Web application security middleware.
    var express = require('express'),
        app = express(),
        lusca = require('lusca');

    app.use(lusca({
        csrf: true,
        csp: { /* ... */ },
        xframe: 'SAMEORIGIN',
        p3p: 'ABCDEF',
        hsts: { maxAge: 31536000, includeSubDomains: true },
        xssProtection: true
    }));
Setting any of these values to false disables that piece of middleware. Alternately, you can opt in to the methods one by one:
    app.use(lusca.csrf());
    app.use(lusca.csp({ /* ... */ }));
    app.use(lusca.xframe('SAMEORIGIN'));
    app.use(lusca.p3p('ABCDEF'));
    app.use(lusca.hsts({ maxAge: 31536000 }));
    app.use(lusca.xssProtection(true));
lusca.csrf(options)

key
    String - Optional. The name of the CSRF token added to the model. Defaults to _csrf.
impl
    Function - Optional. Custom implementation to generate a token.

Enables Cross Site Request Forgery (CSRF) headers.

If enabled, the CSRF token must be in the payload when modifying data, or the request is rejected with 403 Forbidden. To send the token, echo back the _csrf value you received from the previous request.
lusca.csp(options)

options.policy
    Object - Object definition of policy.
options.reportOnly
    Boolean - Enable report only mode.
options.reportUri
    String - URI where to send the report data.

Enables Content Security Policy (CSP) headers.
lusca.xframe(value)

value
    String - Required. The value for the header, e.g. DENY, SAMEORIGIN or ALLOW-FROM uri.

Enables X-FRAME-OPTIONS headers to help prevent Clickjacking.
lusca.p3p(value)

value
    String - Required. The compact privacy policy.

Enables Platform for Privacy Preferences Project (P3P) headers.
lusca.hsts(options)

options.maxAge
    Number - Required. Number of seconds HSTS is in effect.
options.includeSubDomains
    Boolean - Optional. Applies HSTS to all subdomains of the host.

Enables HTTP Strict Transport Security for the host domain.
lusca.xssProtection(options)

options.enabled
    Boolean - Optional. If the header is enabled or not (see header docs). Defaults to 1.
options.mode
    String - Optional. Mode to set on the header (see header docs). Defaults to block.

Enables X-XSS-Protection headers to help prevent cross site scripting (XSS) attacks in older IE browsers (IE8).
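To make the option blocks above concrete, here is an added illustration written for this page (not lusca's own source): it derives the response headers that a configuration shaped like the usage example implies, and applies the CSRF rule the text describes (a state-changing request must echo the session's token under the configured key, otherwise 403). The exact header serialisation, the request shape (req.method, req.body, req.session) and the set of "safe" methods are assumptions of this example.

```javascript
// Added illustration, not lusca's source: derive the headers that a configuration
// shaped like the usage example implies, and apply the CSRF rule the text describes.

// Serialise a CSP policy object, e.g. { 'default-src': "'self'", 'img-src': ["'self'", 'data:'] }.
function cspHeader(options) {
  var policy = options.policy || {};
  var directives = Object.keys(policy).map(function (name) {
    var v = policy[name];
    return name + ' ' + (Array.isArray(v) ? v.join(' ') : v);
  });
  if (options.reportUri) directives.push('report-uri ' + options.reportUri);
  var header = options.reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { name: header, value: directives.join('; ') };
}

// Map the option block (same keys as the lusca config above) to header name/value pairs.
// A key set to false is skipped: "setting any value to false will disable it".
function securityHeaders(config) {
  var headers = {};
  if (config.csp) { var c = cspHeader(config.csp); headers[c.name] = c.value; }
  if (config.xframe) headers['X-Frame-Options'] = config.xframe;
  if (config.p3p) headers['P3P'] = 'CP="' + config.p3p + '"';
  if (config.hsts) {
    headers['Strict-Transport-Security'] = 'max-age=' + config.hsts.maxAge +
      (config.hsts.includeSubDomains ? '; includeSubDomains' : '');
  }
  if (config.xssProtection) {
    var x = config.xssProtection === true ? {} : config.xssProtection;
    var enabled = x.enabled === undefined || x.enabled ? 1 : 0;   // defaults to 1
    headers['X-XSS-Protection'] = enabled ? '1; mode=' + (x.mode || 'block') : '0';
  }
  return headers;
}

// CSRF rule for state-changing methods: the token stored in the session must be
// echoed back in the body under `key` (default _csrf); otherwise answer 403.
function csrfStatus(req, key) {
  key = key || '_csrf';
  if (['GET', 'HEAD', 'OPTIONS'].indexOf(req.method) !== -1) return null;  // assumed safe methods
  var sent = req.body && req.body[key];
  var expected = req.session && req.session[key];
  if (typeof sent !== 'string' || !expected || sent.length !== expected.length) return 403;
  var diff = 0;  // compare every character so timing does not reveal where the mismatch is
  for (var i = 0; i < sent.length; i++) diff |= sent.charCodeAt(i) ^ expected.charCodeAt(i);
  return diff === 0 ? null : 403;
}
```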