Skip to content

Commit

Permalink
v1.0.0
Browse files Browse the repository at this point in the history
  • Loading branch information
cak committed Dec 29, 2018
0 parents commit 5d1f6c3
Show file tree
Hide file tree
Showing 9 changed files with 506 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
node_modules
/lib
*.DS_Store
2 changes: 2 additions & 0 deletions .npmignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
src
tsconfig.json
21 changes: 21 additions & 0 deletions LICENSE
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2018 Caleb Kinney

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
214 changes: 214 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,214 @@
# Blockade ⚓️

Blockade ⚓️ is a lightweight package that adds optional security headers for Node web frameworks.

### Supported Node.js web frameworks:
[Express](https://expressjs.com), [hapi](https://hapijs.com), [Koa](https://koajs.com)


## Install

```console
$ nom install blockade
```

After installing Blockade:

```javascript
const blockade = require("blockade");

const secureHeaders = new blockade.SecureHeaders();
```

## Security Headers

Security Headers are HTTP response headers that, when set, can enhance the security of your web application by enabling browser security policies.

You can assess the security of your HTTP response headers at [securityheaders.com](https://securityheaders.com)

*Recommendations used by Secure 🔒 and more information regarding security headers can be found at the [OWASP Secure Headers Project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project).*

## Headers

#### Server
Contain information about server software
**Default Value:** `NULL` *(obfuscate server information, not included by default)*

#### Strict-Transport-Security (HSTS)
Ensure application communication is sent over HTTPS
**Default Value:** `max-age=63072000; includeSubdomains`

#### X-Frame-Options (XFO)
Disable framing from different origins (clickjacking defense)
**Default Value:** `SAMEORIGIN`

#### X-XSS-Protection
Enable browser cross-site scripting filters
**Default Value:** `1; mode=block`

#### X-Content-Type-Options
Prevent MIME-sniffing
**Default Value:** `nosniff`

#### Content-Security-Policy (CSP)
Prevent cross-site injections
**Default Value:** `script-src 'self'; object-src 'self'` *(not included by default)**

#### Referrer-Policy
Enable full referrer if same origin, remove path for cross origin and disable referrer in unsupported browsers
**Default Value:** `no-referrer, strict-origin-when-cross-origin`

#### Cache-control / Pragma / Expires
Prevent cacheable HTTPS response
**Default Value:** `no-cache, no-store, must-revalidate, max-age=0` / `no-cache` / `0`

#### Feature-Policy
Disable browser features and APIs
**Default Value:** `accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none';",` *(not included by default)*

### Additional information:
- The `Strict-Transport-Security` (HSTS) header will tell the browser to **only** utilize secure HTTPS connections for the domain, and in the default configuration, including *all* subdomains. The HSTS header requires trusted certificates and users will *unable* to connect to the site if using self-signed or expired certificates. The browser will honor the HSTS header for the time directed in the max-age attribute (default = 2 years), and setting the max-age to 0 will disable an already set HSTS header. Use the `{ hsts: false }` option to not include the HSTS header in Secure Headers.
- The `Content-Security-Policy` (CSP) header can break functionality and can (and should) be carefully constructed, use the `{ csp : true }` option to enable default values.

### Example
`secureHeaders.framework(response)`

**Default HTTP response headers:**

```HTTP
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer, strict-origin-when-cross-origin
Cache-control: no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Expires: 0
```

### Options

You can toggle the setting of headers with default values by passing an object with `true` or `false` and override default values by passing a string to the following options:

- `server` - set the Server header, e.g. `Server=“Secure”` *(string / bool, default=false)*
- `hsts` - set the Strict-Transport-Security header *(string / bool, default=true)*
- `xfo` - set the X-Frame-Options header *(string / bool, default=true)*
- `xxp` - set the X-XSS-Protection header *(string / bool, default=true)*
- `content` - set the X-Content-Type-Options header *(string / bool, default=true)*
- `csp` - set the Content-Security-Policy *(string / bool, default=false)* *
- `referrer` - set the Referrer-Policy header *(string / bool, default=true)*
- `cache` - set the Cache-control and Pragma headers *(string / bool, default=true)*
- `feature` - set the Feature-Policy header *(string / bool, default=false)*

#### Example

```javascript
const blockade = require("blockade");

const secureHeaders = new blockade.SecureHeaders({
server: "Blockade",
csp: true,
hsts: false
});

. . .

secureHeaders.framework(response)

```

**HTTP response headers:**

```HTTP
Server: Blockade
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self'; object-src 'self'
Referrer-Policy: no-referrer, strict-origin-when-cross-origin
Pragma: no-cache
Expires: 0
Cache-control: no-cache, no-store, must-revalidate, max-age=0
```

# Supported Frameworks

## Express

#### Headers
`secureHeaders.express(res);`

##### Example
```javascript
const express = require("express");
const blockade = require("blockade");

const secureHeaders = new blockade.SecureHeaders();
. . .

app.use(function(req, res, next) {
secureHeaders.express(res);
next();
});

. . .

```

## hapi

#### Headers
`secureHeaders.hapi(response);`

##### Example
```javascript
const Hapi = require("hapi");
const blockade = require("blockade");

const secureHeaders = new blockade.SecureHeaders();
. . .

server.ext("onPreResponse", (request, h) => {
const response = request.response;
secureHeaders.hapi(response);
return response;
});

. . .

```

## Koa

#### Headers
`secureHeaders.koa(ctx);`

##### Example
```javascript
const Koa = require("koa");
const blockade = require("blockade");

const secureHeaders = new blockade.SecureHeaders();
. . .

app.use(async (ctx, next) => {
await next();
secureHeaders.koa(ctx);
});

. . .

```


## Attribution/References

#### Frameworks
- [Express](https://github.com/expressjs/express) - Fast, unopinionated, minimalist web framework for node.
- [hapi](https://github.com/hapijs/hapi) - Server Framework for Node.js
- [Koa.js](https://github.com/koajs) - Next generation web framework for Node.js

#### Resources
- [OWASP - Secure Headers Project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project)
- [Mozilla Web Security](https://infosec.mozilla.org/guidelines/web_security)
- [securityheaders.com](https://securityheaders.com)
16 changes: 16 additions & 0 deletions package.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
{
"name": "blockade",
"version": "1.0.0",
"repository": {
"type": "git",
"url": "https://github.com/cakinney/blockade"
},
"description": "Security Headers for Node.js",
"main": "lib/bloackade.js",
"types": "lib/blockade.d.ts",
"scripts": {
"build": "tsc"
},
"author": "Caleb Kinney",
"license": "MIT"
}
1 change: 1 addition & 0 deletions src/blockade.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
export { SecureHeaders } from "./framework-headers";
35 changes: 35 additions & 0 deletions src/framework-headers.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
import { headerObject, headerObj, setHeaderTuple } from "./headers";

export class SecureHeaders {
options: secureHeadersOptions;
constructor(options: secureHeadersOptions) {
this.options = options;
}

express(res: any) {
const headers = headerObject(this.options);
res.set(headers);
}

hapi(response: any) {
setHeaderTuple(response, this.options);
}

koa(ctx: any) {
const headers = headerObject(this.options);
ctx.set(headers);
}
}

export interface secureHeadersOptions {
server?: boolean | string;
hsts?: boolean | string;
xfo?: boolean | string;
xxp?: boolean | string;
content?: boolean | string;
csp?: boolean | string;
referrer?: boolean | string;
cache?: boolean | string;
feature?: boolean | string;
[key: string]: boolean | string | undefined;
}
Loading

0 comments on commit 5d1f6c3

Please sign in to comment.