or run

npx @tessl/cli init

Version

Tile

Overview

Evals

Files

docs

index.md

tile.json

tessl/npm-lusca

Application security middleware for Express.js providing CSRF protection, CSP headers, and comprehensive web security features.

Workspace: tessl
Visibility: Public
Created: 3 months ago
Last updated: 3 months ago
Describes: pkg:npm/lusca@1.7.x

To install, run

npx @tessl/cli install tessl/npm-lusca@1.7.0

Lusca

Lusca is a comprehensive web application security middleware for Express.js applications that provides essential security features including Cross-Site Request Forgery (CSRF) protection, Content Security Policy (CSP) headers, X-Frame-Options for clickjacking prevention, HTTP Strict Transport Security (HSTS), X-XSS-Protection headers, X-Content-Type-Options for MIME-sniffing prevention, Platform for Privacy Preferences (P3P) headers, and Referrer-Policy control.

Package Information

Package Name: lusca
Package Type: npm
Language: JavaScript
Installation: npm install lusca

Core Imports

const lusca = require('lusca');

For individual security modules:

const lusca = require('lusca');
// Access individual modules as properties
// lusca.csrf, lusca.csp, lusca.hsts, lusca.p3p, 
// lusca.xframe, lusca.xssProtection, lusca.nosniff, lusca.referrerPolicy

Basic Usage

Unified Configuration

const express = require('express');
const session = require('express-session');
const lusca = require('lusca');

const app = express();

// Session middleware required for CSRF
app.use(session({
  secret: 'your-secret-key',
  resave: true,
  saveUninitialized: true
}));

// Apply all security features at once
app.use(lusca({
  csrf: true,
  csp: { policy: { 'default-src': "'self'" } },
  xframe: 'SAMEORIGIN',
  p3p: 'ABCDEF',
  hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
  xssProtection: true,
  nosniff: true,
  referrerPolicy: 'same-origin'
}));

Individual Module Usage

// Apply security features individually
app.use(lusca.csrf());
app.use(lusca.csp({ policy: { 'default-src': "'self'" } }));
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.p3p('ABCDEF'));
app.use(lusca.hsts({ maxAge: 31536000 }));
app.use(lusca.xssProtection(true));
app.use(lusca.nosniff());
app.use(lusca.referrerPolicy('same-origin'));

Architecture

Lusca is built around a modular security middleware architecture:

Main Function: Unified configuration that applies multiple security features
Individual Modules: Standalone middleware functions for specific security headers
Session Integration: CSRF protection requires Express session middleware
Nonce Support: Automatic nonce generation for CSP when styleNonce or scriptNonce is enabled

Capabilities

Main Lusca Function

Configures and applies multiple security features based on provided options.

/**
 * Main lusca middleware function that applies multiple security features
 * @param {Object} options - Configuration object with security feature options
 * @returns {Function} Express middleware function
 */
function lusca(options);

Options Properties:

csrf - CSRF protection configuration (boolean or object)
csp - Content Security Policy configuration (object)
xframe - X-Frame-Options value (string)
p3p - P3P compact privacy policy (string)
hsts - HTTP Strict Transport Security configuration (object)
xssProtection - X-XSS-Protection configuration (boolean or object)
nosniff - X-Content-Type-Options configuration (boolean)
referrerPolicy - Referrer-Policy value (string)

CSRF Protection

Provides Cross-Site Request Forgery protection with token-based validation.

/**
 * CSRF protection middleware
 * @param {Object} options - CSRF configuration options
 * @returns {Function} Express middleware function that validates CSRF tokens
 */
function csrf(options);

interface CSRFOptions {
  /** The name of the CSRF token in the model. Default "_csrf" */
  key?: string;
  /** The key to place on the session object for server side token. Default "_csrfSecret" */
  secret?: string;
  /** Custom implementation to generate a token */
  impl?: TokenImplementation;
  /** The name of the response header containing CSRF token. Default "x-csrf-token" */
  header?: string;
  /** Cookie configuration for CSRF token */
  cookie?: string | {
    name: string;
    options?: CookieOptions;
  };
  /** Shorthand setting for AngularJS CSRF defaults */
  angular?: boolean;
  /** Routes that will not have CSRF protection */
  blocklist?: string | Array<string | { path: string; type: 'exact' | 'startsWith' }>;
  /** Routes that will have CSRF protection (all others will not) */
  allowlist?: string | Array<string | { path: string; type: 'exact' | 'startsWith' }>;
}

interface TokenImplementation {
  create(req: Request, secret: string): {
    token: string;
    secret: string;
    validate: (req: Request, token: string) => boolean;
  };
}

Adds to Request:

/**
 * Function added to req object for getting CSRF token
 * @returns {string} Current CSRF token
 */
req.csrfToken(): string;

Content Security Policy

Enables Content Security Policy headers to prevent XSS attacks.

/**
 * Content Security Policy middleware
 * @param {Object} options - CSP configuration options
 * @returns {Function} Express middleware function that sets CSP headers
 */
function csp(options);

interface CSPOptions {
  /** CSP policy definition */
  policy?: string | Object | Array<string | Object>;
  /** Enable report-only mode */
  reportOnly?: boolean;
  /** URI where to send violation reports */
  reportUri?: string;
  /** Enable nonce for inline style-src, access from res.locals.nonce */
  styleNonce?: boolean;
  /** Enable nonce for inline script-src, access from res.locals.nonce */
  scriptNonce?: boolean;
}

/**
 * Utility function to create policy strings from various formats
 * @param {string|Object|Array} policy - Policy definition
 * @returns {string} Formatted policy string
 */
function createPolicyString(policy): string;

HTTP Strict Transport Security

Enables HSTS headers to enforce HTTPS connections.

/**
 * HSTS middleware
 * @param {Object} options - HSTS configuration options
 * @returns {Function} Express middleware function that sets HSTS headers
 */
function hsts(options);

interface HSTSOptions {
  /** Number of seconds HSTS is in effect. Required */
  maxAge?: number;
  /** Applies HSTS to all subdomains of the host */
  includeSubDomains?: boolean;
  /** Adds preload flag for Chrome's HSTS preload list */
  preload?: boolean;
}

Platform for Privacy Preferences

Enables P3P headers for legacy Internet Explorer privacy policies.

/**
 * P3P middleware
 * @param {string} value - The P3P compact privacy policy value
 * @returns {Function} Express middleware function that sets P3P headers
 */
function p3p(value);

X-Frame-Options

Enables X-Frame-Options headers to prevent clickjacking attacks.

/**
 * X-Frame-Options middleware
 * @param {string} value - Frame options value (DENY, SAMEORIGIN, ALLOW-FROM uri)
 * @returns {Function} Express middleware function that sets X-Frame-Options headers
 */
function xframe(value);

XSS Protection

Enables X-XSS-Protection headers for legacy XSS filtering in older browsers.

/**
 * X-XSS-Protection middleware
 * @param {Object|boolean} options - XSS protection configuration
 * @returns {Function} Express middleware function that sets X-XSS-Protection headers
 */
function xssProtection(options);

interface XSSProtectionOptions {
  /** Enable XSS protection (0 or 1). Default 1 */
  enabled?: number | boolean;
  /** Protection mode. Default "block" */
  mode?: string;
}

MIME Sniffing Protection

Enables X-Content-Type-Options headers to prevent MIME-sniffing attacks.

/**
 * X-Content-Type-Options middleware
 * @returns {Function} Express middleware function that sets X-Content-Type-Options headers
 */
function nosniff();

Referrer Policy

Enables Referrer-Policy headers to control referrer information.

/**
 * Referrer-Policy middleware
 * @param {string} value - Referrer policy value
 * @returns {Function} Express middleware function that sets Referrer-Policy headers
 */
function referrerPolicy(value);

Supported Values:

'' (empty string)
'no-referrer'
'no-referrer-when-downgrade'
'same-origin'
'origin'
'strict-origin'
'origin-when-cross-origin'
'strict-origin-when-cross-origin'
'unsafe-url'

Error Handling

CSRF: Returns 403 Forbidden for missing or invalid CSRF tokens
CSP: Throws Error for invalid policy objects
Referrer Policy: Throws Error for unsupported values (non-production only)
Session Requirement: CSRF functionality requires Express session middleware

Advanced Usage Examples

CSRF with Custom Token Implementation

const customToken = {
  create: function(req, secret) {
    // Custom token generation logic
    return {
      token: 'custom-token',
      secret: secret,
      validate: function(req, token) {
        // Custom validation logic
        return token === 'custom-token';
      }
    };
  }
};

app.use(lusca.csrf({
  impl: customToken,
  key: '_customCsrf',
  header: 'x-custom-csrf-token'
}));

Complex CSP Configuration

app.use(lusca.csp({
  policy: {
    'default-src': "'self'",
    'script-src': "'self' 'unsafe-inline'",
    'style-src': "'self' 'unsafe-inline'",
    'img-src': "'self' data: https:",
    'font-src': "'self' https://fonts.gstatic.com"
  },
  reportOnly: false,
  reportUri: '/csp-violation-report',
  styleNonce: true,
  scriptNonce: true
}));

CSRF with Path Allowlist/Blocklist

app.use(lusca.csrf({
  // Exact path matching
  blocklist: [
    { path: '/api/webhook', type: 'exact' },
    { path: '/public', type: 'startsWith' }
  ],
  // Or string format (uses startsWith matching)
  blocklist: ['/api/webhook', '/public']
}));