commit 5d1f6c3 (0 parents)
Showing 9 changed files with 506 additions and 0 deletions.
@@ -0,0 +1,3 @@ | ||
node_modules | ||
/lib | ||
*.DS_Store |
@@ -0,0 +1,2 @@ | ||
src | ||
tsconfig.json |
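Review bot: a blacklist `.npmignore` listing only `src` and `tsconfig.json` means anything else that lands in the working tree (editor files, fixtures, future test directories) is published with the package. Since `main` and `types` in package.json both resolve under `lib/`, a whitelist such as `"files": ["lib"]` in package.json would publish only the built output and is easier to audit than keeping `.gitignore` (which excludes `/lib`) and `.npmignore` (which excludes everything but `lib`) consistent by hand.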
@@ -0,0 +1,21 @@ | ||
MIT License | ||
|
||
Copyright (c) 2018 Caleb Kinney | ||
|
||
Permission is hereby granted, free of charge, to any person obtaining a copy | ||
of this software and associated documentation files (the "Software"), to deal | ||
in the Software without restriction, including without limitation the rights | ||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
copies of the Software, and to permit persons to whom the Software is | ||
furnished to do so, subject to the following conditions: | ||
|
||
The above copyright notice and this permission notice shall be included in all | ||
copies or substantial portions of the Software. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
SOFTWARE. |
@@ -0,0 +1,214 @@ | ||
# Blockade ⚓️ | ||
|
||
Blockade ⚓️ is a lightweight package that adds optional security headers for Node web frameworks. | ||
|
||
### Supported Node.js web frameworks: | ||
[Express](https://expressjs.com), [hapi](https://hapijs.com), [Koa](https://koajs.com) | ||
|
||
|
||
## Install | ||
|
||
```console | ||
$ nom install blockade | ||
``` | ||
|
||
After installing Blockade: | ||
|
||
```javascript | ||
const blockade = require("blockade"); | ||
|
||
const secureHeaders = new blockade.SecureHeaders(); | ||
``` | ||
|
||
## Security Headers | ||
|
||
Security Headers are HTTP response headers that, when set, can enhance the security of your web application by enabling browser security policies. | ||
|
||
You can assess the security of your HTTP response headers at [securityheaders.com](https://securityheaders.com) | ||
|
||
*Recommendations used by Secure 🔒 and more information regarding security headers can be found at the [OWASP Secure Headers Project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project).* | ||
|
||
## Headers | ||
|
||
#### Server | ||
Contain information about server software | ||
**Default Value:** `NULL` *(obfuscate server information, not included by default)* | ||
|
||
#### Strict-Transport-Security (HSTS) | ||
Ensure application communication is sent over HTTPS | ||
**Default Value:** `max-age=63072000; includeSubdomains` | ||
|
||
#### X-Frame-Options (XFO) | ||
Disable framing from different origins (clickjacking defense) | ||
**Default Value:** `SAMEORIGIN` | ||
|
||
#### X-XSS-Protection | ||
Enable browser cross-site scripting filters | ||
**Default Value:** `1; mode=block` | ||
|
||
#### X-Content-Type-Options | ||
Prevent MIME-sniffing | ||
**Default Value:** `nosniff` | ||
|
||
#### Content-Security-Policy (CSP) | ||
Prevent cross-site injections | ||
**Default Value:** `script-src 'self'; object-src 'self'` *(not included by default)** | ||
|
||
#### Referrer-Policy | ||
Enable full referrer if same origin, remove path for cross origin and disable referrer in unsupported browsers | ||
**Default Value:** `no-referrer, strict-origin-when-cross-origin` | ||
|
||
#### Cache-control / Pragma / Expires | ||
Prevent cacheable HTTPS response | ||
**Default Value:** `no-cache, no-store, must-revalidate, max-age=0` / `no-cache` / `0` | ||
|
||
#### Feature-Policy | ||
Disable browser features and APIs | ||
**Default Value:** `accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none';",` *(not included by default)* | ||
|
||
### Additional information: | ||
- The `Strict-Transport-Security` (HSTS) header will tell the browser to **only** utilize secure HTTPS connections for the domain, and in the default configuration, including *all* subdomains. The HSTS header requires trusted certificates and users will *unable* to connect to the site if using self-signed or expired certificates. The browser will honor the HSTS header for the time directed in the max-age attribute (default = 2 years), and setting the max-age to 0 will disable an already set HSTS header. Use the `{ hsts: false }` option to not include the HSTS header in Secure Headers. | ||
- The `Content-Security-Policy` (CSP) header can break functionality and can (and should) be carefully constructed, use the `{ csp : true }` option to enable default values. | ||
|
||
### Example | ||
`secureHeaders.framework(response)` | ||
|
||
**Default HTTP response headers:** | ||
|
||
```HTTP | ||
Strict-Transport-Security: max-age=63072000; includeSubdomains | ||
X-Frame-Options: SAMEORIGIN | ||
X-XSS-Protection: 1; mode=block | ||
X-Content-Type-Options: nosniff | ||
Referrer-Policy: no-referrer, strict-origin-when-cross-origin | ||
Cache-control: no-cache, no-store, must-revalidate, max-age=0 | ||
Pragma: no-cache | ||
Expires: 0 | ||
``` | ||
|
||
### Options | ||
|
||
You can toggle the setting of headers with default values by passing an object with `true` or `false` and override default values by passing a string to the following options: | ||
|
||
- `server` - set the Server header, e.g. `Server=“Secure”` *(string / bool, default=false)* | ||
- `hsts` - set the Strict-Transport-Security header *(string / bool, default=true)* | ||
- `xfo` - set the X-Frame-Options header *(string / bool, default=true)* | ||
- `xxp` - set the X-XSS-Protection header *(string / bool, default=true)* | ||
- `content` - set the X-Content-Type-Options header *(string / bool, default=true)* | ||
- `csp` - set the Content-Security-Policy *(string / bool, default=false)* * | ||
- `referrer` - set the Referrer-Policy header *(string / bool, default=true)* | ||
- `cache` - set the Cache-control and Pragma headers *(string / bool, default=true)* | ||
- `feature` - set the Feature-Policy header *(string / bool, default=false)* | ||
|
||
#### Example | ||
|
||
```javascript | ||
const blockade = require("blockade"); | ||
|
||
const secureHeaders = new blockade.SecureHeaders({ | ||
server: "Blockade", | ||
csp: true, | ||
hsts: false | ||
}); | ||
|
||
. . . | ||
|
||
secureHeaders.framework(response) | ||
|
||
``` | ||
|
||
**HTTP response headers:** | ||
|
||
```HTTP | ||
Server: Blockade | ||
X-Frame-Options: SAMEORIGIN | ||
X-XSS-Protection: 1; mode=block | ||
X-Content-Type-Options: nosniff | ||
Content-Security-Policy: script-src 'self'; object-src 'self' | ||
Referrer-Policy: no-referrer, strict-origin-when-cross-origin | ||
Pragma: no-cache | ||
Expires: 0 | ||
Cache-control: no-cache, no-store, must-revalidate, max-age=0 | ||
``` | ||
|
||
# Supported Frameworks | ||
|
||
## Express | ||
|
||
#### Headers | ||
`secureHeaders.express(res);` | ||
|
||
##### Example | ||
```javascript | ||
const express = require("express"); | ||
const blockade = require("blockade"); | ||
|
||
const secureHeaders = new blockade.SecureHeaders(); | ||
. . . | ||
|
||
app.use(function(req, res, next) { | ||
secureHeaders.express(res); | ||
next(); | ||
}); | ||
|
||
. . . | ||
|
||
``` | ||
|
||
## hapi | ||
|
||
#### Headers | ||
`secureHeaders.hapi(response);` | ||
|
||
##### Example | ||
```javascript | ||
const Hapi = require("hapi"); | ||
const blockade = require("blockade"); | ||
|
||
const secureHeaders = new blockade.SecureHeaders(); | ||
. . . | ||
|
||
server.ext("onPreResponse", (request, h) => { | ||
const response = request.response; | ||
secureHeaders.hapi(response); | ||
return response; | ||
}); | ||
|
||
. . . | ||
|
||
``` | ||
|
||
## Koa | ||
|
||
#### Headers | ||
`secureHeaders.koa(ctx);` | ||
|
||
##### Example | ||
```javascript | ||
const Koa = require("koa"); | ||
const blockade = require("blockade"); | ||
|
||
const secureHeaders = new blockade.SecureHeaders(); | ||
. . . | ||
|
||
app.use(async (ctx, next) => { | ||
await next(); | ||
secureHeaders.koa(ctx); | ||
}); | ||
|
||
. . . | ||
|
||
``` | ||
|
||
|
||
## Attribution/References | ||
|
||
#### Frameworks | ||
- [Express](https://github.com/expressjs/express) - Fast, unopinionated, minimalist web framework for node. | ||
- [hapi](https://github.com/hapijs/hapi) - Server Framework for Node.js | ||
- [Koa.js](https://github.com/koajs) - Next generation web framework for Node.js | ||
|
||
#### Resources | ||
- [OWASP - Secure Headers Project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project) | ||
- [Mozilla Web Security](https://infosec.mozilla.org/guidelines/web_security) | ||
- [securityheaders.com](https://securityheaders.com) |
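Review bot: the install command under `## Install` reads `$ nom install blockade`; it should be `npm install blockade`. Other text fixes in this file: the italic note under `## Security Headers` says "Recommendations used by Secure 🔒" where this project is Blockade; the `Feature-Policy` default value ends in a stray `'none';",` that is not part of the header value; the CSP default line ends in `*(not included by default)**` with an extra asterisk; `Server=“Secure”` under `### Options` uses curly quotes and would read better as `{ server: "Secure" }` to match the constructor call shown in the example below it; "users will *unable* to connect" should be "users will be *unable* to connect"; and the `cache` option is described as setting the "Cache-control and Pragma headers" while both header dumps also show `Expires: 0`, so the description should list all three. The `### Example` line `secureHeaders.framework(response)` is a placeholder; say that `framework` stands for one of `express`, `hapi` or `koa` as used in the per-framework sections, otherwise readers will call a method that does not exist.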
@@ -0,0 +1,16 @@ | ||
{ | ||
"name": "blockade", | ||
"version": "1.0.0", | ||
"repository": { | ||
"type": "git", | ||
"url": "https://github.com/cakinney/blockade" | ||
}, | ||
"description": "Security Headers for Node.js", | ||
"main": "lib/bloackade.js", | ||
"types": "lib/blockade.d.ts", | ||
"scripts": { | ||
"build": "tsc" | ||
}, | ||
"author": "Caleb Kinney", | ||
"license": "MIT" | ||
} |
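Review bot: `"main": "lib/bloackade.js"` is misspelled; the compiled output of `src/blockade.ts` will be `lib/blockade.js` (the `types` field already says `lib/blockade.d.ts`), so `require("blockade")` would fail because the package's main file does not exist. Two related gaps: `build` runs `tsc` but there is no `devDependencies` entry for `typescript`, and `/lib` is git-ignored with no `prepare` or `prepublishOnly` script, so nothing guarantees that `lib/` is rebuilt from the committed `src/` before `npm publish`. Adding `"prepublishOnly": "npm run build"` and pinning `typescript` as a dev dependency makes the published artifact reproducible from source.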
@@ -0,0 +1 @@ | ||
export { SecureHeaders } from "./framework-headers"; |
@@ -0,0 +1,35 @@ | ||
import { headerObject, headerObj, setHeaderTuple } from "./headers"; | ||
|
||
export class SecureHeaders { | ||
options: secureHeadersOptions; | ||
constructor(options: secureHeadersOptions) { | ||
this.options = options; | ||
} | ||
|
||
express(res: any) { | ||
const headers = headerObject(this.options); | ||
res.set(headers); | ||
} | ||
|
||
hapi(response: any) { | ||
setHeaderTuple(response, this.options); | ||
} | ||
|
||
koa(ctx: any) { | ||
const headers = headerObject(this.options); | ||
ctx.set(headers); | ||
} | ||
} | ||
|
||
export interface secureHeadersOptions { | ||
server?: boolean | string; | ||
hsts?: boolean | string; | ||
xfo?: boolean | string; | ||
xxp?: boolean | string; | ||
content?: boolean | string; | ||
csp?: boolean | string; | ||
referrer?: boolean | string; | ||
cache?: boolean | string; | ||
feature?: boolean | string; | ||
[key: string]: boolean | string | undefined; | ||
} |
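Review bot: `constructor(options: secureHeadersOptions)` makes the options argument required, but the README calls `new blockade.SecureHeaders()` with no argument, so that documented usage is a type error for TypeScript consumers via the shipped `lib/blockade.d.ts`; declare it `constructor(options: secureHeadersOptions = {})`. The index signature `[key: string]: boolean | string | undefined;` also undoes the point of the named fields: a misspelled key such as `{ hts: false }` type-checks and silently leaves the HSTS header at its default, so drop the index signature or reject unknown keys at runtime in the constructor. Minor: `res: any` and `ctx: any` could use the frameworks' response types, and interface names are conventionally PascalCase (`SecureHeadersOptions`).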