luscaXframe = lusca.xframe(config.security.xframe);
obj.always(luscaXframe).blacklist(luscaXframe);
}
// Each lusca middleware below is kept in an outer-scope variable (declared
// elsewhere), registered with obj.always() and then passed to .blacklist() —
// presumably so it runs on every route but is excluded from the route
// protection list; confirm against the obj API.

// P3P header: only emitted when a non-empty policy string is configured.
if (!isEmpty(config.security.p3p || "")) {
  luscaP3p = lusca.p3p(config.security.p3p);
  obj.always(luscaP3p).blacklist(luscaP3p);
}

// Strict-Transport-Security: enabled only when an options object is supplied.
if (config.security.hsts instanceof Object) {
  luscaHsts = lusca.hsts(config.security.hsts);
  obj.always(luscaHsts).blacklist(luscaHsts);
}

// X-XSS-Protection: any truthy config value (boolean or options object) is
// handed straight to lusca.
if (config.security.xssProtection) {
  luscaXssProtection = lusca.xssProtection(config.security.xssProtection);
  obj.always(luscaXssProtection).blacklist(luscaXssProtection);
}

// X-Content-Type-Options: nosniff (takes no options).
if (config.security.nosniff) {
  luscaNoSniff = lusca.nosniff();
  obj.always(luscaNoSniff).blacklist(luscaNoSniff);
}

// Can fork to `middleware.keymaster()`
obj.always(middleware.zuul).blacklist(middleware.zuul);

// Passport must be initialised before any route that reads req.user.
passportInit = passport.initialize();
obj.always(passportInit).blacklist(passportInit);
if (stateless === false) {
passportSession = passport.session();
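// CSRF protection applies to browser-facing routes only; requests under the
// configured API prefix are expected to authenticate by other means and skip
// the token check. The decision is made on the URL path (query string removed)
// and only when the prefix is the *leading* segment — the previous
// `originalUrl.includes(...)` substring test also matched the prefix inside a
// query string or a later path segment, so non-API routes could bypass the check.
// lusca.csrf() returns a configured middleware; build it once rather than on
// every request.
const csrfMiddleware = lusca.csrf();
_express.use((req, res, next) => {
  const apiPrefix = Locals.config().apiPrefix;
  const urlPath = req.originalUrl.split('?', 1)[0];
  if (urlPath.startsWith(`/${apiPrefix}/`)) {
    next();
  } else {
    csrfMiddleware(req, res, next);
  }
});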
// Response-header hardening: X-Frame-Options: SAMEORIGIN (clickjacking) and the
// legacy X-XSS-Protection header (modern browsers largely ignore the latter; a
// Content-Security-Policy is the durable control).
_express.use(lusca.xframe('SAMEORIGIN'));
_express.use(lusca.xssProtection(true));

_express.use((req, res, next) => {
  // Remember where the visitor was heading so the login flow can send them
  // back afterwards. Anonymous visitors: everything except the login/signup
  // pages, the /auth callbacks and anything that looks like a static asset
  // (contains a dot). Signed-in users: only /account and /api/* are recorded.
  const reqPath = req.path;
  const isLoginPage = reqPath === '/login' || reqPath === '/signup';
  const isAuthRoute = /^\/auth/.test(reqPath);
  const looksLikeAsset = /\./.test(reqPath);
  const isApiRoute = /^\/api/.test(reqPath);

  let remember;
  if (!req.user) {
    remember = !isLoginPage && !isAuthRoute && !looksLikeAsset;
  } else {
    remember = reqPath === '/account' || isApiRoute;
  }

  // NOTE(review): the redirect that later consumes returnTo is not visible
  // here; it should only follow same-origin paths.
  if (remember) {
    req.session.returnTo = req.originalUrl;
  }
  next();
});
}));
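// Authentication and flash messages. passport.session() expects a session
// middleware (express-session or equivalent) to be mounted before it.
app.use(passport.initialize());
app.use(passport.session());
app.use(flash());

// security
app.disable('x-powered-by'); // do not advertise the framework in responses

// Build the CSRF middleware once instead of on every request: lusca.csrf()
// returns a configured middleware function, and the per-request token state
// is read from the session on each call (confirm for the installed lusca).
const csrfProtection = lusca.csrf();
app.use(function enableCSRF(req, res, next) {
  // /events is deliberately exempt from the CSRF token check — presumably a
  // non-form client (e.g. an event stream) that cannot attach a token; confirm
  // before keeping the exemption.
  if (req.path === '/events') {
    next();
  } else {
    csrfProtection(req, res, next);
  }
});
app.use(lusca.xframe('SAMEORIGIN'));   // X-Frame-Options: SAMEORIGIN (clickjacking)
app.use(lusca.xssProtection(true));    // X-XSS-Protection (legacy browser filter)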
// user
// Expose the authenticated user (undefined when anonymous) to views as `user`.
app.use(function addUserToLocals(req, res, next) {
  Object.assign(res.locals, { user: req.user });
  next();
});
app.use(function redirectUser(req, res, next) {
  // After successful login, redirect back to the intended page. Anonymous
  // visitors are remembered unless they are on an /auth callback or requesting
  // something that looks like a static asset (path contains a dot); signed-in
  // users are remembered only on /account. Only the path is stored, never the
  // query string.
  const reqPath = req.path;
  const isAuthRoute = /^\/auth/.test(reqPath);
  const looksLikeAsset = /\./.test(reqPath);
  const shouldRemember = req.user
    ? reqPath === '/account'
    : !isAuthRoute && !looksLikeAsset;

  if (shouldRemember) {
    req.session.returnTo = reqPath;
  }
  next();
});
const html = md.render(str);
fn(null, html);
} catch (err) {
fn(err);
}
});
})
.set('view engine', 'html')
.set('views', `${__dirname}/public`)
.use(session(config.get('session')))
.use(setCsrfHeader)
.disable('x-powered-by') // Do not advertise Express
// .use(lusca.csrf()) // Cross Site Request Forgery
// .use(lusca.csp({policy: config.csp})) // Content Security Policy
.use(lusca.hsts({maxAge: 31536000}))
.use(lusca.xssProtection(true))
.use(helmet.noSniff())
.use(helmet.ieNoOpen())
.use(helmet.referrerPolicy({policy: 'no-referrer'}))
.use(compress()) // Use gzip compression
.use(express.static(__dirname)); // Serve static files
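// Health/landing page; verifyCsrfHeader guards it like every other route.
app.get('/', verifyCsrfHeader, (req, res) => {
  res.render('index', {
    message: 'The server is functioning properly!'
  });
});

// A requested view name must be a plain file-name token. Express URL-decodes
// route parameters, so the `:page` pattern alone does not rule out separators
// ("/" or "\") that would let res.render resolve a file outside the views
// directory; dot-prefixed names are rejected as well. Anything else is a 404.
const SAFE_PAGE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;
app.get('/:page.md', verifyCsrfHeader, (req, res) => {
  const {page} = req.params;
  if (!SAFE_PAGE_NAME.test(page)) {
    res.sendStatus(404);
    return;
  }
  res.render(`${page}.md`);
});

module.exports = app;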
app.use(bodyParser.urlencoded({ extended: true }));
app.use(expressValidator());

// Session store backed by MongoDB; the connection string comes from the
// environment (MONGODB_URI, falling back to MONGOLAB_URI).
const mongoSessionStore = new MongoStore({
  url: process.env.MONGODB_URI || process.env.MONGOLAB_URI,
  autoReconnect: true
});

app.use(session({
  store: mongoSessionStore,
  // Signs the session cookie; must be set in the environment. (express-session
  // is expected to refuse to start without a secret — confirm for the
  // installed version.)
  secret: process.env.SESSION_SECRET,
  resave: true,
  saveUninitialized: true
}));
// Passport (relies on the session middleware mounted above), flash messages,
// and two lusca response headers: X-Frame-Options: SAMEORIGIN and
// X-XSS-Protection. app.use() returns the app, so the registrations are
// chained; the order is unchanged.
app
  .use(passport.initialize())
  .use(passport.session())
  .use(flash())
  .use(lusca.xframe("SAMEORIGIN"))
  .use(lusca.xssProtection(true));
// Make the current user (undefined when anonymous) available to views as `user`.
app.use((req, res, next) => {
  Object.assign(res.locals, { user: req.user });
  next();
});
app.use((req, res, next) => {
// After successful login, redirect back to the intended page
if (!req.user &&
req.path !== "/login" &&
req.path !== "/signup" &&
!req.path.match(/^\/auth/) &&
!req.path.match(/\./)) {
req.session.returnTo = req.path;
} else if (req.user &&
req.path == "/account") {
req.session.returnTo = req.path;
}
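// Create Express server
const app = express();

// Express configuration
app.set('port', process.env.PORT || 3000);
app.use(compression());
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({extended: true}));
app.use(expressValidator());

// The session secret signs the session cookie. The previous fixed value
// ('null') was checked into source, which means anyone who read it could mint
// valid session cookies; the secret now comes from the environment and startup
// fails loudly when it is absent rather than falling back to a known value.
const sessionSecret = process.env.SESSION_SECRET;
if (!sessionSecret) {
  throw new Error('SESSION_SECRET environment variable must be set');
}
app.use(expressSession({
  cookie: {maxAge: 60000}, // one minute, unchanged
  secret: sessionSecret
}));

app.use(lusca.xframe('SAMEORIGIN'));  // X-Frame-Options: SAMEORIGIN (clickjacking)
app.use(lusca.xssProtection(true));   // X-XSS-Protection (legacy browser filter)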
// CORS: any origin may read responses and send the listed request headers.
// The wildcard origin makes this API callable from every site in a browser;
// restrict it to known origins if the API is not meant to be public.
app.use((req, res, next) => {
  res.set({
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept'
  });
  next();
});
// Static assets from ./public with a one-year browser cache
// (365.25 days = 31557600000 ms, the same value as before).
app.use(express.static(path.join(__dirname, 'public'), {
  maxAge: 365.25 * 24 * 60 * 60 * 1000
}));

/**
 * API examples routes.
 */
app.get('/api', apiController.getApi);
luscaXframe = lusca.xframe(config.security.xframe);
obj.server.use(luscaXframe).blacklist(luscaXframe);
}
// Each lusca middleware below is stored in an outer-scope variable (declared
// elsewhere), mounted on every route with obj.server.use() and then passed to
// .blacklist() — presumably to exclude it from the route protection list;
// confirm against the obj.server API.

// P3P header: only when a non-empty policy string is configured.
if (!string.isEmpty(config.security.p3p || "")) {
luscaP3p = lusca.p3p(config.security.p3p);
obj.server.use(luscaP3p).blacklist(luscaP3p);
}
// Strict-Transport-Security: enabled only when an options object is configured.
if (config.security.hsts instanceof Object) {
luscaHsts = lusca.hsts(config.security.hsts);
obj.server.use(luscaHsts).blacklist(luscaHsts);
}
// X-XSS-Protection is expected as an options object here; a bare `true` in the
// config fails the instanceof test and leaves the header disabled.
if (config.security.xssProtection instanceof Object) {
luscaXssProtection = lusca.xssProtection(config.security.xssProtection);
obj.server.use(luscaXssProtection).blacklist(luscaXssProtection);
}
// Route protection from config.auth.protect, mounted after the header
// middleware above (presumably so those headers are set regardless of the
// authorization outcome).
protection = zuul(config.auth.protect);
obj.server.use(protection).blacklist(protection);
if (stateless && !stateful) {
init(false);
} else {
init(true);
passport.serializeUser(function (user, done) {
done(null, user);
});
passport.deserializeUser(function (arg, done) {
*/
const app = express();

/**
 * Express configuration.
 */
// Express's app methods return the app, so the middleware stack is registered
// as a single chain; the order matches the original one-per-line statements.
app
  .set("port", process.env.PORT || 3000)
  .use(compression())
  // cors() with no options presumably permits any origin; narrow it to known
  // origins if the API is not meant to be public.
  .use(cors())
  .use(logger("dev"))
  .use(bodyParser.json())
  .use(bodyParser.urlencoded({ extended: true }))
  .use(expressValidator())
  .use(flash())
  .use(lusca.xframe("SAMEORIGIN"))   // X-Frame-Options: SAMEORIGIN
  .use(lusca.xssProtection(true))    // X-XSS-Protection (legacy browser filter)
  // one-year browser cache: 365.25 days = 31557600000 ms, unchanged
  .use(express.static(path.join(__dirname, "public"), {
    maxAge: 365.25 * 24 * 60 * 60 * 1000
  }));
/**
 * API routes.
 */
// Routes that share a path are declared once via app.route(). None of these
// paths overlap for the same HTTP method, so grouping them does not change
// which handler a request reaches. Mutating endpoints require validateToken.
app.get("/", apiController.getRoot);

app.post("/user/create", apiController.createUser);
app.post("/user/login", apiController.loginUser);
app.post("/user/delete", apiController.validateToken, apiController.deleteUser);

app.route("/type/:type")
  .get(apiController.getType)
  .post(apiController.validateToken, apiController.addDocument);
app.get("/type/:type/schema", apiController.getTypeSchema);
app.route("/type/:type/:hash")
  .post(apiController.validateToken, apiController.getTypeDocument)
  .put(apiController.validateToken, apiController.updateDocument)
  .delete(apiController.validateToken, apiController.deleteDocument);

// NOTE(review): this read is unauthenticated while the per-type document read
// above requires a token — confirm that is intended.
app.get("/document/:hash", apiController.getDocument);