lusca

Web application security middleware for node.js

slides.forbesl.co.uk

Express

  • The most popular web application framework for node.js
  • Comes with very few security features as standard
  • Used by PayPal

Express

var express = require('express');
var lusca = require('lusca');

var app = express();

app.use(lusca({
    csrf: true,
    csp: {
      policy: {
        'default-src': 'none',
        'script-src': '\'self\' https://apis.google.com'
      },
      reportUri: '/report-violation'
    },
    xframe: 'SAMEORIGIN',
    hsts: {maxAge: 31536000, includeSubDomains: true},
    xssProtection: true
}));

Express

var express = require('express');
var lusca = require('lusca');

var app = express();

app.use(lusca.csrf());
app.use(lusca.csp({
  policy: {
    'default-src': 'none',
    'script-src': '\'self\' https://apis.google.com'
  },
  reportUri: '/report-violation'
}));
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.hsts({ maxAge: 31536000 }));
app.use(lusca.xssProtection(true));

Cross Site Request Forgery - lusca.csrf(options)

Makes _csrf available in views and requires that value to be echoed back in any subsequent POST requests.

  • options.key - the name of the CSRF token (default: _csrf)
  • options.impl - custom function to generate the token

Content Security Policy - lusca.csp(options)

Adds CSP headers.

  • options.policy - object specifying the policy (see: https://www.owasp.org/index.php/Content_Security_Policy)
  • options.reportUri - uri to report violations to
  • options.reportOnly - set this to true if you only want to report, but not block violations

Clickjacking - lusca.xframe(value)

Control where the site can appear in an iframe:

  • DENY
  • SAMEORIGIN
  • ALLOW-FROM uri

HTTP Strict Transport Security - lusca.hsts(options)

Enforces HTTP Strict Transport Security.

  • options.maxAge - Number of seconds HSTS is in effect.
  • options.includeSubDomains - set to true to include sub-domains.

XSS Protection - lusca.xssProtection(options)

IE8 XSS protection headers.

  • options.enabled - defaults to true
  • options.mode - defaults to block
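How the csp, xframe, hsts and xssProtection options above turn into header values, as an added example that is not lusca's own code. The functions return { name, value } pairs so the output can be inspected without express; securityHeaders() mirrors the combined lusca({...}) form from the earlier slide. The serialisation rules follow the Content-Security-Policy, X-Frame-Options, Strict-Transport-Security and X-XSS-Protection header formats and are an assumption about lusca's output, not its source. Note that this serializer emits policy values verbatim, so CSP keyword sources must carry their single quotes in the JavaScript string ("'none'", "'self'"); an unquoted none is parsed by browsers as a host name rather than the keyword.

```javascript
// Added example, not lusca's own code: plain functions that build the header
// values behind lusca.csp, lusca.xframe, lusca.hsts and lusca.xssProtection,
// returning { name, value } so the result can be inspected without express.
// The serialisation rules follow the CSP, X-Frame-Options, HSTS and
// X-XSS-Protection header formats; they are an assumption, not lusca's source.

function csp(options) {
  if (!options || typeof options.policy !== 'object') {
    throw new TypeError('csp: options.policy must be an object of directives');
  }
  // Values are emitted verbatim, so keyword sources must already carry their
  // single quotes ('self', 'none'); an unquoted none would be read as a host name.
  const directives = Object.keys(options.policy)
    .map((name) => name + ' ' + options.policy[name]);
  if (options.reportUri) {
    directives.push('report-uri ' + options.reportUri);     // options.reportUri
  }
  return {
    // options.reportOnly switches to the header that logs violations without blocking.
    name: options.reportOnly ? 'Content-Security-Policy-Report-Only'
                             : 'Content-Security-Policy',
    value: directives.join('; '),
  };
}

function xframe(value) {
  const v = String(value);
  const allowed = v === 'DENY' || v === 'SAMEORIGIN' || /^ALLOW-FROM \S+$/.test(v);
  if (!allowed) {
    throw new TypeError('xframe: expected DENY, SAMEORIGIN or "ALLOW-FROM <uri>"');
  }
  return { name: 'X-Frame-Options', value: v };
}

function hsts(options) {
  if (!options || !Number.isInteger(options.maxAge) || options.maxAge < 0) {
    throw new TypeError('hsts: options.maxAge must be a non-negative number of seconds');
  }
  let value = 'max-age=' + options.maxAge;                   // options.maxAge
  if (options.includeSubDomains) {
    value += '; includeSubDomains';                          // options.includeSubDomains
  }
  return { name: 'Strict-Transport-Security', value: value };
}

function xssProtection(options) {
  // lusca.xssProtection(true) and an options object are both accepted.
  const opts = (options && typeof options === 'object') ? options : {};
  const enabled = opts.enabled !== false;                    // options.enabled, default true
  const mode = opts.mode || 'block';                         // options.mode, default block
  return { name: 'X-XSS-Protection', value: enabled ? '1; mode=' + mode : '0' };
}

// Mirrors the combined lusca({...}) form: one config object, one header map.
function securityHeaders(config) {
  const headers = {};
  const pieces = [];
  if (config.csp) pieces.push(csp(config.csp));
  if (config.xframe) pieces.push(xframe(config.xframe));
  if (config.hsts) pieces.push(hsts(config.hsts));
  if (config.xssProtection) pieces.push(xssProtection(config.xssProtection));
  for (const h of pieces) headers[h.name] = h.value;
  return headers;
}

// The slide's configuration, with the CSP keywords quoted as the header requires.
console.log(securityHeaders({
  csp: {
    policy: { 'default-src': "'none'", 'script-src': "'self' https://apis.google.com" },
    reportUri: '/report-violation',
  },
  xframe: 'SAMEORIGIN',
  hsts: { maxAge: 31536000, includeSubDomains: true },
  xssProtection: true,
}));
```

Feeding each returned pair to res.setHeader(name, value) inside a (req, res, next) function gives the middleware shape the slides use; the validation in xframe() and hsts() rejects a misspelt value at startup rather than silently sending a header browsers will ignore.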

Forbes Lindesay

slides.forbesl.co.uk

Social Networks

Twitter: @ForbesLindesay

GitHub: @ForbesLindesay

Blog: www.forbeslindesay.co.uk

Open Source

Jade

Browserify Middleware

readable-email.org

brcdn.org

tempjs.org