[ICO]NameLast modifiedSizeDescription
[PARENTDIR]Parent Directory  -  
[DIR]lib/2023-06-08 14:13 -  
[DIR]node_modules/2023-06-08 14:14 -  
[TXT]CHANGELOG.md2016-05-24 09:46 768  
[TXT]LICENSE.txt2015-11-02 08:08 2.8K0fb859dc fixed mobile overflwo options [كارل مبارك]
[TXT]README.md2016-05-24 09:44 4.7K0fb859dc fixed mobile overflwo options [كارل مبارك]
[   ]index.js2015-11-02 08:08 2.6K 
[   ]package.json2023-06-08 14:14 2.2K 
# koa-lusca

[![NPM version][npm-image]][npm-url]
[![build status][travis-image]][travis-url]
[![Test coverage][coveralls-image]][coveralls-url]
[![Gittip][gittip-image]][gittip-url]
[![David deps][david-image]][david-url]
[![npm download][download-image]][download-url]

[npm-image]: https://img.shields.io/npm/v/koa-lusca.svg?style=flat-square
[npm-url]: https://npmjs.org/package/koa-lusca
[travis-image]: https://img.shields.io/travis/koajs/koa-lusca.svg?style=flat-square
[travis-url]: https://travis-ci.org/koajs/koa-lusca
[coveralls-image]: https://img.shields.io/coveralls/koajs/koa-lusca.svg?style=flat-square
[coveralls-url]: https://coveralls.io/r/koajs/koa-lusca?branch=master
[gittip-image]: https://img.shields.io/gittip/fengmk2.svg?style=flat-square
[gittip-url]: https://www.gittip.com/fengmk2/
[david-image]: https://img.shields.io/david/koajs/koa-lusca.svg?style=flat-square
[david-url]: https://david-dm.org/koajs/koa-lusca
[download-image]: https://img.shields.io/npm/dm/koa-lusca.svg?style=flat-square
[download-url]: https://npmjs.org/package/koa-lusca

Web application security middleware for koa.

Fork from [lusca](https://github.com/krakenjs/lusca), [krakenjs/lusca#26](https://github.com/krakenjs/lusca/pull/26).

## Usage

```js
var koa = require('koa');
var lusca = require('koa-lusca');
var app = koa();

app.use(lusca({
  csrf: true,
  csp: { /* ... */},
  xframe: 'SAMEORIGIN',
  p3p: 'ABCDEF',
  hsts: { maxAge: 31536000, includeSubDomains: true },
  xssProtection: true
}));
```

Setting any value to `false` will disable it. Alternately, you can opt into methods one by one:

```js
app.use(lusca.csrf());
app.use(lusca.csp({/* ... */}));
app.use(lusca.xframe({ value: 'SAMEORIGIN' }));
app.use(lusca.p3p({ value: 'ABCDEF' }));
app.use(lusca.hsts({ maxAge: 31536000 });
app.use(lusca.xssProtection();
```

## API

### lusca.csrf(options)

* `key` String - Optional. The name of the CSRF token added to the model. Defaults to `_csrf`.
* `secret` String - Optional. The key to place on the session object which maps to the server side token. Defaults to `_csrfSecret`.
* `impl` Function - Optional. Custom implementation to generate a token.

Enables [Cross Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_\(CSRF\)) (CSRF) headers.

If enabled, the CSRF token must be in the payload when modifying data or you will receive a *403 Forbidden*. To send the token you'll need to echo back the `_csrf` value you received from the previous request.

### lusca.csp(options)

* `options.policy` Object - Object definition of policy.
* `options.policy` String, Object, or an Array - Object definition of policy. Valid policies examples include:
    * `{"default-src": "*"}`
    * `"referrer no-referrer"`
    * `[{ "img-src": "'self' http:" }, "block-all-mixed-content"]`
* `options.reportOnly` Boolean - Enable report only mode.
* `options.reportUri` String - URI where to send the report data

Enables [Content Security Policy](https://www.owasp.org/index.php/Content_Security_Policy) (CSP) headers.

#### Example Options

```js
// Everything but images can only come from own domain (excluding subdomains)
{
  policy: {
    'default-src': '\'self\'',
    'img-src': '*'
  }
}
```

See the [MDN CSP usage](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy) page for more information on available policy options.

### lusca.xframe(value)

* `value` String - Required. The value for the header, e.g. DENY, SAMEORIGIN or ALLOW-FROM uri.

Enables X-FRAME-OPTIONS headers to help prevent [Clickjacking](https://www.owasp.org/index.php/Clickjacking).

### lusca.p3p(value)

* `value` String - Required. The compact privacy policy.

Enables [Platform for Privacy Preferences Project](http://support.microsoft.com/kb/290333) (P3P) headers.

### lusca.hsts(options)

* `options.maxAge` Number - Required. Number of seconds HSTS is in effect.
* `options.includeSubDomains` Boolean - Optional. Applies HSTS to all subdomains of the host

Enables [HTTP Strict Transport Security](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security) for the host domain. The preload flag is required for HSTS domain submissions to [Chrome's HSTS preload list](https://hstspreload.appspot.com)

### lusca.xssProtection(options)

* `options.enabled` Boolean - Optional. If the header is enabled or not (see header docs). Defaults to `1`.
* `options.mode` String - Optional. Mode to set on the header (see header docs). Defaults to `block`.

Enables [X-XSS-Protection](http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx) headers to help prevent cross site scripting (XSS) attacks in older IE browsers (IE8)

## License

- Original License: Apache License, Version 2.0, Copyright (C) 2014 eBay Software Foundation
- Now: [MIT](LICENSE.txt)