security-guard v0.1.1

security-guard

Providing security guards for Node.js applications based on Koa.js.

Install

npm i security-guard

Running local example

yarn && yarn example

the example server will run at localhost:3000.

exp.

to preview XSS attack, go to localhost:3000/xss?q=<xss>, replace xss with your script.

Use as a middleware

const Guard = require('security-guard');
app.use(Guard(options));

• options [Options] options object.

Options {
    helper: {
        surl?: SurlOtpions // see below for detail
    }
}

Helper

some utils to help reducing XSS and other security risks.

helper.surl(sourceUrl, surlOptions)

to transform given url to a more security url.

• sourceUrl \<string> source url to transform.
• surlOptions [SurlOptions] options. This options will cover the options.helper.surl in Guard(options).

    SurlOtpions {
        protocolWhiteList?: string[]   // white list of protocols like ['http', 'https'], if the source url doesn't match any in the white list, surl() will return ''. default to be ['http', 'https', 'data', 'file']
    }

exp.

const Guard = require('security-guard');
app.use(Guard());
//...
router.get('/surl', async ctx => {
    const href = ctx.request.href;
    console.log("source href：", href);   // http://localhost:3000/surl?q=%3Cscript%3Ealert(%27hello%27)%3C/script%3E

    const secureHref = ctx.helper.surl(href, {
        protocolWhiteList: ['http', 'https']
    });
    console.log("security url：", secureHref); // http://localhost:3000/surl?q=%26lt%3Bscript%26gt%3Balert%28%26%23x27%3Bhello%26%23x27%3B%29%26lt%3B%2Fscript%26gt%3B

    const pu = new URL(secureHref);
    const q = pu.searchParams.get('q');

    console.log(q); // <script>alert('hello')</script>
    await ctx.render('surl', {
        query: q
    });
});

Go to localhost:3000/surl?q=<xss> to preview it, replace xss with your script

// todo