A simple Web Application Firewall (WAF)

express-waf
===========

A small web application firewall for the NodeJS Express framework.

Installation
----------

```
npm install --save express-waf
```

Usage
----------

The constructor expects the configuration for the blocker and optional settings as parameters. The blocker configuration includes:

- blockTime: A blacklist timeout: the time after which entries are removed from the blacklist.
- db: The database used for the blacklist. In the folder "/database" you can find predefined database connectors. If you don't find the connector you need, you may define your own database connector. This connector must define an add-, a remove- and a contains-function.

```
var ExpressWaf = require('express-waf');
var emudb = new ExpressWaf.EmulatedDB();
var waf = new ExpressWaf.ExpressWaf({
  blocker: {
    db: emudb,
    blockTime: 1000
  },
  log: true
});
```

After that you can add additional modules to the firewall. Without these modules the firewall won't block any attacks; the basic functionality only includes a blacklist for evil hosts and a logging mechanism for attacks. Additional modules can be found in the folder "/modules". These include, for example, a module against SQL Injection attacks and a module against CSRF attacks. For example, this is how to add the CSRF module:

```
waf.addModule('csrf-module', {
  allowedMethods: ['GET', 'POST'],
  refererIndependentUrls: ['/'],
  allowedOrigins: ['www.example.com']
}, function (error) {
  console.log(error);
});
```

Don't forget to finally add the check method of express-waf as middleware:

```
app.use(waf.check);
```

If you forget this step your firewall won't do anything!

This is it. Your firewall is now configured to be used with your node.js/express application.
List of Modules
---------

- csrf-module: https://www.owasp.org/index.php/CSRF
- lfi-module: https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
- sql-module: https://www.owasp.org/index.php/SQL_Injection
- xss-module: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

Code-Quality
---------

All modules can be tested by using the jasmine-node testing framework:

```
jasmine-node spec/
```

Code coverage can be calculated with istanbul:

```
istanbul cover jasmine-node spec/
```

Current Jenkins report for this project:

- ![BuildStatus](http://jenkins.tomm-apps.de/buildStatus/icon?job=tommapps_express-waf)
- ![Test](http://jenkins.tomm-apps.de:3434/badge/tommapps_express-waf/test)
- ![LastBuild](http://jenkins.tomm-apps.de:3434/badge/tommapps_express-waf/lastbuild)
- ![Coverage](http://jenkins.tomm-apps.de:3434/badge/tommapps_express-waf/coverage)