owasp-nodejs-security-pack v1.0.8

owasp-nodejs-security-pack

owasp-nodejs-security-pack is a Node.js library designed to provide robust, plug-and-play middleware for securing your Express applications. It offers various middleware utilities to enhance security, prevent vulnerabilities, and streamline the integration of security best practices.

Installation

Install the package using npm:

npm install owasp-nodejs-security-pack

Features

1. Signature Verification Middleware: Validates digital signatures to ensure message integrity.
2. Brute Force Protection: Prevents excessive requests from a single client.
3. Composable Middleware: Combine multiple middleware functions into a single one.
4. Content-Type Validator: Restricts requests to specific content types.
5. Hybrid Encryption: Encrypts data with RSA and AES hybrid approach.
6. Output Escaping: Sanitizes responses to prevent XSS attacks.
7. HTTP Parameter Pollution Prevention: Protects against parameter pollution attacks.
8. Rate Limiting: Restricts the number of requests from an IP within a time window.

Usage

1. Signature Verification Middleware

Validates the signature of incoming requests using a public key.

import { verifySignatureMiddleware } from "owasp-nodejs-security-pack";

app.use(verifySignatureMiddleware);

2. Brute Force Protection

Prevents excessive requests from a single client by tracking request history.

import { createBruteForceMiddleware } from "owasp-nodejs-security-pack";

const bruteForceMiddleware = createBruteForceMiddleware({
  maxRequests: 100,
  windowMs: 15 * 60 * 1000, // 15 minutes
  blockDurationMs: 15 * 60 * 1000, // 15 minutes
  message: "Too many requests from this IP"
});

app.use(bruteForceMiddleware);

3. Composable Middleware

Combine multiple middleware functions into a single one.

import { composeMiddleware } from "owasp-nodejs-security-pack";

const combinedMiddleware = composeMiddleware(middleware1, middleware2, middleware3);
app.use(combinedMiddleware);

4. Content-Type Validator

Restricts requests to specific content types.

import { createContentTypeMiddleware } from "owasp-nodejs-security-pack";

const contentTypeMiddleware = createContentTypeMiddleware({
  allowedTypes: ["json", "form-data"],
  errorMessage: "Only JSON and Form Data are supported"
});

app.use(contentTypeMiddleware);

5. Hybrid Encryption

Encrypts data using RSA and AES for secure data transfer.

import { encryptDataHybrid } from "owasp-nodejs-security-pack";

const encryptedData = encryptDataHybrid({
  name: "Sensitive Data",
  description: "This is a secure message."
});
console.log(encryptedData);

6. Output Escaping

Sanitizes response data to prevent XSS attacks.

import { createOutputEscapingMiddleware } from "owasp-nodejs-security-pack";

const outputEscaping = createOutputEscapingMiddleware({
  escapeMode: "partial",
  customEscapeFields: ["name", "description"],
  excludeFields: ["id", "timestamp"]
});

app.use(outputEscaping);

7. HTTP Parameter Pollution Prevention

Prevents attacks using parameter pollution in query, body, or params.

import { createHPPMiddleware } from "owasp-nodejs-security-pack";

const hppMiddleware = createHPPMiddleware({
  whitelist: ["allowedParam"],
  blockedParams: ["criticalParam"],
  errorMessage: "Invalid request parameters"
});

app.use(hppMiddleware);

8. Rate Limiting

Restricts the number of requests from an IP within a specified time window.

import { rateLimiter } from "owasp-nodejs-security-pack";

app.use(rateLimiter);

Contributing

We welcome contributions! Please fork the repository and submit a pull request with your changes.

License

This project is licensed under the MIT License. See the LICENSE file for details.

Enjoy secure coding! 🚀

Author

Gunjan Sharma (Senior Software Engineer & Blockchain Enthusiast)