{"id":13779492,"url":"https://github.com/koajs/koa-lusca","last_synced_at":"2025-06-11T13:03:46.017Z","repository":{"id":17504426,"uuid":"20292287","full_name":"koajs/koa-lusca","owner":"koajs","description":"koa version of lusca. Application security for koa.","archived":false,"fork":false,"pushed_at":"2022-02-12T07:46:12.000Z","size":120,"stargazers_count":66,"open_issues_count":6,"forks_count":10,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-06-03T22:16:49.969Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/koajs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null}},"created_at":"2014-05-29T11:58:37.000Z","updated_at":"2024-07-19T23:54:16.000Z","dependencies_parsed_at":"2022-08-02T19:30:30.187Z","dependency_job_id":null,"html_url":"https://github.com/koajs/koa-lusca","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koajs%2Fkoa-lusca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koajs%2Fkoa-lusca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koajs%2Fkoa-lusca/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koajs%2Fkoa-lusca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/koajs","download_url":"https://codeload.github.com/koajs/koa-lusca/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koajs%2Fkoa-lusca/sbo
m","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":258643517,"owners_count":22734824,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T18:01:05.847Z","updated_at":"2025-06-11T13:03:45.957Z","avatar_url":"https://github.com/koajs.png","language":"JavaScript","funding_links":[],"categories":["Middleware","仓库"],"sub_categories":["中间件"],"readme":"# koa-lusca\n\n[![NPM version][npm-image]][npm-url]\n[![build status][travis-image]][travis-url]\n[![Test coverage][coveralls-image]][coveralls-url]\n[![Gittip][gittip-image]][gittip-url]\n[![David deps][david-image]][david-url]\n[![npm download][download-image]][download-url]\n\n[npm-image]: https://img.shields.io/npm/v/koa-lusca.svg?style=flat-square\n[npm-url]: https://npmjs.org/package/koa-lusca\n[travis-image]: https://img.shields.io/travis/koajs/koa-lusca.svg?style=flat-square\n[travis-url]: https://travis-ci.org/koajs/koa-lusca\n[coveralls-image]: https://img.shields.io/coveralls/koajs/koa-lusca.svg?style=flat-square\n[coveralls-url]: https://coveralls.io/r/koajs/koa-lusca?branch=master\n[gittip-image]: https://img.shields.io/gittip/fengmk2.svg?style=flat-square\n[gittip-url]: https://www.gittip.com/fengmk2/\n[david-image]: https://img.shields.io/david/koajs/koa-lusca.svg?style=flat-square\n[david-url]: https://david-dm.org/koajs/koa-lusca\n[download-image]: https://img.shields.io/npm/dm/koa-lusca.svg?style=flat-square\n[download-url]: https://npmjs.org/package/koa-lusca\n\nWeb application security middleware for koa.\n\nFork from 
[lusca](https://github.com/krakenjs/lusca), [krakenjs/lusca#26](https://github.com/krakenjs/lusca/pull/26).\n\n## Usage\n\n```js\nvar koa = require('koa');\nvar lusca = require('koa-lusca');\nvar app = koa();\n\napp.use(lusca({\n  csrf: true,\n  csp: { /* ... */},\n  xframe: 'SAMEORIGIN',\n  p3p: 'ABCDEF',\n  hsts: { maxAge: 31536000, includeSubDomains: true },\n  xssProtection: true\n}));\n```\n\nSetting any value to `false` will disable it. Alternatively, you can opt into methods one by one:\n\n```js\napp.use(lusca.csrf());\napp.use(lusca.csp({/* ... */}));\napp.use(lusca.xframe({ value: 'SAMEORIGIN' }));\napp.use(lusca.p3p({ value: 'ABCDEF' }));\napp.use(lusca.hsts({ maxAge: 31536000 }));\napp.use(lusca.xssProtection());\n```\n\n## API\n\n### lusca.csrf(options)\n\n* `key` String - Optional. The name of the CSRF token added to the model. Defaults to `_csrf`.\n* `secret` String - Optional. The key to place on the session object which maps to the server side token. Defaults to `_csrfSecret`.\n* `impl` Function - Optional. Custom implementation to generate a token.\n\nEnables [Cross Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_\\(CSRF\\)) (CSRF) headers.\n\nIf enabled, the CSRF token must be in the payload when modifying data or you will receive a *403 Forbidden*. To send the token you'll need to echo back the `_csrf` value you received from the previous request.\n\n### lusca.csp(options)\n\n* `options.policy` String, Object, or an Array - Object definition of policy. 
Valid policy examples include:\n    * `{\"default-src\": \"*\"}`\n    * `\"referrer no-referrer\"`\n    * `[{ \"img-src\": \"'self' http:\" }, \"block-all-mixed-content\"]`\n* `options.reportOnly` Boolean - Enable report only mode.\n* `options.reportUri` String - URI where to send the report data.\n\nEnables [Content Security Policy](https://www.owasp.org/index.php/Content_Security_Policy) (CSP) headers.\n\n#### Example Options\n\n```js\n// Everything but images can only come from own domain (excluding subdomains)\n{\n  policy: {\n    'default-src': '\\'self\\'',\n    'img-src': '*'\n  }\n}\n```\n\nSee the [MDN CSP usage](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy) page for more information on available policy options.\n\n### lusca.xframe(value)\n\n* `value` String - Required. The value for the header, e.g. DENY, SAMEORIGIN or ALLOW-FROM uri.\n\nEnables X-FRAME-OPTIONS headers to help prevent [Clickjacking](https://www.owasp.org/index.php/Clickjacking).\n\n### lusca.p3p(value)\n\n* `value` String - Required. The compact privacy policy.\n\nEnables [Platform for Privacy Preferences Project](http://support.microsoft.com/kb/290333) (P3P) headers.\n\n### lusca.hsts(options)\n\n* `options.maxAge` Number - Required. Number of seconds HSTS is in effect.\n* `options.includeSubDomains` Boolean - Optional. Applies HSTS to all subdomains of the host.\n\nEnables [HTTP Strict Transport Security](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security) for the host domain. The preload flag is required for HSTS domain submissions to [Chrome's HSTS preload list](https://hstspreload.appspot.com).\n\n### lusca.xssProtection(options)\n\n* `options.enabled` Boolean - Optional. If the header is enabled or not (see header docs). Defaults to `1`.\n* `options.mode` String - Optional. Mode to set on the header (see header docs). 
Defaults to `block`.\n\nEnables [X-XSS-Protection](http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx) headers to help prevent cross site scripting (XSS) attacks in older IE browsers (IE8).\n\n## License\n\n- Original License: Apache License, Version 2.0, Copyright (C) 2014 eBay Software Foundation\n- Now: [MIT](LICENSE.txt)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkoajs%2Fkoa-lusca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkoajs%2Fkoa-lusca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkoajs%2Fkoa-lusca/lists"}