# security

Sets HTTP response headers to a very safe style. Every default may be overridden by config.

## Installation

- `npm install --save @libs/security`

## Usage

```js
const Security = require('@libs/security')
const security = new Security(options)
app.use(security.setHeaders)
```

## Options

### Headers

This is the list of headers that are set, with the option name used to override each one and its default value:

| Header | Option | Default Value |
| ------- | ------ | ------------- |
| [Cache-Control](https://developer.mozilla.org/en/docs/Web/HTTP/Headers/Cache-Control)  | CacheControl  | no-cache, no-store, must-revalidate |
| [Pragma](https://developer.mozilla.org/en/docs/Web/HTTP/Headers/Pragma) | Pragma | no-cache |
| [Expires](https://developer.mozilla.org/en/docs/Web/HTTP/Headers/Expires) | Expires | 0 |
| [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) | ContentSecurityPolicy | default-src 'self'; frame-ancestors 'none' |
| [X-XSS-Protection](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection) | XXSSProtection | 1; mode=block |
| [X-DNS-Prefetch-Control](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control) | XDNSPrefetchControl | off |
| [Expect-CT](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT) | ExpectCT | report-uri="/_report", enforce, max-age=30 |
| [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) | XFrameOptions | deny |
| [X-Powered-By](https://blog.rapid7.com/2019/12/06/hidden-helpers-security-focused-http-headers-to-protect-against-vulnerabilities/) | XPoweredBy | true |
| [Strict-Transport-Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) | StrictTransportSecurity | max-age=30 |
| [X-Download-Options](https://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions) | XDownloadOptions | noopen |
| [X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) | XContentTypeOptions | nosniff |
| [X-Permitted-Cross-Domain-Policies](https://helmetjs.github.io/docs/crossdomain/) | XPermittedCrossDomainPolicies | none |
| [Referrer-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) | ReferrerPolicy | no-referrer |

### Allowed Methods

The option _allowedMethods_ is an array of allowed HTTP methods.  
By default it is set to `['GET', 'POST', 'PUT', 'DELETE']`, disallowing e.g. _HEAD_.

You may set this array to whatever you like; we recommend making it even more restrictive if possible.

A read-only API may set `allowedMethods: ['GET']`.

### Only Defined Routes

The option _onlyDefinedRoutes_ may be set to _true_ (default: _false_).

Then only explicitly defined routes are allowed by the express router;
all other attempts receive status _405_.

To define routes, use the option _definedRoutes_, which expects an array of routes.

You may also define regex rules for routes by prefixing them with __REGEX:__.  
Beware of escaping!

Example: `REGEX:\\/id\\/\\d{1,}`  
Allows: _/id/NUMBER_ where NUMBER is a number of one or more digits (0 upward).

We discourage the use of rules like _/.*_ (which allows all routes);  
it is better to define all known routes.  
So if you have a route like _/items/:id_ defined, you should add all ids to your array of defined routes ...

## Examples

Run these and check the results with your favorite testing tool, e.g. nikto or OWASP ZAP.

### Default

You should create a self-signed TLS key and certificate first to enable the HTTPS example:  
`openssl req -x509 -newkey rsa:4096 -keyout examples/default/private.key -out examples/default/certificate.crt -days 365 -nodes`

`node examples/default/index.js`

### Unsafe

`node examples/unsave/index.js`

## Author

Dominik Sigmund <dominik.sigmund@br.de>

## Contribution

### Header

To add a header, create a fork, then a branch, and add the header to:

- index.js
- index.test.js
- README.md

Then run the tests and the mutation tests.

After that, create a pull request and state the function of the header.

### Other Functions

Same as above; just make sure the function secures the app even more.