node-guard
v1.0.0
Published
General purpose I/O module to add following http headers to keep your webpages securing them from malware attacks. This module can be used with any node http server.
Downloads
10,392
Readme
Node Guard
General purpose I/O module to add following http headers to keep your webpages securing them from malware attacks. This module can be used with any node http server.
X-XSS-Protection
X-XSS-Protection
http header saves you from XSS
attacks. node-guard
will set up X-XSS-Protection
header on all modern browsers and will disable it for older versions of IE as they have security vulnerabilities defined here https://technet.microsoft.com/library/security/ms10-002.
const http = require('http')
const guard = require('node-guard')
const options = {
enabled: true,
enableOnOldIE: false
}
http.createServer(function (req, res) {
guard.addXssFilter(req, res, options)
res.end()
}).listen(3000)
X-Frame-Options
X-Frame-Options
defines whether your webpage can be embedded as an iframe to other website. It can take 3 different values from ALLOW-FROM
, DENY
and SAMEORIGIN
const http = require('http')
const guard = require('node-guard')
const options = 'DENY' // cannot be embedded at all
// or
const options = 'SAMEORIGIN' // only this website
// or
const options = 'ALLOW-FROM http://example.com' // defined uri
http.createServer(function (req, res) {
guard.addFrameOptions(res, options)
res.end()
}).listen(3000)
X-Content-Type-Options
X-Content-Type-Options
disables sniffing from web browsers, where they will try to sniff
mimetypes. Which means a web browser will execute the javascript file even if the content-type
of that file is not set to javascript
. Give it a read https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
const http = require('http')
const guard = require('node-guard')
const options = true // or false
http.createServer(function (req, res) {
guard.addNoSniff(res, options)
res.end()
}).listen(3000)
X-Download-Options
IE specific header to stop users from executing html files with the access to your site context. Here is a good read on same https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/.
const http = require('http')
const guard = require('node-guard')
const options = true // or false
http.createServer(function (req, res) {
guard.addNoOpen(res, options)
res.end()
}).listen(3000)