siren-lusca

Application security for koa.

Usage no npm install needed!

<script type="module">
  import sirenLusca from 'https://cdn.skypack.dev/siren-lusca';
</script>

README

siren-lusca

Web application security middleware for koa. This middleware is modified based on lusca.

===== Build Status

Usage

var koa = require('koa'),
    app = koa(),
    session = require('koa-generic-session'),
    bodyParser = require('koa-bodyparser'),
    lusca = require('siren-lusca');

app.keys = ["abc"];
app.use(session());
app.use(bodyParser());

app.use(lusca({
    csrf: true,
    csp: { /* ... */},
    xframe: 'SAMEORIGIN',
    p3p: 'ABCDEF',
    hsts: {maxAge: 31536000, includeSubDomains: true},
    xssProtection: true,
    nocache: true,
    nosniff: {noETag: true},
    ienoopen: true
}));

Setting any value to false will disable it. Alternately, you can opt into methods one by one:

app.use(lusca.csrf());
app.use(lusca.csp({ /* ... */}));
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.p3p('ABCDEF'));
app.use(lusca.hsts({ maxAge: 31536000 }));
app.use(lusca.xssProtection(true));
app.use(lusca.nocache());
app.use(lusca.nosniff({noETag: true}));
app.use(lusca.ienoopen());

Please note that you must ensure the existence of ctx.session.

API

Please refer to lusca or the comments in the source code.

Tests

$ npm test

Coverage

$ npm test-cov
```