1.0.4 • Published 9 years ago

siren-lusca v1.0.4


siren-lusca

Web application security middleware for koa. It is a modified version of lusca.


Usage

var koa = require('koa'),
    app = koa(),
    session = require('koa-generic-session'),
    bodyParser = require('koa-bodyparser'),
    lusca = require('siren-lusca');

app.keys = ["abc"];
app.use(session());
app.use(bodyParser());

app.use(lusca({
    csrf: true,
    csp: { /* ... */},
    xframe: 'SAMEORIGIN',
    p3p: 'ABCDEF',
    hsts: {maxAge: 31536000, includeSubDomains: true},
    xssProtection: true,
    nocache: true,
    nosniff: {noETag: true},
    ienoopen: true
}));

Setting any value to false will disable it. Alternatively, you can opt into methods one by one:

app.use(lusca.csrf());
app.use(lusca.csp({ /* ... */}));
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.p3p('ABCDEF'));
app.use(lusca.hsts({ maxAge: 31536000 }));
app.use(lusca.xssProtection(true));
app.use(lusca.nocache());
app.use(lusca.nosniff({noETag: true}));
app.use(lusca.ienoopen());

Note that ctx.session must exist, so register a session middleware before lusca, as in the example above.
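An added example (not part of siren-lusca or its README): a small check that a response carries the headers the options above ask for, useful in an integration test. The mapping from option names to header names is an assumption based on the standard headers these options conventionally control, `auditHeaders` is a hypothetical helper, and the sample header sets are constructed.

```javascript
// Added example: audit response headers against the lusca options shown above.
// ASSUMPTION: the option-to-header mapping follows the standard headers these
// option names conventionally control, not siren-lusca's verified output.
const CHECKS = {
  xframe: (h, v) => (h['x-frame-options'] || '').toUpperCase() === String(v).toUpperCase(),
  p3p: (h, v) => (h['p3p'] || '').includes(v),
  hsts: (h, v) => {
    const sts = (h['strict-transport-security'] || '').toLowerCase();
    const m = /max-age=(\d+)/.exec(sts);
    if (!m || Number(m[1]) < v.maxAge) return false; // missing or shorter than configured
    return !v.includeSubDomains || sts.includes('includesubdomains');
  },
  xssProtection: (h) => /^1\b/.test(h['x-xss-protection'] || ''),
  nocache: (h) => /no-(store|cache)/i.test(h['cache-control'] || ''),
  nosniff: (h) => (h['x-content-type-options'] || '').toLowerCase() === 'nosniff',
  ienoopen: (h) => (h['x-download-options'] || '').toLowerCase() === 'noopen',
};

// Returns the names of enabled options whose header is missing or weaker than
// configured. Options set to false (or absent) are skipped, as in the README.
function auditHeaders(options, rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  return Object.keys(CHECKS).filter((name) =>
    options[name] !== undefined && options[name] !== false && !CHECKS[name](h, options[name]));
}

// Options from the Usage section (csrf and csp are not header-checked here).
const config = {
  xframe: 'SAMEORIGIN', p3p: 'ABCDEF',
  hsts: { maxAge: 31536000, includeSubDomains: true },
  xssProtection: true, nocache: true, nosniff: { noETag: true }, ienoopen: true,
};

// Constructed header sets: one complete, one with a weak HSTS and no X-Frame-Options.
const good = {
  'X-Frame-Options': 'SAMEORIGIN', 'P3P': 'ABCDEF',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-XSS-Protection': '1; mode=block', 'Cache-Control': 'no-store, no-cache',
  'X-Content-Type-Options': 'nosniff', 'X-Download-Options': 'noopen',
};
const weak = { ...good, 'Strict-Transport-Security': 'max-age=3600' };
delete weak['X-Frame-Options'];

console.log(auditHeaders(config, good)); // []
console.log(auditHeaders(config, weak)); // [ 'xframe', 'hsts' ]
```

In a real test, pass the response headers captured from the running koa app in place of the constructed objects.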

API

Please refer to lusca or the comments in the source code.

Tests

$ npm test

Coverage

$ npm run test-cov