and I'm currently using helmet and express-mongo-sanitize, specifically for protection against NoSQL injection attacks.
I've set it up, however, as below in my server.js file:
const express = require('express')
const helmet = require('helmet')
const mongoSanitize = require('express-mongo-sanitize')
...
app.use(mongoSanitize())
app.use(helmet())
// Routes below
...
I've tried to test it by making a mock sign up like:
username: {"$gt": ""} password: 'TestPassword'
so that req.body would be:
{
username: '{"$gt": ""}',
password: 'TestPassword'
}
but express-mongo-sanitize doesn't seem to be catching it and it goes through to my database. Am I misunderstanding something? The value of the username key is a string, so maybe it's already OK? Please forgive my ignorance, I'm learning.