Web application security middleware for node.js
slides.forbesl.co.uk
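// Mount lusca once with every protection configured in a single options object.
var express = require('express');
var lusca = require('lusca');
var app = express();
app.use(lusca({
  // Makes _csrf available in views; that token must be echoed back on later POSTs.
  csrf: true,
  csp: {
    policy: {
      // CSP keywords are quoted inside the header value: an unquoted `none`
      // would be read as a host-source named "none" rather than the 'none'
      // keyword (compare the quoted 'self' below).
      'default-src': '\'none\'',
      'script-src': '\'self\' https://apis.google.com'
    },
    // Endpoint that receives violation reports.
    reportUri: '/report-violation'
  },
  // Only same-origin pages may frame this site.
  xframe: 'SAMEORIGIN',
  // maxAge is in seconds (31536000 = 365 days); the policy also covers sub-domains.
  hsts: {maxAge: 31536000, includeSubDomains: true},
  // Sets the IE8-era X-XSS-Protection header.
  xssProtection: true
}));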
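// Same configuration as the single-call form, but each protection is mounted
// as its own middleware so they can be applied selectively.
var express = require('express');
var lusca = require('lusca');
var app = express();
// Makes _csrf available in views; that token must be echoed back on later POSTs.
app.use(lusca.csrf());
app.use(lusca.csp({
  policy: {
    // CSP keywords are quoted inside the header value: an unquoted `none`
    // would be read as a host-source named "none" rather than the 'none'
    // keyword (compare the quoted 'self' below).
    'default-src': '\'none\'',
    'script-src': '\'self\' https://apis.google.com'
  },
  // Endpoint that receives violation reports.
  reportUri: '/report-violation'
}));
// Only same-origin pages may frame this site.
app.use(lusca.xframe('SAMEORIGIN'));
// maxAge is in seconds (31536000 = 365 days); includeSubDomains matches the
// single-call example so both forms emit the same HSTS policy.
// (The original line was missing its closing parenthesis.)
app.use(lusca.hsts({ maxAge: 31536000, includeSubDomains: true }));
// Sets the IE8-era X-XSS-Protection header.
// (The original line was missing its closing parenthesis.)
app.use(lusca.xssProtection(true));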
Makes _csrf available in views and requires that value to be echoed back
in any subsequent POST requests.
options.key - the name of the CSRF token (default: _csrf)
options.impl - custom function to generate the token
Adds CSP headers.
options.policy - object specifying the policy (see: https://www.owasp.org/index.php/Content_Security_Policy)
options.reportUri - URI to report violations to
options.reportOnly - set this to true if you only want to report, but not block, violations
Control where the site can appear in an iframe:
Enforce strict transport security
options.maxAge - Number of seconds HSTS is in effect.
options.includeSubDomains - set to true to include sub-domains.
IE8 XSS protection headers.
options.enabled - defaults to true
options.mode - defaults to block
slides.forbesl.co.uk
Twitter: @ForbesLindesay
GitHub: @ForbesLindesay
Blog: www.forbeslindesay.co.uk
Jade
Browserify Middleware
readable-email.org
brcdn.org
tempjs.org