
    @plastdev/security

    2.0.0 • Public • Published

    security

    Sets response headers to a very safe default style. Every default may be overridden by config.

    Installation

    • npm install --save @plastdev/security

    Usage

    const security = require('@plastdev/security')
    app.use(security(options))

    Options

    Headers

    This is the list of headers with their option names and default values:

    Header                              Option                          Default Value
    ----------------------------------  ------------------------------  -------------------------------------------
    Cache-Control                       CacheControl                    no-cache, no-store, must-revalidate
    Pragma                              Pragma                          no-cache
    Expires                             Expires                         0
    Content-Security-Policy             ContentSecurityPolicy           default-src 'self'; frame-ancestors 'none'
    X-XSS-Protection                    XXSSProtection                  1; mode=block
    X-DNS-Prefetch-Control              XDNSPrefetchControl             off
    Expect-CT                           ExpectCT                        report-uri="/_report", enforce, max-age=30
    X-Frame-Options                     XFrameOptions                   deny
    X-Powered-By                        XPoweredBy                      true
    Strict-Transport-Security           StrictTransportSecurity         max-age=30
    X-Download-Options                  XDownloadOptions                noopen
    X-Content-Type-Options              XContentTypeOptions             nosniff
    X-Permitted-Cross-Domain-Policies   XPermittedCrossDomainPolicies   none
    Referrer-Policy                     ReferrerPolicy                  no-referrer

    Allowed Methods

    The option allowedMethods is an array of allowed HTTP methods.
    By default it is set to ['GET', 'POST', 'PUT', 'DELETE'], disallowing e.g. HEAD.

    You may set this array to whatever you like; we recommend making it even more restrictive if possible.

    A read-only API may set allowedMethods: ['GET']

    Only Defined Routes

    The Option onlyDefinedRoutes may be set to true (Default: false)

    Then only explicitly defined routes are allowed by the express router; all other requests receive status 405.

    To define routes, use the option definedRoutes, which expects an array of routes. No wildcard is allowed, as that would defeat the purpose of this ...

    So if you have a route like /items/:id defined, you should add all ids to your array of defined routes ...
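To show how the three option groups above (header overrides, allowedMethods and onlyDefinedRoutes/definedRoutes) interact, here is an added example: a minimal middleware written for this README that uses the same option names and defaults, plus a fake req/res harness so it runs without Express or a listening socket. It is not the @plastdev/security source. The names `security`, `simulate`, `optionName` and `DEFAULT_HEADERS` are this example's own; it assumes that XPoweredBy true means the X-Powered-By header is stripped, and that a disallowed method is answered with 405 (the README only states 405 for undefined routes).

```javascript
// Added example, not the @plastdev/security source: a small middleware
// with the README's option names, and a fake req/res so it runs offline.

// Defaults as listed in the README's header table.
const DEFAULT_HEADERS = {
  'Cache-Control': 'no-cache, no-store, must-revalidate',
  'Pragma': 'no-cache',
  'Expires': '0',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-XSS-Protection': '1; mode=block',
  'X-DNS-Prefetch-Control': 'off',
  'Expect-CT': 'report-uri="/_report", enforce, max-age=30',
  'X-Frame-Options': 'deny',
  'Strict-Transport-Security': 'max-age=30',
  'X-Download-Options': 'noopen',
  'X-Content-Type-Options': 'nosniff',
  'X-Permitted-Cross-Domain-Policies': 'none',
  'Referrer-Policy': 'no-referrer',
};

// The README's option names are the header names with hyphens removed
// (Cache-Control -> CacheControl, X-XSS-Protection -> XXSSProtection).
function optionName(header) {
  return header.replace(/-/g, '');
}

function security(options = {}) {
  const allowedMethods = options.allowedMethods || ['GET', 'POST', 'PUT', 'DELETE'];
  const onlyDefinedRoutes = options.onlyDefinedRoutes === true;
  const definedRoutes = new Set(options.definedRoutes || []);
  // Assumption: XPoweredBy true (the default) means "strip the X-Powered-By header".
  const stripPoweredBy = options.XPoweredBy !== false;

  // Resolve each header once: option value if given, README default otherwise.
  const headers = {};
  for (const [name, def] of Object.entries(DEFAULT_HEADERS)) {
    const opt = optionName(name);
    headers[name] = Object.prototype.hasOwnProperty.call(options, opt) ? options[opt] : def;
  }

  return function securityMiddleware(req, res, next) {
    // Headers go on every response, including the 405s below.
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (stripPoweredBy) res.removeHeader('X-Powered-By');
    // Method not in allowedMethods: 405 (assumed; the README does not state the code).
    if (!allowedMethods.includes(req.method)) { res.statusCode = 405; res.end(); return; }
    // onlyDefinedRoutes: exact path match only, no wildcards, 405 otherwise (per README).
    if (onlyDefinedRoutes && !definedRoutes.has(req.path)) { res.statusCode = 405; res.end(); return; }
    next();
  };
}

// Fake request/response harness so the middleware can be exercised without a server.
function simulate(middleware, method, path) {
  const headers = { 'X-Powered-By': 'Express' }; // constructed: the header Express adds by default
  let reachedHandler = false;
  const res = {
    statusCode: 200,
    setHeader(name, value) { headers[name] = value; },
    removeHeader(name) { delete headers[name]; },
    end() {},
  };
  middleware({ method, path }, res, () => { reachedHandler = true; });
  return { status: res.statusCode, headers, reachedHandler };
}

// Demo: the defaults, then the README's read-only API variant with a header override.
function demo() {
  console.log(simulate(security(), 'HEAD', '/'));            // 405: HEAD is not in the default list
  const readOnly = security({
    allowedMethods: ['GET'],
    onlyDefinedRoutes: true,
    definedRoutes: ['/items/1', '/items/2'],
    XFrameOptions: 'sameorigin',
  });
  console.log(simulate(readOnly, 'GET', '/items/1'));        // 200, handler reached
  console.log(simulate(readOnly, 'GET', '/items/3'));        // 405: route not defined
}
demo();
```

The harness returns the status, the final header map and whether the next handler ran, which is exactly what a scanner such as nikto or zap would observe from outside; the point of the exact-match rule in onlyDefinedRoutes is visible in the last call, where /items/3 is rejected because only /items/1 and /items/2 were listed.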

    Examples

    Run these and check with your favorite testing tool, e.g. nikto or zap.

    Default

    You should create SSL keys first to enable the https example:
    openssl req -x509 -newkey rsa:4096 -keyout examples/default/private.key -out examples/default/certificate.crt -days 365 -nodes

    node examples/default/index.js

    unsave

    node examples/unsave/index.js

    Author

    Dominik Sigmund dominik.sigmund@br.de

    Contribution

    Header

    To add a header, create a fork, then branch and add the header to:

    • index.js
    • index.test.js
    • README.md

    Then run the tests and mutation tests.

    After that, create a pull request and state the function of the header.

    Other Functions

    Similar to the above; just make sure the function secures the app even more.


    License

    ISC

    Unpacked Size

    2.33 MB

    Total Files

    37

    Collaborators

    • sigmundd