https://github.com/mamboer/koa-luscax
Web application security middleware for the latest koa 2.x.
- Host: GitHub
- URL: https://github.com/mamboer/koa-luscax
- Owner: mamboer
- License: other
- Created: 2019-04-19T12:35:54.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2019-05-11T08:20:30.000Z (about 6 years ago)
- Last Synced: 2025-02-16T00:01:44.846Z (3 months ago)
- Topics: koa-lusca, koa-xlusca, lusca
- Language: JavaScript
- Size: 199 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.txt
- Security: SECURITY.md
README
# koa-luscax
[![NPM version][npm-image]][npm-url]
[![build status][travis-image]][travis-url]
[![Test coverage][coveralls-image]][coveralls-url]
[![David deps][david-image]][david-url]
[![npm download][download-image]][download-url]

[npm-image]: https://img.shields.io/npm/v/koa-luscax.svg?style=flat-square
[npm-url]: https://npmjs.org/package/koa-luscax
[travis-image]: https://img.shields.io/travis/mamboer/koa-luscax.svg?style=flat-square
[travis-url]: https://travis-ci.org/mamboer/koa-luscax
[coveralls-image]: https://img.shields.io/coveralls/mamboer/koa-luscax.svg?style=flat-square
[coveralls-url]: https://coveralls.io/r/mamboer/koa-luscax?branch=master
[david-image]: https://img.shields.io/david/mamboer/koa-luscax.svg?style=flat-square
[david-url]: https://david-dm.org/mamboer/koa-luscax
[download-image]: https://img.shields.io/npm/dm/koa-luscax.svg?style=flat-square
[download-url]: https://npmjs.org/package/koa-luscax

Web application security middleware for the latest koa 2.x.
Forked from [koa-lusca](https://github.com/chrisveness/koa-lusca).

> It's a pity that [koa-lusca](https://github.com/koajs/koa-lusca) has been out of maintenance for over 3 years, so I made this fork and re-released it as koa-luscax; let's keep it fresh.
## Usage
```js
const Koa = require('koa');
const lusca = require('koa-luscax');
const app = new Koa();

app.use(lusca({
  csrf: true,
  csp: { /* ... */ },
  xframe: 'SAMEORIGIN',
  p3p: 'ABCDEF',
  hsts: { maxAge: 31536000, includeSubDomains: true },
  xssProtection: true,
  referrerPolicy: 'same-origin'
}));
```

Setting any value to `false` will disable it. Alternately, you can opt into methods one by one:
```js
app.use(lusca.csrf());
app.use(lusca.csp({ /* ... */ }));
app.use(lusca.xframe({ value: 'SAMEORIGIN' }));
app.use(lusca.p3p({ value: 'ABCDEF' }));
app.use(lusca.hsts({ maxAge: 31536000 }));
app.use(lusca.xssProtection());
app.use(lusca.referrerPolicy('same-origin'));
```

## API
### lusca.csrf(options)

* `key` String - Optional. The name of the CSRF token added to the model. Defaults to `_csrf`.
* `secret` String - Optional. The key to place on the session object which maps to the server side token. Defaults to `_csrfSecret`.
* `impl` Function - Optional. Custom implementation to generate a token.

Enables [Cross Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_\(CSRF\)) (CSRF) headers.

If enabled, the CSRF token must be in the payload when modifying data or you will receive a *403 Forbidden*. To send the token you'll need to echo back the `_csrf` value you received from the previous request.
### lusca.csp(options)

* `options.policy` String, Object, or Array - Definition of the policy. Valid policy examples include:
    * `{"default-src": "*"}`
    * `"referrer no-referrer"`
    * `[{ "img-src": "'self' http:" }, "block-all-mixed-content"]`
* `options.reportOnly` Boolean - Enable report only mode.
* `options.reportUri` String - URI where to send the report data.

Enables [Content Security Policy](https://www.owasp.org/index.php/Content_Security_Policy) (CSP) headers.
#### Example Options

```js
// Everything but images can only come from own domain (excluding subdomains)
{
  policy: {
    'default-src': '\'self\'',
    'img-src': '*'
  }
}
```

See the [MDN CSP usage](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy) page for more information on available policy options.
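To see exactly which header a given `policy` / `reportOnly` / `reportUri` combination produces, here is an added serialiser covering the three documented policy shapes (example code, not koa-luscax's own); joining directives with `; `, treating an empty value as a bare directive and appending `report-uri` are this example's assumptions about the format.

```javascript
// Added example, not koa-luscax's own code: a hypothetical serialiser for the
// three documented `policy` shapes plus `reportOnly` / `reportUri`. The joining
// rules are assumptions modelled on the README's examples, not the package's
// real implementation.
function policyToString(policy) {
  if (typeof policy === 'string') return policy.trim();
  if (Array.isArray(policy)) {
    // Each element may itself be a string or an object; flatten in order.
    return policy.map(policyToString).filter(Boolean).join('; ');
  }
  if (policy && typeof policy === 'object') {
    return Object.keys(policy).map((directive) => {
      const raw = policy[directive];
      const value = Array.isArray(raw) ? raw.join(' ') : raw;
      // Valueless directives (e.g. block-all-mixed-content) stand alone.
      return value == null || value === '' ? directive : `${directive} ${value}`;
    }).join('; ');
  }
  throw new TypeError('csp policy must be a String, Object or Array');
}

// Returns the header name/value pair the options map to. Report-only mode only
// changes the header name; the policy text is identical.
function cspHeader({ policy, reportOnly = false, reportUri } = {}) {
  let value = policyToString(policy);
  if (reportUri) value += `; report-uri ${reportUri}`;
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { name, value };
}

// Koa-style middleware: compute the header once and set it on every response.
function csp(options) {
  const { name, value } = cspHeader(options);
  return async function cspMiddleware(ctx, next) {
    ctx.set(name, value);
    await next();
  };
}
```

Start with `reportOnly: true` and a `reportUri` when tightening an existing site's policy, so violations are logged rather than blocked while you discover what the pages actually load.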
### lusca.xframe(value)
* `value` String - Required. The value for the header, e.g. DENY, SAMEORIGIN or ALLOW-FROM uri.
Enables X-FRAME-OPTIONS headers to help prevent [Clickjacking](https://www.owasp.org/index.php/Clickjacking).
### lusca.p3p(value)
* `value` String - Required. The compact privacy policy.
Enables [Platform for Privacy Preferences Project](http://support.microsoft.com/kb/290333) (P3P) headers.
### lusca.hsts(options)

* `options.maxAge` Number - Required. Number of seconds HSTS is in effect.
* `options.includeSubDomains` Boolean - Optional. Applies HSTS to all subdomains of the host.

Enables [HTTP Strict Transport Security](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security) for the host domain. The preload flag is required for HSTS domain submissions to [Chrome's HSTS preload list](https://hstspreload.appspot.com).
### lusca.xssProtection(options)

* `options.enabled` Boolean - Optional. If the header is enabled or not (see header docs). Defaults to `1`.
* `options.mode` String - Optional. Mode to set on the header (see header docs). Defaults to `block`.

Enables [X-XSS-Protection](http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx) headers to help prevent cross site scripting (XSS) attacks in older IE browsers (IE8).
### lusca.cto()
Enables [X-Content-Type-Options](https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/) header to prevent MIME-sniffing a response away from the declared content-type.
### lusca.referrerPolicy(value)
* `value` String - Optional. The value for the header, e.g. `origin`, `same-origin`, `no-referrer`. Defaults to `` (empty string).
Enables [Referrer-Policy](https://www.w3.org/TR/referrer-policy/#intro) header to control the Referer header.
## License

- Original License: Apache License, Version 2.0, Copyright (C) 2014 eBay Software Foundation
- Now: [MIT](LICENSE.txt)

## Original Contributors of koa-lusca
- Jeff Harrell (https://github.com/jeffharrell)
- Jeff Harrell
- Erik Toth
- rragan
- skoranga
- Lenny Markus (https://github.com/lmarkus)
- totherik
- Lenny Markus
- Trevor
- Steve Stedman
- AlexSantos
- mstuart
- swesthafer
- Dmitry Shirokov (https://github.com/runk)
- Sahat Yalkabov
- fengmk2 (https://github.com/fengmk2)
- Anant Singh
- Aria Stewart (https://github.com/aredridel)
- Jean-Charles Sisk
- Matt Edelman
- Ilya Radchenko
- Poornima Venkat
- ali-sdk (https://github.com/ali-sdk)
- fundon
- Christoffer Hallas
- Geller
- Marek Fajkus (https://github.com/turboMaCk)
- Shawn (https://github.com/shaoshuai0102)
- Chris Veness