Skip to content

koa-modules/koa-lusca

BranchesTags
 
 

Repository files navigation

koa-lusca

NPM version build status Test coverage Gittip David deps npm download

Web application security middleware for koa.

Fork from lusca, krakenjs/lusca#26.

Usage

var koa = require('koa');
var lusca = require('lusca');
var app = koa();

app.use(lusca({
  csrf: true,
  csp: { /* ... */},
  xframe: 'SAMEORIGIN',
  p3p: 'ABCDEF',
  hsts: { maxAge: 31536000, includeSubDomains: true },
  xssProtection: true
}));

Setting any value to false will disable it. Alternately, you can opt into methods one by one:

app.use(lusca.csrf());
app.use(lusca.csp({/* ... */}));
app.use(lusca.xframe({ value: 'SAMEORIGIN' }));
app.use(lusca.p3p({ value: 'ABCDEF' }));
app.use(lusca.hsts({ maxAge: 31536000 });
app.use(lusca.xssProtection();

API

lusca.csrf(options)

  • key String - Optional. The name of the CSRF token added to the model. Defaults to _csrf.
  • secret String - Optional. The key to place on the session object which maps to the server side token. Defaults to _csrfSecret.
  • impl Function - Optional. Custom implementation to generate a token.

Enables Cross Site Request Forgery (CSRF) headers.

If enabled, the CSRF token must be in the payload when modifying data or you will receive a 403 Forbidden. To send the token you'll need to echo back the _csrf value you received from the previous request.

lusca.csp(options)

  • options.policy Object - Object definition of policy.
  • options.reportOnly Boolean - Enable report only mode.
  • options.reportUri String - URI where to send the report data

Enables Content Security Policy (CSP) headers.

Example Options

// Everything but images can only come from own domain (excluding subdomains)
{
  policy: {
    'default-src': '\'self\'',
    'img-src': '*'
  }
}

See the MDN CSP usage page for more information on available policy options.

lusca.xframe(value)

  • value String - Required. The value for the header, e.g. DENY, SAMEORIGIN or ALLOW-FROM uri.

Enables X-FRAME-OPTIONS headers to help prevent Clickjacking.

lusca.p3p(value)

  • value String - Required. The compact privacy policy.

Enables Platform for Privacy Preferences Project (P3P) headers.

lusca.hsts(options)

  • options.maxAge Number - Required. Number of seconds HSTS is in effect.
  • options.includeSubDomains Boolean - Optional. Applies HSTS to all subdomains of the host

Enables HTTP Strict Transport Security for the host domain.

lusca.xssProtection(options)

  • options.enabled Boolean - Optional. If the header is enabled or not (see header docs). Defaults to 1.
  • options.mode String - Optional. Mode to set on the header (see header docs). Defaults to block.

Enables X-XSS-Protection headers to help prevent cross site scripting (XSS) attacks in older IE browsers (IE8)

License

  • Original License: Apache License, Version 2.0, Copyright (C) 2014 eBay Software Foundation
  • Now: MIT

About

koa version of lusca. Application security for koa.

Resources

Readme

License

View license

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

6 tags

Packages

 
 
 

Contributors

Languages

  • JavaScript 100.0%