Merge pull request #997 from yilenpan/feat/csrf

[feat] Added Lusca middleware for CSRF [fixes #828]
This commit is contained in:
Liran Tal
2016-02-20 13:16:31 +02:00
3 changed files with 20 additions and 2 deletions

13
config/env/default.js vendored
View File

@@ -28,6 +28,19 @@ module.exports = {
// for obsecurity reasons
sessionKey: 'sessionId',
sessionCollection: 'sessions',
// Lusca config
csrf: {
csrf: false,
csp: { /* Content Security Policy object */},
xframe: 'SAMEORIGIN',
p3p: 'ABCDEF',
hsts: {
maxAge: 31536000, // Forces HTTPS for one year
includeSubDomains: true,
preload: true
},
xssProtection: true
},
logo: 'modules/core/client/img/brand/logo.png',
favicon: 'modules/core/client/img/brand/favicon.ico',
uploads: {

View File

@@ -17,7 +17,8 @@ var config = require('../config'),
helmet = require('helmet'),
flash = require('connect-flash'),
consolidate = require('consolidate'),
path = require('path');
path = require('path'),
lusca = require('lusca');
/**
* Initialize local variables
@@ -122,6 +123,9 @@ module.exports.initSession = function (app, db) {
collection: config.sessionCollection
})
}));
// Add Lusca CSRF Middleware
app.use(lusca(config.csrf));
};
/**
@@ -228,7 +232,7 @@ module.exports.init = function (db) {
// Initialize Express view engine
this.initViewEngine(app);
// Initialize Helmet security headers
this.initHelmetHeaders(app);

View File

@@ -43,6 +43,7 @@
"helmet": "~0.9.1",
"jasmine-core": "~2.3.4",
"lodash": "~3.10.0",
"lusca": "~1.3.0",
"method-override": "~2.3.3",
"mocha": "~2.4.5",
"mongoose": "~4.2.3",