@plastdev/security

2.0.0 • Public • Published

security

Sets HTTP response headers to a very safe default configuration. Every default may be overridden through the options object.

Installation

  • npm install --save @plastdev/security

Usage

const security = require('@plastdev/security')
app.use(security(options))

Options

Headers

This is the list of headers with their option names and default values:

Header                              Option                           Default Value
Cache-Control                       CacheControl                     no-cache, no-store, must-revalidate
Pragma                              Pragma                           no-cache
Expires                             Expires                          0
Content-Security-Policy             ContentSecurityPolicy            default-src 'self'; frame-ancestors 'none'
X-XSS-Protection                    XXSSProtection                   1; mode=block
X-DNS-Prefetch-Control              XDNSPrefetchControl              off
Expect-CT                           ExpectCT                         report-uri="/_report", enforce, max-age=30
X-Frame-Options                     XFrameOptions                    deny
X-Powered-By                        XPoweredBy                       true
Strict-Transport-Security           StrictTransportSecurity          max-age=30
X-Download-Options                  XDownloadOptions                 noopen
X-Content-Type-Options              XContentTypeOptions              nosniff
X-Permitted-Cross-Domain-Policies   XPermittedCrossDomainPolicies    none
Referrer-Policy                     ReferrerPolicy                   no-referrer

Allowed Methods

The option allowedMethods is an array of allowed HTTP methods.
By default it is set to ['GET', 'POST', 'PUT', 'DELETE'], disallowing e.g. HEAD.

You may set this array to whatever you like; we recommend making it even more restrictive where possible.

A read-only API may set allowedMethods: ['GET'].

Only Defined Routes

The option onlyDefinedRoutes may be set to true (default: false).

Then only explicitly defined routes are allowed by the Express router; all other requests receive status 405.

To define routes, use the option definedRoutes, which expects an array of routes. No wildcard is allowed, as that would defeat the purpose of this ...

So if you have a route like /items/:id defined, you should add all ids to your array of defined routes ...
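To make the three option groups concrete, here is an added illustration (not the package's own implementation) of how such a middleware is assembled: the header defaults from the table keyed by their option names, the allowedMethods allow-list, and the onlyDefinedRoutes / definedRoutes check answering 405. It drives the middleware with a minimal fake req/res, so it runs without Express; the meaning of XPoweredBy: true (strip the header) is an assumption, and the Allow header on 405 responses is an addition the README does not mention.

```javascript
// Added illustration, not the package's own implementation: header defaults keyed by their
// option names, the allowedMethods allow-list and the onlyDefinedRoutes check from the README.
const HEADERS = [
  // [header name, option key, default value]
  ['Cache-Control', 'CacheControl', 'no-cache, no-store, must-revalidate'],
  ['Pragma', 'Pragma', 'no-cache'],
  ['Expires', 'Expires', '0'],
  ['Content-Security-Policy', 'ContentSecurityPolicy', "default-src 'self'; frame-ancestors 'none'"],
  ['X-Frame-Options', 'XFrameOptions', 'deny'],
  ['Strict-Transport-Security', 'StrictTransportSecurity', 'max-age=30'],
  ['X-Content-Type-Options', 'XContentTypeOptions', 'nosniff'],
  ['Referrer-Policy', 'ReferrerPolicy', 'no-referrer'],
];

function security(options = {}) {
  const allowedMethods = options.allowedMethods || ['GET', 'POST', 'PUT', 'DELETE'];
  const onlyDefinedRoutes = options.onlyDefinedRoutes === true;
  const definedRoutes = new Set(options.definedRoutes || []); // exact paths only, no wildcards
  // Assumed semantics: XPoweredBy true (the default) strips the X-Powered-By fingerprint.
  const stripPoweredBy = options.XPoweredBy !== false;

  return function securityMiddleware(req, res, next) {
    // Headers are applied first so that even the 405 responses below carry them.
    for (const [name, key, def] of HEADERS) {
      const value = key in options ? options[key] : def;
      if (value !== false) res.setHeader(name, value); // an option set to false disables that header
    }
    if (stripPoweredBy) res.removeHeader('X-Powered-By');
    const path = req.url.split('?')[0]; // compare the path without the query string
    if (!allowedMethods.includes(req.method) || (onlyDefinedRoutes && !definedRoutes.has(path))) {
      res.statusCode = 405; // the README's response for disallowed methods and undefined routes
      res.setHeader('Allow', allowedMethods.join(', '));
      return res.end();
    }
    next();
  };
}

// Exercise the middleware with a minimal fake req/res so it can be checked without Express.
function simulate(middleware, method, url) {
  const headers = {};
  const res = {
    statusCode: 200,
    setHeader: (n, v) => { headers[n] = v; },
    removeHeader: (n) => { delete headers[n]; },
    end: () => {},
  };
  let reachedNext = false;
  middleware({ method, url }, res, () => { reachedNext = true; });
  return { status: res.statusCode, headers, reachedNext };
}
```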

Examples

Run these and check the responses with your favourite testing tool, e.g. nikto or ZAP.

Default

Create a self-signed key and certificate first to enable the HTTPS example:
openssl req -x509 -newkey rsa:4096 -keyout examples/default/private.key -out examples/default/certificate.crt -days 365 -nodes

node examples/default/index.js

Unsafe

node examples/unsave/index.js

Author

Dominik Sigmund dominik.sigmund@br.de

Contribution

Header

To add a header, fork the repository, create a branch and add the header to:

  • index.js
  • index.test.js
  • README.md

Then run the tests and the mutation tests.

After that, create a pull request and state the purpose of the header.

Other Functions

Same as above; just make sure the function makes the app even more secure.

License

ISC
