Best Practices Document #819
Comments
@nodejs/tsc We're about to create a pull request for the final review of this document. However, I'm not quite sure in which part of our documentation it would fit. Any advice? While the Threat Model will take place on |
We try to keep the top-level md files to a minimum. It might be better to either put the threat model in |
It probably doesn't belong in the API reference docs but that's the one place we have user-facing documentation in the core repo. Maybe there's a sensible place within @nodejs/documentation @nodejs/website @nodejs/nodejs-dev |
At the first moment, I'm thinking to include it into |
Is this supposed to be a security guide for end users? Interesting. It could be added within the Suppose this is going to be actively maintained, then sure. Also, @RafaelGSS, we're deprecating the guides from nodejs.org, as they're not even indexed at all/there's no navigation/reference. |
Yes, that's supposed to be a security guide for end users.
Wow, that's good to know. We're actively sending content there on the Diagnostics WG (see nodejs/diagnostics#502). How can I include it in the Learn pages? Is there a similar PR I can use as a base? |
I think the recently-updated and actively-maintained stuff is safe. This can be added there as well. If/when we completely eliminate the guides section, we'll move the few actively-maintained things somewhere else and put in a redirect. (Pinging @nodejs/build to confirm that adding a redirect in our nginx or whatever would be No Big Deal™.) |
Alright, so I'll create the content there for now (nodejs.org/guides). Happy to help in the migration when the time comes. |
https://github.com/nodejs/nodejs.dev/tree/main/content/learn |
I was looking at the 'Learn' content and it doesn't seem to fit there. The main reason is that all the content there looks like a real tutorial (for instance, how to manipulate files), and the Security Best Practices should be used as a reference/guide. It's not a tutorial at all. |
I'd agree with that assessment. I want to definitely avoid scope creep in both places, so if it definitely fits in one and not the other, let's put it where it fits. |
@Trott let's figure out during the next meeting about how to fit guides on nodejs.dev, we need somehow to be able to grab the essentials. |
It's also possible that it lives someplace that isn't the website, but yeah, we need to figure out what that correct, official, authoritative place would be. (Seems like the website or maybe the GitHub repo are the two logical places.) |
Maybe we end up mashing the tutorial and the guides into one section, with a very small number of tutorials in one subsection and a very small number of guides in the other subsection. Just an idea, though. Open to other ideas, of course. |
This issue is just to keep tracking the work we've been doing in the Security WG. We've created a Best practices document targeting Node.js users.
This document intends to extend the current threat model and provide extensive guidelines (attacks explained, mitigations, etc.) on how to secure a Node.js application. It may change over releases.
Normally, the discussion around this document happens in the OpenJS Foundation slack (#nodejs-discussion-security-model and nodejs-security-wg). Feel free to contribute.