0.1.6 • Published 10 years ago

express-waf v0.1.6

Weekly downloads: 5
License: Apache 2
Repository: github
Last release: 10 years ago

express-waf

A small web application firewall for the Node.js Express framework.

Installation

npm install --save express-waf

Usage

The constructor expects the configuration for the blocker and optional settings as parameters. Blocker configuration includes:

  • blockTime: The blacklist timeout, i.e. the time after which entries are removed from the blacklist.
  • db: The database used for the blacklist. In the folder "/database" you can find predefined database connectors. If you don't find the connector you need, you may define your own database connector. This connector must define an add, a remove and a contains function.

var ExpressWaf = require('express-waf');

var emudb = new ExpressWaf.EmulatedDB();
var waf = new ExpressWaf.ExpressWaf({
    blocker:{
        db: emudb,
        blockTime: 1000
    },
    log: true
});

After that, you can add additional modules to the firewall. Without these modules, the firewall won't block any attacks: the basic functionality only includes a blacklist for malicious hosts and a logging mechanism for attacks.

Additional modules can be found in the folder "/modules". These include, for example, a module against SQL injection attacks and a module against CSRF attacks.

For example, this is how to add the CSRF module:

waf.addModule('csrf-module', {
    allowedMethods:['GET', 'POST'],
    refererIndependentUrls: ['/'],
    allowedOrigins: ['www.example.com']
}, function (error) {
    console.log(error);
});

Finally, don't forget to add the check method of express-waf as middleware:

// app is your Express application instance
app.use(waf.check);

If you forget this step, your firewall won't do anything! That's it. Your firewall is now configured to be used with your Node.js/Express application.
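A custom database connector of the kind the db option above allows, written as an added example that is not part of the express-waf project. The (ip, callback) signatures, the (error, result) callback convention, and the names MemoryBlacklist and normalizeIp are assumptions; compare them with the connectors in "/database" before relying on them.

```javascript
// Added example, not express-waf code. Assumed contract: add, remove and
// contains each take (ip, callback) and call back with (error, result).

// Express reports IPv4 clients on dual-stack sockets as "::ffff:a.b.c.d".
// Fold that form to plain IPv4 so one host cannot sit in the blacklist
// under one spelling and be looked up under another.
function normalizeIp(ip) {
    var s = String(ip).trim().toLowerCase();
    var m = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(s);
    return m ? m[1] : s;
}

function MemoryBlacklist(maxEntries) {
    this.entries = new Map();               // ip -> time added (ms)
    this.maxEntries = maxEntries || 10000;  // bound memory under request floods
}

MemoryBlacklist.prototype.add = function (ip, cb) {
    var key = normalizeIp(ip);
    this.entries.delete(key);               // re-adding moves the entry to the end
    this.entries.set(key, Date.now());
    // Map keeps insertion order, so the first key is the oldest entry.
    // Trade-off: a flood of new hosts can push older blocked hosts out.
    while (this.entries.size > this.maxEntries) {
        this.entries.delete(this.entries.keys().next().value);
    }
    if (cb) cb(null);
};

MemoryBlacklist.prototype.remove = function (ip, cb) {
    var removed = this.entries.delete(normalizeIp(ip));
    if (cb) cb(null, removed);
    return removed;
};

MemoryBlacklist.prototype.contains = function (ip, cb) {
    var found = this.entries.has(normalizeIp(ip));
    if (cb) cb(null, found);
    return found;
};

// Would be passed to the constructor in place of the emulated database:
//   blocker: { db: new MemoryBlacklist(), blockTime: 1000 }
```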

List of Modules

Code-Quality

All modules can be tested by using the jasmine-node testing framework:

jasmine-node spec/

Code coverage can be calculated with istanbul:

istanbul cover jasmine-node spec/

0.1.6 • 10 years ago
0.1.5 • 10 years ago
0.1.4 • 10 years ago
0.1.3 • 10 years ago
0.1.2 • 10 years ago
0.1.1 • 10 years ago
0.1.0 • 10 years ago
0.0.1 • 10 years ago