Secan NPM | npm.io

secan

Tools for protecting your javascript code in browser.

Installation

$ npm i -P secan

Usage

import secan from 'secan';
secan({
   debuggerLoop: true 
});
window.addEventListener('devtoolsopen', () => {
    console.log('What are you doing now?');
    // when you open devtools, this event will be emitted and you will get a debugger and a debugger...
});

Options

interval (number) By default, secan will perform a check every 3 seconds, this option can specify another value
debug (boolean or string) If true, secan will not perform check, it is useful in development environment. If a string, for example, debug: '__debug__' when the URL of current page has a query string such as ?__debug__=1, secan will not perform check, it's a backdoor in production environment...
breakIframe (boolean) If true, when current page in a <iframe>, secan will redirect window.top to current page, default true. But you still need to set a header X-Frame-Options, see MDN, this is the right way
debuggerLoop (boolean) When secan detected the devtools open, secan will start a debugger loop to interfere debugging
hookFn (boolean) If true, secan will hook eval console alert, and when these method called, secan will emit window.addEventListener('eval'), window.addEventListener('console') and window.addEventListener('alert'), if someone perform a XSS test, this may be useful
baitURL (string) Must be a URL start with https, when sslstrip occurred, this URL will be http not https and secan can detect then emit a event window.addEventListener('sslstrip')
allowInlineScript (boolean) Default true, secan will check all <script>, if src of <script> not in scriptDomain, secan will emit a event window.addEventListener('invalidscript'), if allowInlineScript is true, secan will also emit this event
scriptDomain (string or string[]) A domain whitelist of <script> src, if a src of <script> not in scriptDomain, secan will emit a event window.addEventListener('invalidscript')
pageDomain (string) If current domain is not pageDomain, secan will emit a event window.addEventListener('invaliddomain')

Events

window.addEventListener('eval') If hookFn is true, this event will be emitted when eval called, and the event.detail.args can get the arguments of this call
window.addEventListener('console') If hookFn is true, this event will be emitted when console[<method>] called, and the event.detail.args can get the arguments of this call
window.addEventListener('alert') If hookFn is true, this event will be emitted when alert called, and the event.detail.args can get the arguments of this call
window.addEventListener('invaliddomain') If pageDomain set, and domain of current page is not pageDomain, this event will be emitted, and the event.detail.url can get the URL of current page
window.addEventListener('sslbreak') If the URL of current page is not HTTPS, this event will be emitted
window.addEventListener('sslstrip') If secan detected sslstrip, this event will be emitted
window.addEventListener('iniframe') If secan detected that current page is in a <iframe>, this event will be emitted
window.addEventListener('headlessbrowser') If secan detected that current page is in a headless browser, such as puppeteer or phantomJS, this event will be emitted
window.addEventListener('invalidscript') Secan will check all <script>, if src of <script> not in scriptDomain, this event will be emitted
window.addEventListener('devtoolsopen') If secan detected that devtools is open, this event will be emitted