CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/npm-lusca

Application security middleware for Express.js providing CSRF protection, CSP headers, and comprehensive web security features.

Pending
Quality

Pending

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Pending

The risk profile of this skill

Overview
Eval results
Files

Lusca

Lusca is a comprehensive web application security middleware for Express.js applications that provides essential security features including Cross-Site Request Forgery (CSRF) protection, Content Security Policy (CSP) headers, X-Frame-Options for clickjacking prevention, HTTP Strict Transport Security (HSTS), X-XSS-Protection headers, X-Content-Type-Options for MIME-sniffing prevention, Platform for Privacy Preferences (P3P) headers, and Referrer-Policy control.

Package Information

  • Package Name: lusca
  • Package Type: npm
  • Language: JavaScript
  • Installation: npm install lusca

Core Imports

const lusca = require('lusca');

For individual security modules:

const lusca = require('lusca');
// Access individual modules as properties
// lusca.csrf, lusca.csp, lusca.hsts, lusca.p3p, 
// lusca.xframe, lusca.xssProtection, lusca.nosniff, lusca.referrerPolicy

Basic Usage

Unified Configuration

const express = require('express');
const session = require('express-session');
const lusca = require('lusca');

const app = express();

// Session middleware required for CSRF
app.use(session({
  secret: 'your-secret-key',
  resave: true,
  saveUninitialized: true
}));

// Apply all security features at once
app.use(lusca({
  csrf: true,
  csp: { policy: { 'default-src': "'self'" } },
  xframe: 'SAMEORIGIN',
  p3p: 'ABCDEF',
  hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
  xssProtection: true,
  nosniff: true,
  referrerPolicy: 'same-origin'
}));

Individual Module Usage

// Apply security features individually
app.use(lusca.csrf());
app.use(lusca.csp({ policy: { 'default-src': "'self'" } }));
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.p3p('ABCDEF'));
app.use(lusca.hsts({ maxAge: 31536000 }));
app.use(lusca.xssProtection(true));
app.use(lusca.nosniff());
app.use(lusca.referrerPolicy('same-origin'));

Architecture

Lusca is built around a modular security middleware architecture:

  • Main Function: Unified configuration that applies multiple security features
  • Individual Modules: Standalone middleware functions for specific security headers
  • Session Integration: CSRF protection requires Express session middleware
  • Nonce Support: Automatic nonce generation for CSP when styleNonce or scriptNonce is enabled

Capabilities

Main Lusca Function

Configures and applies multiple security features based on provided options.

/**
 * Main lusca middleware function that applies multiple security features
 * @param {Object} options - Configuration object with security feature options
 * @returns {Function} Express middleware function
 */
function lusca(options);

Options Properties:

  • csrf - CSRF protection configuration (boolean or object)
  • csp - Content Security Policy configuration (object)
  • xframe - X-Frame-Options value (string)
  • p3p - P3P compact privacy policy (string)
  • hsts - HTTP Strict Transport Security configuration (object)
  • xssProtection - X-XSS-Protection configuration (boolean or object)
  • nosniff - X-Content-Type-Options configuration (boolean)
  • referrerPolicy - Referrer-Policy value (string)

CSRF Protection

Provides Cross-Site Request Forgery protection with token-based validation.

/**
 * CSRF protection middleware
 * @param {Object} options - CSRF configuration options
 * @returns {Function} Express middleware function that validates CSRF tokens
 */
function csrf(options);

interface CSRFOptions {
  /** The name of the CSRF token in the model. Default "_csrf" */
  key?: string;
  /** The key to place on the session object for server side token. Default "_csrfSecret" */
  secret?: string;
  /** Custom implementation to generate a token */
  impl?: TokenImplementation;
  /** The name of the response header containing CSRF token. Default "x-csrf-token" */
  header?: string;
  /** Cookie configuration for CSRF token */
  cookie?: string | {
    name: string;
    options?: CookieOptions;
  };
  /** Shorthand setting for AngularJS CSRF defaults */
  angular?: boolean;
  /** Routes that will not have CSRF protection */
  blocklist?: string | Array<string | { path: string; type: 'exact' | 'startsWith' }>;
  /** Routes that will have CSRF protection (all others will not) */
  allowlist?: string | Array<string | { path: string; type: 'exact' | 'startsWith' }>;
}

interface TokenImplementation {
  create(req: Request, secret: string): {
    token: string;
    secret: string;
    validate: (req: Request, token: string) => boolean;
  };
}

Adds to Request:

/**
 * Function added to req object for getting CSRF token
 * @returns {string} Current CSRF token
 */
req.csrfToken(): string;

Content Security Policy

Enables Content Security Policy headers to prevent XSS attacks.

/**
 * Content Security Policy middleware
 * @param {Object} options - CSP configuration options
 * @returns {Function} Express middleware function that sets CSP headers
 */
function csp(options);

interface CSPOptions {
  /** CSP policy definition */
  policy?: string | Object | Array<string | Object>;
  /** Enable report-only mode */
  reportOnly?: boolean;
  /** URI where to send violation reports */
  reportUri?: string;
  /** Enable nonce for inline style-src, access from res.locals.nonce */
  styleNonce?: boolean;
  /** Enable nonce for inline script-src, access from res.locals.nonce */
  scriptNonce?: boolean;
}

/**
 * Utility function to create policy strings from various formats
 * @param {string|Object|Array} policy - Policy definition
 * @returns {string} Formatted policy string
 */
function createPolicyString(policy): string;

HTTP Strict Transport Security

Enables HSTS headers to enforce HTTPS connections.

/**
 * HSTS middleware
 * @param {Object} options - HSTS configuration options
 * @returns {Function} Express middleware function that sets HSTS headers
 */
function hsts(options);

interface HSTSOptions {
  /** Number of seconds HSTS is in effect. Required */
  maxAge?: number;
  /** Applies HSTS to all subdomains of the host */
  includeSubDomains?: boolean;
  /** Adds preload flag for Chrome's HSTS preload list */
  preload?: boolean;
}

Platform for Privacy Preferences

Enables P3P headers for legacy Internet Explorer privacy policies.

/**
 * P3P middleware
 * @param {string} value - The P3P compact privacy policy value
 * @returns {Function} Express middleware function that sets P3P headers
 */
function p3p(value);

X-Frame-Options

Enables X-Frame-Options headers to prevent clickjacking attacks.

/**
 * X-Frame-Options middleware
 * @param {string} value - Frame options value (DENY, SAMEORIGIN, ALLOW-FROM uri)
 * @returns {Function} Express middleware function that sets X-Frame-Options headers
 */
function xframe(value);

XSS Protection

Enables X-XSS-Protection headers for legacy XSS filtering in older browsers.

/**
 * X-XSS-Protection middleware
 * @param {Object|boolean} options - XSS protection configuration
 * @returns {Function} Express middleware function that sets X-XSS-Protection headers
 */
function xssProtection(options);

interface XSSProtectionOptions {
  /** Enable XSS protection (0 or 1). Default 1 */
  enabled?: number | boolean;
  /** Protection mode. Default "block" */
  mode?: string;
}

MIME Sniffing Protection

Enables X-Content-Type-Options headers to prevent MIME-sniffing attacks.

/**
 * X-Content-Type-Options middleware
 * @returns {Function} Express middleware function that sets X-Content-Type-Options headers
 */
function nosniff();

Referrer Policy

Enables Referrer-Policy headers to control referrer information.

/**
 * Referrer-Policy middleware
 * @param {string} value - Referrer policy value
 * @returns {Function} Express middleware function that sets Referrer-Policy headers
 */
function referrerPolicy(value);

Supported Values:

  • '' (empty string)
  • 'no-referrer'
  • 'no-referrer-when-downgrade'
  • 'same-origin'
  • 'origin'
  • 'strict-origin'
  • 'origin-when-cross-origin'
  • 'strict-origin-when-cross-origin'
  • 'unsafe-url'

Error Handling

  • CSRF: Returns 403 Forbidden for missing or invalid CSRF tokens
  • CSP: Throws Error for invalid policy objects
  • Referrer Policy: Throws Error for unsupported values (non-production only)
  • Session Requirement: CSRF functionality requires Express session middleware

Advanced Usage Examples

CSRF with Custom Token Implementation

const customToken = {
  create: function(req, secret) {
    // Custom token generation logic
    return {
      token: 'custom-token',
      secret: secret,
      validate: function(req, token) {
        // Custom validation logic
        return token === 'custom-token';
      }
    };
  }
};

app.use(lusca.csrf({
  impl: customToken,
  key: '_customCsrf',
  header: 'x-custom-csrf-token'
}));

Complex CSP Configuration

app.use(lusca.csp({
  policy: {
    'default-src': "'self'",
    'script-src': "'self' 'unsafe-inline'",
    'style-src': "'self' 'unsafe-inline'",
    'img-src': "'self' data: https:",
    'font-src': "'self' https://fonts.gstatic.com"
  },
  reportOnly: false,
  reportUri: '/csp-violation-report',
  styleNonce: true,
  scriptNonce: true
}));

CSRF with Path Allowlist/Blocklist

app.use(lusca.csrf({
  // Exact path matching
  blocklist: [
    { path: '/api/webhook', type: 'exact' },
    { path: '/public', type: 'startsWith' }
  ],
  // Or string format (uses startsWith matching)
  blocklist: ['/api/webhook', '/public']
}));
Workspace
tessl
Visibility
Public
Created
Last updated
Describes
npmpkg:npm/lusca@1.7.x
Publish Source
CLI
Badge
tessl/npm-lusca badge