UNPKG

aimless-security

Version:

Enhanced Runtime Application Self-Protection (RASP) and API Fuzzing Engine with advanced threat detection, behavioral analysis, and intelligent response scoring for Node.js applications

github.com/CamozDevelopment/Aimless-Security

CamozDevelopment/Aimless-Security

291 lines (234 loc) โ€ข 7.4 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
# Access Control Quick Reference ## ๐ŸŽฏ What is Access Control? The **Endpoint Access Control** system lets you define **exactly which APIs** can be executed in your application. Think of it as a bouncer at a club - only the people on the list get in. ## ๐Ÿš€ Quick Examples ### 1. Only Allow Specific APIs (Allowlist) ```javascript const aimless = new Aimless({ rasp: { blockMode: true, accessControl: { mode: 'allowlist', defaultAction: 'block', allowedEndpoints: [ { path: '/' }, { path: '/api/public/*' }, { path: '/auth/login', methods: ['POST'] } ] } } }); ``` **Result**: Only `/`, `/api/public/*`, and `POST /auth/login` are accessible. Everything else returns 403. ### 2. Block Dangerous Endpoints (Blocklist) ```javascript accessControl: { mode: 'blocklist', blockedEndpoints: [ '/admin/*', '/debug/*', '/.env' ] } ``` **Result**: Everything is allowed **except** admin routes, debug endpoints, and .env files. ### 3. Protect Sensitive Routes ```javascript accessControl: { mode: 'monitor', protectedEndpoints: [ { path: '/api/payments/*', maxThreatLevel: 'low', // Block even low threats requireAuth: true, // Must have auth header rateLimit: { maxRequests: 10, windowMs: 60000 } } ] } ``` **Result**: Payment endpoints get extra security - stricter threat detection, auth required, limited to 10 requests/minute. ## ๐Ÿ“‹ Configuration Options ### Access Control Modes | Mode | Behavior | |------|----------| | `allowlist` | Only specified endpoints are accessible (strict whitelist) | | `blocklist` | Everything allowed except blocked endpoints | | `monitor` | Log access patterns but don't enforce restrictions | ### Endpoint Rules ```typescript { path: string | RegExp, // Endpoint path or pattern methods?: string[], // Allowed HTTP methods (GET, POST, etc.) requireAuth?: boolean, // Require authentication header maxThreatLevel?: 'low' | 'medium' | 'high' | 'critical', rateLimit?: { maxRequests: number, windowMs: number } } ``` ### Pattern Matching | Pattern | Matches | Example | |---------|---------|---------| | `/api/users` | Exact match | Only `/api/users` | | `/api/*` | Wildcard | `/api/users`, `/api/posts`, etc. | | `/admin/*/settings` | Middle wildcard | `/admin/user/settings` | | `/^\/api\/v\d+\/.*/` | Regex | `/api/v1/users`, `/api/v2/posts` | ## ๐Ÿ” Common Use Cases ### Production API (Strict Security) ```javascript const aimless = new Aimless({ rasp: { blockMode: true, injectionProtection: true, xssProtection: true, accessControl: { mode: 'allowlist', defaultAction: 'block', requireAuthHeader: 'X-API-Key', // Public endpoints allowedEndpoints: [ { path: '/' }, { path: '/health' }, { path: '/auth/login', methods: ['POST'] } ], // Extra protection for admin/payments protectedEndpoints: [ { path: '/api/admin/*', maxThreatLevel: 'low', requireAuth: true }, { path: '/api/payments/*', maxThreatLevel: 'low', requireAuth: true, rateLimit: { maxRequests: 20, windowMs: 60000 } } ], // Explicitly blocked blockedEndpoints: [ '/debug/*', '/internal/*', /.env/ ] } } }); ``` ### Development Mode (Monitor Only) ```javascript const aimless = new Aimless({ rasp: { blockMode: false, // Don't block, just log accessControl: { mode: 'monitor' // Monitor access patterns } }, logging: { enabled: true, level: 'info', logFile: './security.log' } }); ``` ### SaaS Multi-Tenant API ```javascript accessControl: { mode: 'allowlist', allowedEndpoints: [ // Versioned APIs { path: /^\/api\/v\d+\/.*/ }, // Tenant-specific endpoints { path: /^\/tenants\/[a-z0-9-]+\/.*/, requireAuth: true }, // Public docs { path: '/docs/*', methods: ['GET'] } ], protectedEndpoints: [ { path: /^\/tenants\/[a-z0-9-]+\/admin\/.*/, maxThreatLevel: 'low', requireAuth: true } ] } ``` ## ๐Ÿงช Testing Your Configuration ```javascript // Check if endpoint is allowed const result = aimless.rasp.checkEndpointAccess({ method: 'GET', path: '/api/users', headers: { 'authorization': 'Bearer token' } }); console.log(result.allowed); // true/false console.log(result.reason); // Why blocked (if blocked) console.log(result.matchedRule); // Which rule matched // Check protected endpoint rules const rule = aimless.rasp.getProtectionRules({ method: 'POST', path: '/api/payments/charge' }); if (rule) { console.log(rule.maxThreatLevel); // 'low' console.log(rule.requireAuth); // true } ``` ## ๐Ÿ“Š Request Flow ``` 1. Access Control Check โ”œโ”€ Is endpoint blocked? โ†’ 403 Forbidden โ”œโ”€ Is endpoint allowed? โ”œโ”€ Auth header required? โ†’ Check header โ””โ”€ Method allowed? โ†’ Continue 2. Threat Analysis โ””โ”€ Scan for SQL/XSS/injection threats 3. Protected Endpoint Rules โ”œโ”€ Apply stricter threat levels โ”œโ”€ Per-endpoint rate limiting โ””โ”€ Decide: Allow or Block 4. Response โ””โ”€ Continue to your route handler ``` ## ๐Ÿšจ Security Best Practices 1. **Start with Monitor Mode** - Deploy in `monitor` mode first - Review logs to understand traffic patterns - Switch to `allowlist` or `blocklist` when ready 2. **Use Allowlist for Production** - Allowlist mode is most secure (zero-trust) - Explicitly define every allowed endpoint - Unknown endpoints are blocked by default 3. **Protect Sensitive Routes** - Use `protectedEndpoints` for admin, payments, etc. - Set `maxThreatLevel: 'low'` for zero tolerance - Enable `requireAuth: true` 4. **Combine with blockMode** - Set `blockMode: true` to actually block threats - `blockMode: false` only logs threats (monitor mode) 5. **Use Wildcards Wisely** - `/api/*` is convenient but broad - Prefer specific paths when possible - Use regex for complex patterns ## ๐Ÿ“– Full Example See [examples/access-control.js](../examples/access-control.js) for 6 complete configuration examples. ## ๐Ÿ†˜ Troubleshooting **"All my endpoints are blocked!"** - Check `defaultAction` - set to `'allow'` if using blocklist - Verify your endpoint paths match exactly (case-sensitive) - Try `mode: 'monitor'` temporarily to debug **"Protected endpoint not enforcing strict security"** - Ensure `blockMode: true` is set - Check `maxThreatLevel` is set correctly - Verify the path pattern matches your endpoint **"Regex patterns not working"** - Use `/.../` regex literal, not string - Test your regex pattern separately first - Remember: patterns are case-sensitive ## ๐Ÿ”— Related - [Main README](../README.md) - Full documentation - [Examples](../examples/) - Complete code examples - [Vercel Guide](../VERCEL.md) - Serverless deployment