webux-security v1.3.8

Webux Security

This is only a wrapper for the security stuff within the framework.
In the component folder, you can add everything you need.

Installation

npm i --save webux-security

What is covered ?

Currently the wrapper uses these technologies:

• cors
• body-parser
• cookie-parser
• express headers
• helmet
• trust proxy
• compression
• disabling x-powered-by

Usage

Cors

More details: cors

you can enable/disable the cors within development or production mode.

there is some configuration to do,
the variable is origin, you can set it by doing,
to enable the origin,

module.exports = {
  origin: ["https://somedomain.com", "http://127.0.0.1"]
};

or to disable it,

module.exports = {
  origin: []
};

when an empty array is detected the cors or set to *

you can also use the environment variable to proceed:

export ORIGIN=http://127.0.0.1 https://somedomain.com

and to specify only one or everything you can do:

const options = {
  origin: "http:/127.0.0.1:8080"
}

# or

const options = {
  origin: "*"
}

How to apply the cors,

They are currently applied automatically while using this wrapper, fow now there is no way to "ignore" this setting, except by disabling it.

Body Parser and Cookie Parser

More details: body-parser
More details: cookie-parser

Currently you can configure 4 options for these parsers.

Usage example,

const options = {
  bodyParser: {
    limit: "10mb",
    extended: true
  },
  cookieParser: {
    secret: "Hey !"
  }
};

for the body-parser, by default, if nothing is defined the size will be 1mb an the extended option will be false
This is important, the cookie secret must remains SECRET, you should use a environment variable to handle this one,

export COOKIE_SECRET=somethingverysecurelikeasha512ofsomethingreallysecure

module.exports = {
  bodyParser: {
    limit: "2mb",
    extended: true
  },
  cookieParser: {
    secret: process.env.COOKIE_SECRET || "this is not a secure secret..."
  }
};

Headers

which headers are set,

• Access-Control-Allow-Methods
• Access-Control-Allow-Headers
• Access-Control-Allow-Credentials

The allow-origin is set using the cors function.

How to configure these 3 parameters,

module.exports = {
  allowedMethods: "GET, POST, PUT, DELETE, PATCH, OPTIONS",
  allowedCredentials: true,
  allowedHeaders:
    "Origin, X-Requested-with, Accept, Authorization, Content-Type, Accept-Language"
};

Helmet

More details: Helmet

it allows to configure some basic security stuff in your application, this wrapper uses the default configuration.

Trust Proxy

More details: Express Trust Proxy

it will set the trust proxy as your application requirements.

const options = {
  trustProxy: true
};

Compression

More details: Compression

This wrapper uses the default configuration, every responses are compressed.

x-powered-by

it will remove the express value from the header, it allows to add more security for people who scan the application to find potential vulnerabilities.

Examples

You can check the examples/ folder to get some

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

License

SEE LICENSE IN license.txt