Keeping in mind the principles of "Avoid DIY Security" and "Choose third-party software wisely", there are two commonly used Node modules that can help secure your Node servers: helmet, and lusca by PayPal. Both offer similar, but not identical, sets of functionality.
Helmet is a collection of middleware that can be included with your Express server to help protect against a few common attack vectors, and consists of:
- contentSecurityPolicy for setting Content Security Policy
- dnsPrefetchControl controls browser DNS prefetching
- frameguard to prevent clickjacking
- hidePoweredBy to remove the X-Powered-By header
- hpkp for HTTP Public Key Pinning
- hsts for HTTP Strict Transport Security
- ieNoOpen sets X-Download-Options for IE8+
- noCache to disable client-side caching
- noSniff to keep clients from sniffing the MIME type
- xssFilter adds some small XSS protections
Helmet out of the box, without any extra configuration, will use most of the above middleware, with the exception of those which require some additional configuration and/or may not be appropriate in all environments.
Lusca is another collection of middleware to protect against some common attacks, and is part of the Kraken framework by PayPal. However, it can be used independently of Kraken, since Kraken is a framework built on top of Express.
While there is some overlap between Lusca and Helmet, the features provided by Lusca include:
- Cross Site Request Forgery (CSRF)
- X-Frame for clickjacking
- P3P Headers
- HTTP Strict Transport Security
- X-XSS-Protection headers
Lusca and CSRF
One of the noteworthy features of Lusca's CSRF support is an Angular-specific option that sets lusca up to use the default settings for CSRF validation according to the AngularJS docs.