Web application security middleware for koa.

Fork from lusca, krakenjs/lusca#26.

var koa = require('koa');
var lusca = require('koa-lusca');
var app = koa();

app.use(lusca({
  csrf: true,
  csp: { /* ... */},
  xframe: 'SAMEORIGIN',
  p3p: 'ABCDEF',
  hsts: { maxAge: 31536000, includeSubDomains: true },
  xssProtection: true
}));

Setting any value to false will disable it. Alternately, you can opt into methods one by one:

app.use(lusca.csrf());
app.use(lusca.csp({/* ... */}));
app.use(lusca.xframe({ value: 'SAMEORIGIN' }));
app.use(lusca.p3p({ value: 'ABCDEF' }));
app.use(lusca.hsts({ maxAge: 31536000 });
app.use(lusca.xssProtection();

• key String - Optional. The name of the CSRF token added to the model. Defaults to _csrf.
• secret String - Optional. The key to place on the session object which maps to the server side token. Defaults to _csrfSecret.
• impl Function - Optional. Custom implementation to generate a token.

Enables Cross Site Request Forgery (CSRF) headers.

If enabled, the CSRF token must be in the payload when modifying data or you will receive a 403 Forbidden. To send the token you'll need to echo back the _csrf value you received from the previous request.

• options.policy Object - Object definition of policy.
• options.reportOnly Boolean - Enable report only mode.
• options.reportUri String - URI where to send the report data

Enables Content Security Policy (CSP) headers.

// Everything but images can only come from own domain (excluding subdomains)
{
  policy: {
    'default-src': '\'self\'',
    'img-src': '*'
  }
}

See the MDN CSP usage page for more information on available policy options.

• value String - Required. The value for the header, e.g. DENY, SAMEORIGIN or ALLOW-FROM uri.

Enables X-FRAME-OPTIONS headers to help prevent Clickjacking.

• value String - Required. The compact privacy policy.

Enables Platform for Privacy Preferences Project (P3P) headers.

• options.maxAge Number - Required. Number of seconds HSTS is in effect.
• options.includeSubDomains Boolean - Optional. Applies HSTS to all subdomains of the host

Enables HTTP Strict Transport Security for the host domain.

• options.enabled Boolean - Optional. If the header is enabled or not (see header docs). Defaults to 1.
• options.mode String - Optional. Mode to set on the header (see header docs). Defaults to block.

Enables X-XSS-Protection headers to help prevent cross site scripting (XSS) attacks in older IE browsers (IE8)

• Original License: Apache License, Version 2.0, Copyright (C) 2014 eBay Software Foundation
• Now: MIT