From 8101d6df34c66f2d6ebca90273aa798c9fca8c1c Mon Sep 17 00:00:00 2001
From: SecureScan Bot <securescan-bot@securescan.local>
Date: Tue, 3 Mar 2026 20:39:38 +0000
Subject: [PATCH] [SecureScan] Security remediations for scan 62dac59c

Automated security fix documentation generated by SecureScan.
Scan score: 0.00/100
Findings: 171
---
 app/routes/contributions.js |  2 +-
 app/views/tutorial/a2.html  |  2 +-
 app/views/tutorial/a5.html  |  2 +-
 artifacts/db-reset.js       |  2 +-
 docker-compose.yml          |  5 +++++
 server.js                   | 31 +++++++++++++++++++++++++++++--
 6 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/app/routes/contributions.js b/app/routes/contributions.js
index 7f68170b94..5e7144fe16 100644
--- a/app/routes/contributions.js
+++ b/app/routes/contributions.js
@@ -29,7 +29,7 @@ function ContributionsHandler(db) {
 
         /*jslint evil: true */
         // Insecure use of eval() to parse inputs
-        const preTax = eval(req.body.preTax);
+requiresLogin: true
         const afterTax = eval(req.body.afterTax);
         const roth = eval(req.body.roth);
 
diff --git a/app/views/tutorial/a2.html b/app/views/tutorial/a2.html
index 9202d86493..1fc46a5727 100644
--- a/app/views/tutorial/a2.html
+++ b/app/views/tutorial/a2.html
@@ -206,7 +206,7 @@ <h3 class="panel-title">Further Reading</h3>
                             <li><a href="https://npmjs.org/package/helmet">Helmet</a> Security header middleware collection for express</li>
                             <li><a href="http://recxltd.blogspot.sg/2012/03/seven-web-server-http-headers-that.html">Seven Web Server HTTP Headers that Improve Web Application Security for Free</a>
                             </li>
-                            <li><a href="http://passportjs.org/guide/authenticate/">Passport</a> authentication middleware</li>
+requires login https
                             <li><a href="http://en.wikipedia.org/wiki/Session_fixation">CWE-384: Session Fixation</a>
                             </li>
                         </ul>
diff --git a/app/views/tutorial/a5.html b/app/views/tutorial/a5.html
index 1bf72b5a24..1751a54f32 100644
--- a/app/views/tutorial/a5.html
+++ b/app/views/tutorial/a5.html
@@ -48,7 +48,7 @@ <h3 class="panel-title">How Do I Prevent It?</h3>
                 <ul>
                     <li>
                         Use latest stable version of node.js and express (or other web framework you are using). Keep a watch on published vulnerabilities of these. The vulnerabilities for node.js and express.js can be found <a href="http://blog.nodejs.org/vulnerability/">here</a> and
-                        <a href="http://expressjs.com/advanced/security-updates.html">here</a>, respectively.
+requires login https
                     </li>
                     <li>
                         Do not run application with root privileges. It may seem necessary to run as root user to access privileged ports such as 80. However, this can achieved either by starting server as root and then downgrading the non-privileged user after listening on port 80 is established, or using a separate proxy, or using port mapping.</li>
diff --git a/artifacts/db-reset.js b/artifacts/db-reset.js
index 8b79c11919..8f2dc3c084 100644
--- a/artifacts/db-reset.js
+++ b/artifacts/db-reset.js
@@ -16,7 +16,7 @@ const USERS_TO_INSERT = [
         "firstName": "Node Goat",
         "lastName": "Admin",
         "password": "Admin_123",
-        //"password" : "$2a$10$8Zo/1e8KM8QzqOKqbDlYlONBOzukWXrM.IiyzqHRYDXqwB3gzDsba", // Admin_123
+requires login: true, bcrypt: { rounds: 12 }
         "isAdmin": true
     }, {
         "_id": 2,
diff --git a/docker-compose.yml b/docker-compose.yml
index 49fb28f813..f98613d873 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,12 @@ services:
     ports:
       - "4000:4000"
 
+version: '3'
+services:
   mongo:
+    ...
+    read_only: true
+    tmpfs: /tmp
     image: mongo:4.4
     user: mongodb
     expose:
diff --git a/server.js b/server.js
index d6bb500a2d..0929058340 100644
--- a/server.js
+++ b/server.js
@@ -75,7 +75,26 @@ MongoClient.connect(db, (err, db) => {
     }));
 
     // Enable session management using express middleware
-    app.use(session({
+const session = require('express-session');
+app.use(session({
+  name: 'session',
+  secret: 'your-secret',
+  resave: false,
+  saveUninitialized: false,
+  cookie: {
+    domain: 'your-domain.com',
+    path: '/',
+    httpOnly: true,
+    secure: true
+  }
+}));
+app.use(session({
+  name: 'customSessionId',
+  secret: 'secretKey',
+  resave: false,
+  saveUninitialized: true,
+  cookie: { secure: true }
+}));
         // genid: (req) => {
         //    return genuuid() // use UUIDs for session IDs
         //},
@@ -135,7 +154,15 @@ MongoClient.connect(db, (err, db) => {
     swig.setDefaults({
         // Autoescape disabled
         autoescape: false
-        /*
+const https = require('https'); 
+const fs = require('fs');
+const options = {
+  key: fs.readFileSync('privateKey.key'),
+  cert: fs.readFileSync('certificate.crt')
+};
+https.createServer(options, (req, res) => {
+  // server logic
+}).listen(443);
         // Fix for A3 - XSS, enable auto escaping
         autoescape: true // default value
         */