koajs / koa-lusca

koa version of lusca. Application security for koa.
Other
66 stars 10 forks source link

koa-lusca

NPM version build status Test coverage Gittip David deps npm download

Web application security middleware for koa.

Fork from lusca, krakenjs/lusca#26.

Usage

var koa = require('koa');
var lusca = require('koa-lusca');
var app = koa();

app.use(lusca({
  csrf: true,
  csp: { /* ... */},
  xframe: 'SAMEORIGIN',
  p3p: 'ABCDEF',
  hsts: { maxAge: 31536000, includeSubDomains: true },
  xssProtection: true
}));

Setting any value to false will disable it. Alternately, you can opt into methods one by one:

app.use(lusca.csrf());
app.use(lusca.csp({/* ... */}));
app.use(lusca.xframe({ value: 'SAMEORIGIN' }));
app.use(lusca.p3p({ value: 'ABCDEF' }));
app.use(lusca.hsts({ maxAge: 31536000 });
app.use(lusca.xssProtection();

API

lusca.csrf(options)

Enables Cross Site Request Forgery (CSRF) headers.

If enabled, the CSRF token must be in the payload when modifying data or you will receive a 403 Forbidden. To send the token you'll need to echo back the _csrf value you received from the previous request.

lusca.csp(options)

Enables Content Security Policy (CSP) headers.

Example Options

// Everything but images can only come from own domain (excluding subdomains)
{
  policy: {
    'default-src': '\'self\'',
    'img-src': '*'
  }
}

See the MDN CSP usage page for more information on available policy options.

lusca.xframe(value)

Enables X-FRAME-OPTIONS headers to help prevent Clickjacking.

lusca.p3p(value)

Enables Platform for Privacy Preferences Project (P3P) headers.

lusca.hsts(options)

Enables HTTP Strict Transport Security for the host domain. The preload flag is required for HSTS domain submissions to Chrome's HSTS preload list

lusca.xssProtection(options)

Enables X-XSS-Protection headers to help prevent cross site scripting (XSS) attacks in older IE browsers (IE8)

License