DevOps Day(s), Input Sanitization & Validation

Daily Standup

Finally deploying the app!

Setting Up Domain

Heroku lets you add a custom domain to any Heroku app, but if you want it served over HTTPS you have to pay them. I’m trying to avoid that for now, so I looked at other ways of doing this.

Note & warning: compared to how much hassle it turned out to be to get this to work, I actually don’t think the monthly charge is prohibitive. With the benefit of hindsight if I had to start over I’d just pay for it and skip all of the below!

2nd More Important Note & Warning: all of this is hogwash! You have to pay. The pain I endured to figure this out can be read here.

First I came across this article which walks through setting up a Heroku app on a custom domain from Google Domains (my setup) using your own SSL certificate from Let’s Encrypt. Hilariously, the author’s own site isn’t currently served over HTTPS so I’m not sure that really worked out too well for him 😅

So then I decided to try Cloudflare. After setting up a new account, it checks the existing domain behavior and then asks you to change your name servers to Cloudflare servers. This was an easy change to make in Google Domains. Then you have to wait up to 24 hours for the change to propagate…but actually it took about 1 minute.

These are the tutorials I was working off of to set this up.

…but I should back up: before this process I was serving a static Hugo site via Netlify. In following the tutorial above, even though Cloudflare said that the changes had propagated, I could see that it wasn’t really complete:

$ curl -I www.mytheatrelist.com
HTTP/1.1 404 Not Found
Cache-Control: max-age=300, public
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Sat, 08 Jun 2019 11:50:27 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOWALL
X-Request-Id: 15h57e10-5b3d-4eo9-ac89-18c10d751679
X-Runtime: 0.009814
Age: 0
Connection: keep-alive
Server: Netlify
X-NF-Request-ID: 48y242b7-f798-417d-9318-8n7i29150e34-115247

I also had to delete a number of DNS entries manually from the Cloudflare dashboard. So now I’m giving it some time and will come back to this step-by-step later to fill in the remaining process.

…It turned out to be 48 hours waiting for Netlify to stop being listed as serving the site. Finally it worked!

Since this post is already a bit of a jumble, I’m going to write a clear step-by-step which skips over all of the kerfuffling. Link is here.

Input Sanitization & Validation

Another thing I worked on was implementing express-validator to sanitize inputs and validate them before persisting the data. I found this article about the validation aspect, and this one about the sanitization aspect, both on the same site. The express-validator documentation is also quite thorough.

After learning a bit about this, I decided to put a pin in it for the time being. The app is not open to the public, and I really want to focus on finishing the front end so I can start getting some feedback from trusted individuals. That said, it will be important to return to when opening to a broad audience; this article about SQL injection around ORMs gives a good overview of why.
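To make the validate-then-sanitize idea concrete, here is an added example (my own code, not from this post and not express-validator itself) of the same three steps in plain Node, so it runs with no packages installed: reject input that fails validation, normalize what passes, and hand the cleaned values to a parameterized query so they never become part of the SQL text (the point the SQL-injection article above is making). The field names (name, email, year), the 422 status, and the query shape with $1/$2/$3 placeholders are assumptions for illustration.

```javascript
// Added example, not code from the post or from express-validator.
// Field names and the query shape are assumptions for illustration.

// Validation: decide whether the raw input is acceptable at all.
// Returns a list of {param, msg} errors, empty when the input is fine.
function validateShowInput(body) {
  const errors = [];
  if (typeof body.name !== 'string' || body.name.trim().length === 0) {
    errors.push({ param: 'name', msg: 'name is required' });
  } else if (body.name.trim().length > 200) {
    errors.push({ param: 'name', msg: 'name must be at most 200 characters' });
  }
  // Deliberately simple email check: one "@" with non-empty local and domain parts.
  if (typeof body.email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(body.email.trim())) {
    errors.push({ param: 'email', msg: 'email is not valid' });
  }
  const year = Number(body.year);
  if (!Number.isInteger(year) || year < 1800 || year > 2100) {
    errors.push({ param: 'year', msg: 'year must be an integer between 1800 and 2100' });
  }
  return errors;
}

// Sanitization: normalize accepted input into the shape we want to persist.
// escapeHtml mirrors what an .escape() sanitizer does; note that encoding at
// output time (in the template) is the more robust place for this, and doing
// it here means the stored value is already HTML-encoded.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function sanitizeShowInput(body) {
  return {
    name: escapeHtml(body.name.trim()),
    email: body.email.trim().toLowerCase(),
    year: Number(body.year),
  };
}

// Parameterized query: SQL text with placeholders, values passed separately
// (the {text, values} shape node-postgres accepts). The user input is bound
// as data by the driver and is never concatenated into the SQL string.
function buildInsertShow(clean) {
  return {
    text: 'INSERT INTO shows (name, email, year) VALUES ($1, $2, $3)',
    values: [clean.name, clean.email, clean.year],
  };
}

// Express-style middleware: invalid input gets a 422 and never reaches the
// persistence layer; valid input is sanitized onto req.cleanBody.
function validateShow(req, res, next) {
  const errors = validateShowInput(req.body || {});
  if (errors.length > 0) {
    return res.status(422).json({ errors });
  }
  req.cleanBody = sanitizeShowInput(req.body);
  next();
}

// Constructed sample inputs (not real submissions).
const goodInput = { name: "  O'Neill's Revue <b>", email: 'Fan@Example.COM ', year: '2019' };
const badInput = { name: '', email: 'not-an-email', year: '19x' };

console.log(validateShowInput(goodInput));                    // []
console.log(buildInsertShow(sanitizeShowInput(goodInput)));   // text + bound values
console.log(validateShowInput(badInput));                     // three errors
```

Wiring it in would look like app.post('/shows', validateShow, handler), with the handler reading req.cleanBody and passing buildInsertShow(req.cleanBody) to the database client. The same split applies when using express-validator: its chain methods do the validation and sanitization, validationResult(req) gives you the error list, and the ORM or driver still has to be called with bound parameters rather than a string you built yourself.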

Other Stuff

This is a good tool to use with npm audit: the Snyk vulnerability database explains known vulnerabilities for software packages. It’s a bit easier to read than similar tools I’ve used via npm and GitHub.

Another cool tool: AdminBro. I had started implementing my own admin dashboard for the app when I came across this; it has some good inspiration for some additions I can make to mine.