This is amazing Lalit. Excellent work done. The feature to protect a page in (<2 mins) is wonderful. Great idea and implementation. I'm surely gonna use this, saves a lot of time. Loved the look and simplicity. Well done. Great job.
Keep up the amazing work Lalit, keep rocking 🥳
Thanks a lot Savio!
This means a lot. Glad you liked my project.
By the way, your project CodeHouse is also super awesome.
This is next-level work. A password-protected site in just two minutes. Awesome!!
Thanks a lot Gaurav Tewari
Glad you liked it
Regarding the security: in
const bcryptHashedPassword = bcrypt.hashSync(reversedSHAHash, 5);
the 5 is the salt rounds, or cost factor. The total number of rounds/times hashed = 2 ^ (salt rounds), so your implementation hashes the password 32 times. Nowadays, bcrypt libraries use a cost factor of 10 by default, i.e., 1024 rounds.
Oh I did not know about that at all!
Thanks a lot Amal Shaji
This is one product that I had been looking for. I always wanted to create something like this but never got the time.
Congratulations!
Thanks Aditya Mitra
Hope you liked it
Great thing. Good luck @lalit2005.
This is amazing Lalit, I have used this and it is awesome.
Thanks Shyam Ganesh
Hope you liked it :)
Awesome
Thanks Prince Codes
Hope you liked it
Wow! This saved my day!
Loved it
Going to use it to protect our small company's MRR details and analysis. Very handy indeed.
Thanks for the project Lalit!!
Happy to see StaticShield in wild!
Thanks Yafet Shah
This is awesome man!! The UI sure does give the Vercel vibe. Great job with the implementation.
This means a lot. Thank you so much Rutik Wankhade
Now this is a really good product idea, good job Lalit
Thank you so much Andrew Baisden
The idea is really nice, but since this is client-side, it can easily be avoided: https://disk.yandex.com/i/u_yuF6BhxMVF2Q
I can just block the entire staticshield.vercel.app domain and add some custom CSS to bypass staticshield.
This is not a very secure solution.
Also, the page that informs you that you need to enable JavaScript ( https://staticshield.vercel.app/errors/noscript ) does not work without JavaScript.
Hello Piotr Badełek, I am aware that you can bypass it now. I am currently fixing all these issues with greater security in place. This will be out soon. For now, you can use it with apps that have non-developer users.
"staticshield.vercel.app/errors/noscript )... does not work without javascript"
Yeah, I've noticed it. I'm finding a solution to avoid this. I'll be fixing this soon.
This is really really awesome. Good luck Lalit
Thanks Jake David π
Lalit, your site and work look amazing. Keep up the great work. But does it really work? Scripting-based security can be manipulated in the browser. One can block the script in the browser and access the secured page even without a password.
- Block the script in the browser.
- Unhide staticshield-div
And there you go, you can see the secured page, no matter how many times it is hashed :p
Maybe this can be used as a quick solution but certainly not to make anything secure.
Please let me know if I am missing anything.
Thanks SHOBHIT RASTOGI, glad you liked StaticShield
"One can block the script in browser and can access the secured page even without password."
I have taken that into account. If JavaScript is blocked from executing, the <noscript> tag instantly gets activated, which then redirects the page here, which asks the user to enable JavaScript (and links them to a guide). Moreover, JavaScript frameworks like React and Vue require JS to render and paint the screen itself.
"Unhide staticshield-div"
When a password-protected site loads, the rendered HTML is not displayed, with the help of CSS. And as soon as the JavaScript script loads, the user is redirected to the login page if no valid token exists.
Removing the staticshield-div class is practically not possible, because the rendering of HTML and CSS usually happens in milliseconds, and opening the DevTools and removing the staticshield-div class in this short period of time is practically impossible.
Frameworks like Next.js (version 11) prioritize the execution of client JS scripts before the rendering of HTML and CSS when the strategy is set to beforeInteractive. More info here
Please do let me know your queries
Lalit, the request is blocked not in real time. Please check this, you might understand what I am trying to say. Thanks,
Thanks for the response SHOBHIT RASTOGI
The link seems to be broken, can you please check it?
Thanks
SHOBHIT RASTOGI That was a good catch! I did not know that you can block certain requests with Chrome DevTools.
I just pushed a solution for it!! I have updated only the with-html example. I will be updating the others soon.
Here's a demo
SHOBHIT RASTOGI This is an excellent catch. I didn't think of it this way. Another concern is the way security is handled in the backend. In this block of code, the TOKEN_SECRET is manually added to the token.
Now I can mint my own tokens
Amal Shaji That is an excellent observation.
Amal Shaji, I do not know why jwt.io shows the signature is verified, but the JWT is signed with a different key (JWT_TOKEN) and the "." is replaced with another key (TOKEN_SECRET).
Lalit, the signature gets verified only when the tokens are the same. I did not introduce any external factors; all the variables are derived from the token presented to me after a login.
Liked your project idea a lot!!!
Glad you liked my project Candy Tsai π
This is simply amazing. Authorization is a notoriously common thing to do wrong. To just automate it, what a brilliant idea!
What about privacy, though?
Thanks for the kind words Miloslav 🏳️‍🌈 Voloskov
What about privacy, though?
Do you mean users' privacy? If yes, all user data is handled by Auth0, which is trusted by many companies. StaticShield accesses only the email, name, nickname, profile picture and user ID of users.
Please do let me know your queries
Lalit, Auth0? Nice! I'll definitely give it a try then
I'm looking forward to it Miloslav 🏳️‍🌈 Voloskov