node-guard

    1.0.0 • Public • Published

    Node Guard

    Coverage Status License

    General purpose I/O module to add following http headers to keep your webpages securing them from malware attacks. This module can be used with any node http server.

    X-XSS-Protection

    X-XSS-Protection http header saves you from XSS attacks. node-guard will set up X-XSS-Protection header on all modern browsers and will disable it for older versions of IE as they have security vulnerabilities defined here https://technet.microsoft.com/library/security/ms10-002.

    const http = require('http')
    const guard = require('node-guard')
    const options = {
      enabled: true,
      enableOnOldIE: false
    }
     
    http.createServer(function (req, res) {
      guard.addXssFilter(req, res, options)
      res.end()
    }).listen(3000)

    X-Frame-Options

    X-Frame-Options defines whether your webpage can be embedded as an iframe to other website. It can take 3 different values from ALLOW-FROM, DENY and SAMEORIGIN

    const http = require('http')
    const guard = require('node-guard')
    const options = 'DENY' // cannot be embedded at all
    // or
    const options = 'SAMEORIGIN' // only this website
    // or
    const options = 'ALLOW-FROM http://example.com' // defined uri
     
    http.createServer(function (req, res) {
      guard.addFrameOptions(res, options)
      res.end()
    }).listen(3000)

    X-Content-Type-Options

    X-Content-Type-Options disables sniffing from web browsers, where they will try to sniff mimetypes. Which means a web browser will execute the javascript file even if the content-type of that file is not set to javascript. Give it a read https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

    const http = require('http')
    const guard = require('node-guard')
    const options = true // or false
     
    http.createServer(function (req, res) {
      guard.addNoSniff(res, options)
      res.end()
    }).listen(3000)

    X-Download-Options

    IE specific header to stop users from executing html files with the access to your site context. Here is a good read on same https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/.

    const http = require('http')
    const guard = require('node-guard')
    const options = true // or false
     
    http.createServer(function (req, res) {
      guard.addNoOpen(res, options)
      res.end()
    }).listen(3000)

    Install

    npm i node-guard

    DownloadsWeekly Downloads

    2,691

    Version

    1.0.0

    License

    MIT

    Last publish

    Collaborators

    • amanvirk