How to use the lusca.xssProtection function in lusca

To help you get started, we’ve selected a few lusca examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github avoidwork / tenso / lib / utility.js View on Github external
luscaXframe = lusca.xframe(config.security.xframe);
		obj.always(luscaXframe).blacklist(luscaXframe);
	}

	if (isEmpty(config.security.p3p || "") === false) {
		luscaP3p = lusca.p3p(config.security.p3p);
		obj.always(luscaP3p).blacklist(luscaP3p);
	}

	if (config.security.hsts instanceof Object) {
		luscaHsts = lusca.hsts(config.security.hsts);
		obj.always(luscaHsts).blacklist(luscaHsts);
	}

	if (config.security.xssProtection) {
		luscaXssProtection = lusca.xssProtection(config.security.xssProtection);
		obj.always(luscaXssProtection).blacklist(luscaXssProtection);
	}

	if (config.security.nosniff) {
		luscaNoSniff = lusca.nosniff();
		obj.always(luscaNoSniff).blacklist(luscaNoSniff);
	}

	// Can fork to `middleware.keymaster()`
	obj.always(middleware.zuul).blacklist(middleware.zuul);

	passportInit = passport.initialize();
	obj.always(passportInit).blacklist(passportInit);

	if (stateless === false) {
		passportSession = passport.session();
github GeekyAnts / express-typescript / src / middlewares / CsrfToken.ts View on Github external
// does not contains the api substring
		_express.use((req, res, next) => {
			const apiPrefix = Locals.config().apiPrefix;

			if (req.originalUrl.includes(`/${apiPrefix}/`)) {
				next();
			} else {
				lusca.csrf()(req, res, next);
			}
		});

		// Enables x-frame-options headers
		_express.use(lusca.xframe('SAMEORIGIN'));

		// Enables xss-protection headers
		_express.use(lusca.xssProtection(true));

		_express.use((req, res, next) => {
			// After successful login, redirect back to the intended page
			if (!req.user
				&& req.path !== '/login'
				&& req.path !== '/signup'
				&& !req.path.match(/^\/auth/)
				&& !req.path.match(/\./)) {
				req.session.returnTo = req.originalUrl;
			} else if (req.user
					&& (req.path === '/account' || req.path.match(/^\/api/))) {
				req.session.returnTo = req.originalUrl;
			}
			next();
		});
github TailorDev / assignees / app.js View on Github external
}));
app.use(passport.initialize());
app.use(passport.session());
app.use(flash());

// security
app.disable('x-powered-by');
app.use(function enableCSRF(req, res, next) {
  if (req.path === '/events') {
    next();
  } else {
    lusca.csrf()(req, res, next);
  }
});
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.xssProtection(true));

// user
app.use(function addUserToLocals(req, res, next) {
  res.locals.user = req.user;
  next();
});
app.use(function redirectUser(req, res, next) {
  // After successful login, redirect back to the intended page
  if (!req.user && !req.path.match(/^\/auth/) && !req.path.match(/\./)) {
    req.session.returnTo = req.path;
  } else if (req.user && req.path === '/account') {
    req.session.returnTo = req.path;
  }
  next();
});
github jhwohlgemuth / tomo-cli / dist / commands / create-server / templates / server.js View on Github external
const html = md.render(str);
                fn(null, html);
            } catch (err) {
                fn(err);
            }
        });
    })
    .set('view engine', 'html')
    .set('views', `${__dirname}/public`)
    .use(session(config.get('session')))
    .use(setCsrfHeader)
    .disable('x-powered-by') // Do not advertise Express
    // .use(lusca.csrf()) // Cross Site Request Forgery
    // .use(lusca.csp({policy: config.csp})) // Content Security Policy
    .use(lusca.hsts({maxAge: 31536000}))
    .use(lusca.xssProtection(true))
    .use(helmet.noSniff())
    .use(helmet.ieNoOpen())
    .use(helmet.referrerPolicy({policy: 'no-referrer'}))
    .use(compress()) // Use gzip compression
    .use(express.static(__dirname)); // Serve static files
app.get('/', verifyCsrfHeader, (req, res) => {
    res.render('index', {
        message: 'The server is functioning properly!'
    });
});
app.get('/:page.md', verifyCsrfHeader, (req, res) => {
    const {page} = req.params;
    res.render(`${page}.md`);
});

module.exports = app;
github shanhuiyang / TypeScript-MERN-Starter / src / app.ts View on Github external
app.use(bodyParser.urlencoded({ extended: true }));
app.use(expressValidator());
app.use(session({
  resave: true,
  saveUninitialized: true,
  secret: process.env.SESSION_SECRET,
  store: new MongoStore({
    url: process.env.MONGODB_URI || process.env.MONGOLAB_URI,
    autoReconnect: true
  })
}));
app.use(passport.initialize());
app.use(passport.session());
app.use(flash());
app.use(lusca.xframe("SAMEORIGIN"));
app.use(lusca.xssProtection(true));
app.use((req, res, next) => {
  res.locals.user = req.user;
  next();
});
app.use((req, res, next) => {
  // After successful login, redirect back to the intended page
  if (!req.user &&
      req.path !== "/login" &&
      req.path !== "/signup" &&
      !req.path.match(/^\/auth/) &&
      !req.path.match(/\./)) {
    req.session.returnTo = req.path;
  } else if (req.user &&
      req.path == "/account") {
    req.session.returnTo = req.path;
  }
github ukon1990 / wow-auction-helper / server / src / app.ts View on Github external
// Create Express server
const app = express();

// Express configuration
app.set('port', process.env.PORT || 3000);
app.use(compression());
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({extended: true}));
app.use(expressValidator());
app.use(expressSession({
  cookie: {maxAge: 60000},
  secret: 'null'
}));
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.xssProtection(true));
app.use(function (req, res, next) {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept');
  next();
});

app.use(
  express.static(path.join(__dirname, 'public'), {maxAge: 31557600000})
);


/**
 * API examples routes.
 */
app.get('/api', apiController.getApi);
github avoidwork / tenso / lib / tenso.es6.js View on Github external
luscaXframe = lusca.xframe(config.security.xframe);
		obj.server.use(luscaXframe).blacklist(luscaXframe);
	}

	if (!string.isEmpty(config.security.p3p || "")) {
		luscaP3p = lusca.p3p(config.security.p3p);
		obj.server.use(luscaP3p).blacklist(luscaP3p);
	}

	if (config.security.hsts instanceof Object) {
		luscaHsts = lusca.hsts(config.security.hsts);
		obj.server.use(luscaHsts).blacklist(luscaHsts);
	}

	if (config.security.xssProtection instanceof Object) {
		luscaXssProtection = lusca.xssProtection(config.security.xssProtection);
		obj.server.use(luscaXssProtection).blacklist(luscaXssProtection);
	}

	protection = zuul(config.auth.protect);
	obj.server.use(protection).blacklist(protection);

	if (stateless && !stateful) {
		init(false);
	} else {
		init(true);

		passport.serializeUser(function (user, done) {
			done(null, user);
		});

		passport.deserializeUser(function (arg, done) {
github mcrider / dcap-node / src / server.ts View on Github external
*/
const app = express();

/**
 * Express configuration.
 */
app.set("port", process.env.PORT || 3000);
app.use(compression());
app.use(cors());
app.use(logger("dev"));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));
app.use(expressValidator());
app.use(flash());
app.use(lusca.xframe("SAMEORIGIN"));
app.use(lusca.xssProtection(true));
app.use(express.static(path.join(__dirname, "public"), { maxAge: 31557600000 }));

/**
 * API  routes.
 */
app.get("/", apiController.getRoot);
app.post("/user/create", apiController.createUser);
app.post("/user/login", apiController.loginUser);
app.post("/user/delete", apiController.validateToken, apiController.deleteUser);
app.get("/type/:type", apiController.getType);
app.get("/type/:type/schema", apiController.getTypeSchema);
app.post("/type/:type", apiController.validateToken, apiController.addDocument);
app.post("/type/:type/:hash", apiController.validateToken, apiController.getTypeDocument);
app.put("/type/:type/:hash", apiController.validateToken, apiController.updateDocument);
app.delete("/type/:type/:hash", apiController.validateToken, apiController.deleteDocument);
app.get("/document/:hash", apiController.getDocument);

lusca

Application security for express.

Unrecognized
Latest version published 4 years ago

Package Health Score

57 / 100
Full package analysis

Similar packages