A comprehensive security middleware package for Node.js applications providing real-time protection against common web vulnerabilities and attacks.
- Features
- Installation
- Quick Start
- Configuration
- Security Features
- API Reference
- Examples
- Best Practices
- FAQ
- Contributing
- Security Policy
- License
- 🔍 SQL Injection Detection & Prevention
- 🛡️ XSS (Cross-Site Scripting) Protection
- 🚫 NoSQL Injection Detection
- 🕵️ Malicious Payload Detection
- ⚡ Rate Limiting & Brute Force Protection
- 🧹 Input Sanitization
- 📜 Security Headers Management
- HSTS
- CSP
- XSS Protection
- And more...
- 🔐 Cryptographic Utilities
- Password Hashing
- Data Encryption
- Token Generation
- ✅ Request Validation
- 📝 Automatic Security Logging
# Install with whichever package manager the project already uses; the
# package name is the same for all three.
# Using npm
npm install secure-shield
# Using yarn
yarn add secure-shield
# Using pnpm
pnpm add secure-shield
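const express = require('express');
const { SecureShield } = require('secure-shield');

const app = express();

// Build one shield and register it before any route so every request passes
// through it. `new SecureShield()` with no argument uses the package defaults;
// the options object below overrides a few of them. A file must declare
// `shield` only once, so the default and custom forms are not both shown live.
const shield = new SecureShield({
  sqlProtection: true,
  xssProtection: true,
  rateLimit: {
    maxRequests: 100,
    windowMs: 15 * 60 * 1000, // 15 minutes, in milliseconds
  },
});

app.use(shield.middleware());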
// Rate-limit window expressed in milliseconds (15 minutes).
const RATE_LIMIT_WINDOW_MS = 15 * 60 * 1000;

// Every core scanner is switched on explicitly rather than relying on the
// defaults, and rate limiting is enabled together with brute-force protection.
const shield = new SecureShield({
  sqlProtection: true,
  xssProtection: true,
  noSqlProtection: true,
  payloadProtection: true,
  rateLimit: {
    enabled: true,
    maxRequests: 100,
    windowMs: RATE_LIMIT_WINDOW_MS,
    bruteForceProtection: true,
  },
});
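// Fail fast at startup: the encryption key must come from the environment, and
// silently constructing the shield with `secretKey: undefined` is worse than
// refusing to start.
const secretKey = process.env.SECRET_KEY;
if (!secretKey) {
  throw new Error('SECRET_KEY environment variable is required');
}

const shield = new SecureShield({
  // Security Headers
  securityHeaders: {
    enabled: true,
    hsts: true,
    noSniff: true,
    xssFilter: true,
    frameguard: 'SAMEORIGIN',
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        // No 'unsafe-inline' for scripts: it lets any injected inline <script>
        // execute and removes the XSS mitigation the CSP exists to provide.
        // If inline scripts are unavoidable, allow them via nonces or hashes.
        scriptSrc: ["'self'"],
        // Inline styles carry far less risk and are often hard to avoid.
        styleSrc: ["'self'", "'unsafe-inline'"],
        // "https:" permits images from any HTTPS origin; narrow this to the
        // hosts you actually use where practical.
        imgSrc: ["'self'", "data:", "https:"],
      },
    },
  },
  // Cryptographic Settings — AES-256-GCM is an authenticated mode, so a
  // modified ciphertext fails its tag check on decrypt instead of yielding
  // garbage.
  crypto: {
    enabled: true,
    algorithm: 'aes-256-gcm',
    secretKey,
  },
  // Logging — the log path is relative; where it ends up depends on the
  // process working directory, so confirm it before deploying.
  logging: {
    enabled: true,
    logLevel: 'info',
    logPath: './security.log',
    format: 'json',
  },
});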
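// `await` is only valid inside an async function (or at the top level of an ES
// module), so the helpers are shown inside one rather than as bare statements.
async function credentialExamples() {
  // Password Hashing — persist both values; the hash cannot be verified
  // later without its salt.
  const { hash, salt } = await shield.hashPassword('userPassword');

  // Password Verification — takes the candidate password plus the stored
  // hash and salt.
  const isValid = await shield.verifyPassword('userPassword', hash, salt);

  // Data Encryption — encrypt/decrypt pair using the configured crypto settings.
  const encrypted = shield.encrypt('sensitive data');
  const decrypted = shield.decrypt(encrypted);

  return { isValid, decrypted };
}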
// Upper bound on request bodies, in bytes (1 MiB).
const MAX_BODY_BYTES = 1024 * 1024;

// Allow-lists of the HTTP verbs and media types the middleware will accept.
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_CONTENT_TYPES = [
  'application/json',
  'application/x-www-form-urlencoded',
];

shield.requestValidation({
  maxBodySize: MAX_BODY_BYTES,
  allowedMethods: ALLOWED_METHODS,
  allowedContentTypes: ALLOWED_CONTENT_TYPES,
});
// One year in seconds; the HSTS preload list expects at least this value.
const HSTS_MAX_AGE_SECONDS = 365 * 24 * 60 * 60;

shield.securityHeaders({
  hsts: {
    maxAge: HSTS_MAX_AGE_SECONDS,
    // `preload` signals consent for inclusion in browsers' built-in HSTS list,
    // which then covers every subdomain and is hard to reverse once shipped.
    includeSubDomains: true,
    preload: true,
  },
  csp: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"],
  },
});
- `shield.middleware()` — Express/Koa middleware
- `shield.scan(input)` — Scan input for threats
- `shield.sanitize(input)` — Sanitize input
- `shield.encrypt(data)` — Encrypt sensitive data
- `shield.decrypt(data)` — Decrypt data
- `shield.generateToken()` — Generate a secure token
// Named handlers keep the registration lines short. The `threat` payload
// presumably carries the offending input, so treat it as untrusted if it is
// forwarded anywhere beyond this log line.
const onThreat = (threat) => {
  console.log('Security threat detected:', threat);
};

const onRateLimit = (info) => {
  console.log('Rate limit exceeded:', info);
};

shield.on('threat', onThreat);
shield.on('rateLimit', onRateLimit);
const express = require('express');
const { SecureShield } = require('secure-shield');

const app = express();
const shield = new SecureShield();

// Register the shield before any route so it runs on every request.
app.use(shield.middleware());

// Handler for the protected endpoint; because the shield was registered
// first, the request has already been inspected by the time this runs.
const handleData = (req, res) => {
  res.json({ success: true });
};

app.post('/api/data', handleData);
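const { SecureShield } = require('secure-shield');

const shield = new SecureShield();

/**
 * Inspect one piece of untrusted input with the shield.
 *
 * The original snippet referenced an undefined `userInput`; taking it as a
 * parameter makes the example runnable.
 *
 * @param {*} userInput - raw value taken from the request; never trusted.
 * @returns {{ threats: *, clean: * }} whatever `scan` reported and the
 *   sanitized copy. Sanitizing is defence in depth: if `scan` reports
 *   anything, reject or log the request rather than relying on the clean
 *   value alone.
 */
function inspectInput(userInput) {
  // Scan for threats
  const threats = shield.scan(userInput);
  // Sanitize input
  const clean = shield.sanitize(userInput);
  return { threats, clean };
}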
- Environment Configuration
  - Use environment variables for sensitive settings
  - Never commit security keys to version control
- Rate Limiting
  - Adjust limits based on your application's needs
  - Implement IP-based and user-based limits
- Logging
  - Enable security logging in production
  - Regularly review security logs
  - Implement log rotation
- Updates
  - Keep the package updated
  - Subscribe to security advisories
How does rate limiting work?
Rate limiting tracks requests using a sliding window algorithm and can be configured on a per-IP or per-user basis.
Is it production-ready?
Yes, SecureShield is production-ready and is used by many companies in production environments.
We welcome contributions! Please see our Contributing Guide for details.
- Fork the repository
- Create your feature branch
- Commit your changes
- Push to the branch
- Create a Pull Request
Please report security vulnerabilities to security@secure-shield.dev instead of creating public issues.
This project is licensed under the MIT License - see the LICENSE file for details.
Made with ❤️ by the SecureShield Team