Sigmund, Dominik authored
fix index.d

See merge request !5
da4a65a7

security

Sets HTTP response headers to a very safe style. The defaults may be overridden by config.

Installation

  • npm install --save @libs/security

Usage

const Security = require('@libs/security')
const security = new Security(options)
app.use(security.setHeaders)

Options

Headers

This is the list of headers with their option names and default values:

| Header | Option | Default Value |
|---|---|---|
| Cache-Control | CacheControl | no-cache, no-store, must-revalidate |
| Pragma | Pragma | no-cache |
| Expires | Expires | 0 |
| Content-Security-Policy | ContentSecurityPolicy | default-src 'self'; frame-ancestors 'none' |
| X-XSS-Protection | XXSSProtection | 1; mode=block |
| X-DNS-Prefetch-Control | XDNSPrefetchControl | off |
| Expect-CT | ExpectCT | report-uri="/_report", enforce, max-age=30 |
| X-Frame-Options | XFrameOptions | deny |
| X-Powered-By | XPoweredBy | true |
| Strict-Transport-Security | StrictTransportSecurity | max-age=30 |
| X-Download-Options | XDownloadOptions | noopen |
| X-Content-Type-Options | XContentTypeOptions | nosniff |
| X-Permitted-Cross-Domain-Policies | XPermittedCrossDomainPolicies | none |
| Referrer-Policy | ReferrerPolicy | no-referrer |

Allowed Methods

The option allowedMethods is an array of allowed HTTP methods.
By default it is set to ['GET', 'POST', 'PUT', 'DELETE'], disallowing e.g. HEAD.

You may set this array to whatever you like; we recommend making it even more restrictive if possible.

A read-only API may set allowedMethods: ['GET']

Only Defined Routes

The option onlyDefinedRoutes may be set to true (default: false).

Then only explicitly defined routes are allowed by the Express router; all other attempts receive a status 405.

To define routes, use the option definedRoutes, which expects an array of routes.

You may also define regex definitions for routes by prefixing them with REGEX:.
Beware of escaping!

Example: REGEX:\\/id\\/\\d{1,}
Allows: /id/NUMBER where NUMBER is one or more digits, i.e. any integer from 0 upwards

We discourage the use of rules like /.* (which allows all routes);
it is better to define all known routes.
So if you have a route like /items/:id defined, you should add all ids to your array of defined routes ...
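The following is an added example, not the code of the @libs/security package itself, showing how a middleware built from the options above behaves: it applies the header defaults from the table (overridable by the option names listed there), rejects methods outside allowedMethods with 405, and, when onlyDefinedRoutes is on, rejects paths that match no entry of definedRoutes, compiling REGEX: entries into anchored regular expressions. The function names (createSecurity, simulate), the mock request/response objects used so that it runs without Express, and the reading of XPoweredBy: true as "strip the X-Powered-By header" are assumptions.

```javascript
// Added example (not the @libs/security package's own code).
// Option names and default values come from the README table above;
// createSecurity, simulate and the mock req/res objects are assumptions.
const DEFAULT_HEADERS = {
  'Cache-Control': 'no-cache, no-store, must-revalidate',
  'Pragma': 'no-cache',
  'Expires': '0',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-XSS-Protection': '1; mode=block',
  'X-DNS-Prefetch-Control': 'off',
  'Expect-CT': 'report-uri="/_report", enforce, max-age=30',
  'X-Frame-Options': 'deny',
  'Strict-Transport-Security': 'max-age=30',
  'X-Download-Options': 'noopen',
  'X-Content-Type-Options': 'nosniff',
  'X-Permitted-Cross-Domain-Policies': 'none',
  'Referrer-Policy': 'no-referrer',
};

// Option name as used in the README: the header name with the dashes removed.
function optionName(header) { return header.replace(/-/g, ''); }

// A 'REGEX:' entry becomes an anchored RegExp (the README example
// 'REGEX:\\/id\\/\\d{1,}' is a JS string literal, hence the doubled
// backslashes); any other entry must equal the request path exactly.
function compileRoute(rule) {
  if (rule.startsWith('REGEX:')) return new RegExp('^' + rule.slice('REGEX:'.length) + '$');
  return rule;
}

function createSecurity(options = {}) {
  const allowedMethods = options.allowedMethods || ['GET', 'POST', 'PUT', 'DELETE'];
  const routes = (options.definedRoutes || []).map(compileRoute);
  // Resolve each header: option value if given, README default otherwise.
  const headers = {};
  for (const [name, def] of Object.entries(DEFAULT_HEADERS)) {
    const override = options[optionName(name)];
    headers[name] = override === undefined ? def : override;
  }
  // Assumption: XPoweredBy true (the default) means the header is removed.
  const stripPoweredBy = options.XPoweredBy === undefined ? true : options.XPoweredBy;

  function setHeaders(req, res, next) {
    // Security headers are set first so that even 405 responses carry them.
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (stripPoweredBy) res.removeHeader('X-Powered-By');
    if (!allowedMethods.includes(req.method)) { res.status(405).end(); return; }
    if (options.onlyDefinedRoutes) {
      const known = routes.some(r => (r instanceof RegExp ? r.test(req.path) : r === req.path));
      if (!known) { res.status(405).end(); return; }
    }
    next();
  }
  return { setHeaders, headers };
}

// Minimal stand-in for an Express response (Express itself would set X-Powered-By).
function mockResponse() {
  const res = { statusCode: 200, headers: { 'X-Powered-By': 'Express' }, ended: false };
  res.status = (code) => { res.statusCode = code; return res; };
  res.end = () => { res.ended = true; return res; };
  res.setHeader = (name, value) => { res.headers[name] = value; };
  res.removeHeader = (name) => { delete res.headers[name]; };
  return res;
}

// Push one constructed request through the middleware and report what happened.
function simulate(options, method, path) {
  const { setHeaders } = createSecurity(options);
  const res = mockResponse();
  let nextCalled = false;
  setHeaders({ method, path }, res, () => { nextCalled = true; });
  return { status: res.statusCode, nextCalled, headers: res.headers };
}

// Constructed sample requests.
console.log(simulate({}, 'HEAD', '/').status);                               // 405: HEAD is not in the default list
console.log(simulate({ onlyDefinedRoutes: true,
  definedRoutes: ['/health', 'REGEX:\\/id\\/\\d{1,}'] }, 'GET', '/id/42').status); // 200
console.log(simulate({ onlyDefinedRoutes: true,
  definedRoutes: ['/health', 'REGEX:\\/id\\/\\d{1,}'] }, 'GET', '/id/abc').status); // 405
```

Note that the anchored compile of REGEX: rules is what keeps a pattern such as `\\/id\\/\\d{1,}` from also matching `/id/42/delete`; a rule like `/.*`, which the README discourages, would match every path regardless of anchoring.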

Examples

Run these and check the result with your favorite testing tool, e.g. nikto or zap.

Default

You should create SSL keys first to enable the https example:
openssl req -x509 -newkey rsa:4096 -keyout examples/default/private.key -out examples/default/certificate.crt -days 365 -nodes

node examples/default/index.js

unsave

node examples/unsave/index.js

Author

Dominik Sigmund dominik.sigmund@br.de

Contribution

Header

To add a header, create a fork, then a branch, and add the header to:

  • index.js
  • index.test.js
  • README.md

Then run the tests and the mutation tests.

After that, create a pull request and state the function of the header.

Other Functions

Same as above; just make sure the function makes the app even more secure.