Home

Awesome

lusca

Build Status NPM version

Web application security middleware.

Usage

var express = require('express'),
	app = express(),
	session = require('express-session'),
	lusca = require('lusca');

//this or other session management will be required
app.use(session({
	secret: 'abc',
	resave: true,
	saveUninitialized: true
}));

app.use(lusca({
    csrf: true,
    csp: { /* ... */},
    xframe: 'SAMEORIGIN',
    p3p: 'ABCDEF',
    hsts: {maxAge: 31536000, includeSubDomains: true, preload: true},
    xssProtection: true,
    nosniff: true,
    referrerPolicy: 'same-origin'
}));

Setting any value to false will disable it. Alternately, you can opt into methods one by one:

app.use(lusca.csrf());
app.use(lusca.csp({ /* ... */}));
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.p3p('ABCDEF'));
app.use(lusca.hsts({ maxAge: 31536000 }));
app.use(lusca.xssProtection(true));
app.use(lusca.nosniff());
app.use(lusca.referrerPolicy('same-origin'));

Please note that you must use express-session, cookie-session, their express 3.x alternatives, or other session object management in order to use lusca.

API

lusca.csrf(options)

Notes: The app can use either a blocklist or a allowlist, not both. By default, all post routes are allowlisted.

Enables Cross Site Request Forgery (CSRF) headers.

If enabled, the CSRF token must be in the payload when modifying data or you will receive a 403 Forbidden. To send the token you'll need to echo back the _csrf value you received from the previous request.

Furthermore, parsers must be registered before lusca.

lusca.csp(options)

Enables Content Security Policy (CSP) headers.

Example Options

// Everything but images can only come from own domain (excluding subdomains)
{
  policy: {
    'default-src': '\'self\'',
    'img-src': '*'
  }
}

See the MDN CSP usage page for more information on available policy options.

lusca.xframe(value)

Enables X-FRAME-OPTIONS headers to help prevent Clickjacking.

lusca.p3p(value)

Enables Platform for Privacy Preferences Project (P3P) headers.

lusca.hsts(options)

Enables HTTP Strict Transport Security for the host domain. The preload flag is required for HSTS domain submissions to Chrome's HSTS preload list.

lusca.xssProtection(options)

Enables X-XSS-Protection headers to help prevent cross site scripting (XSS) attacks in older IE browsers (IE8)

lusca.nosniff()

Enables X-Content-Type-Options header to prevent MIME-sniffing a response away from the declared content-type.

lusca.referrerPolicy(value)

Enables Referrer-Policy header to control the Referer header.