When making an express.js application, security and privacy should be of at least some concern. A good start with express might be to check out helmet.js. This express.js middleware is actually a collection of middleware modules that can be used to set some headers that may help to improve security, and privacy to some extent. It is not an end-all solution of course, but it is a good start to say the least. In this post I will be writing about one of the middleware methods, the one that is used to set a header that disables DNS prefetching.
I used a well known tool called wireshark to confirm to myself first hand that setting this browser header does have an effect that can help improve privacy. If you wish to do the same you may want to install it yourself as well if you have not done so beforehand. It is a very helpful tool to have at the ready if you really want to get into this sort of thing.
To make an example of how this works I quickly put together an index.html file that has a few links to some domains. This index.html file is then served up using express.static, but only after I use helmet to set a header called X-DNS-Prefetch-Control. Setting this header stops the browser from prefetching the DNS of the links beforehand, so the lookups do not show up from the perspective of an observer using wireshark.
So to do this I will need to set up a demo folder, and install express and helmet.
I put the version numbers in to indicate what versions I am using in this demo, so if you run into problems reproducing this, check the version numbers.
So in the public folder I put together a simple index.html file that I will serve up using express.static. This file just has some outgoing links to some websites.
It is true that if I were to click one of these links the DNS would have to be resolved for the domain. However the thing about DNS prefetching is that the browser will prefetch the DNS of these links even if I do not click on them. I have confirmed this by using wireshark, and sure enough that is the case with the latest version of chrome that I am using.
In this file I am just using helmet with the app.use method. By doing so it will always set the header to off, unless I override that with the allow option of dnsPrefetchControl.
When all is done I just started the app up the usual way from the command line.
I then went to localhost:8080 in the browser to see if it had any effect when looking at what is going on in wireshark. Sure enough, setting this header does get chrome to stop prefetching DNS, and now it only resolves a domain when I actually click a link, as expected.