$ npm install express auto-protect
const express = require('express')
const app = express()
# here pass all are middleware for security
app.use(nodeMonitor.test)
app.use(nodeMonitor.validateAndSetMiddleware(process.env.SECURTY_KEY))
# here pass your your api middlewares and others also
app.get('/', function (req, res) {
res.send('Hello World')
})
app.listen(3000)
This repository contains a collection of security vulnerabilities and attack vectors commonly found in web applications. The data is organized into categories, each containing a list of use cases related to that category.
- Application is vulnerable to Command injection attack
- Application is vulnerable to HTML injection attack
- Application is vulnerable to iframe injection attack
- Application is vulnerable to SQL Injection
- Application is vulnerable to XML injection
- SSL Information
- Server Error Message
- Directory listing is enabled on the server
- HTTP parameter pollution
- The remote server contains a 'robots.txt' file
- Application accepts arbitrary methods
- Dangerous HTTP methods are enabled on the server
- OPTIONS method enabled
- An adversary can fingerprint the web server from the HTTP responses
- Application's server side source code disclosure
- Critical information in URL
- Default web-page present in the server
- Sensitive information revealed in HTTP response
- Cleartext Password returned in login response
- The application is vulnerable to a URL redirection flaw
- Application is vulnerable to cross frame scripting
- Application is vulnerable to Cross Site Scripting attack
- Application is vulnerable to stored Cross Site Scripting attack
- Is XSS possible via CSS injection?
- Auto-complete is enabled for sensitive fields
- Captcha is not implemented for publicly available forms
- click jacking
- Developer comments revealed in page source
- Email Flooding
- Vulnerabilities in known components
- Is sensitive data or session token stored in local data storage of browser?
- Is "allow-access-from domain" in cross-domain.xml policy file set to * or unauthorized domains?
- Is "Origin" header in client request validated at the server?
- Is "Access-Control-Allow-Origin" header in server response is set securely?