芝麻web文件管理V1.00
编辑当前文件:/home/freeclou/app.optimyar.com/backend/node_modules/koa-lusca/README.md
# koa-lusca [![NPM version][npm-image]][npm-url] [![build status][travis-image]][travis-url] [![Test coverage][coveralls-image]][coveralls-url] [![Gittip][gittip-image]][gittip-url] [![David deps][david-image]][david-url] [![npm download][download-image]][download-url] [npm-image]: https://img.shields.io/npm/v/koa-lusca.svg?style=flat-square [npm-url]: https://npmjs.org/package/koa-lusca [travis-image]: https://img.shields.io/travis/koajs/koa-lusca.svg?style=flat-square [travis-url]: https://travis-ci.org/koajs/koa-lusca [coveralls-image]: https://img.shields.io/coveralls/koajs/koa-lusca.svg?style=flat-square [coveralls-url]: https://coveralls.io/r/koajs/koa-lusca?branch=master [gittip-image]: https://img.shields.io/gittip/fengmk2.svg?style=flat-square [gittip-url]: https://www.gittip.com/fengmk2/ [david-image]: https://img.shields.io/david/koajs/koa-lusca.svg?style=flat-square [david-url]: https://david-dm.org/koajs/koa-lusca [download-image]: https://img.shields.io/npm/dm/koa-lusca.svg?style=flat-square [download-url]: https://npmjs.org/package/koa-lusca Web application security middleware for koa. Fork from [lusca](https://github.com/krakenjs/lusca), [krakenjs/lusca#26](https://github.com/krakenjs/lusca/pull/26). ## Usage ```js var koa = require('koa'); var lusca = require('koa-lusca'); var app = koa(); app.use(lusca({ csrf: true, csp: { /* ... */}, xframe: 'SAMEORIGIN', p3p: 'ABCDEF', hsts: { maxAge: 31536000, includeSubDomains: true }, xssProtection: true })); ``` Setting any value to `false` will disable it. Alternately, you can opt into methods one by one: ```js app.use(lusca.csrf()); app.use(lusca.csp({/* ... */})); app.use(lusca.xframe({ value: 'SAMEORIGIN' })); app.use(lusca.p3p({ value: 'ABCDEF' })); app.use(lusca.hsts({ maxAge: 31536000 }); app.use(lusca.xssProtection(); ``` ## API ### lusca.csrf(options) * `key` String - Optional. The name of the CSRF token added to the model. Defaults to `_csrf`. * `secret` String - Optional. The key to place on the session object which maps to the server side token. Defaults to `_csrfSecret`. * `impl` Function - Optional. Custom implementation to generate a token. Enables [Cross Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_\(CSRF\)) (CSRF) headers. If enabled, the CSRF token must be in the payload when modifying data or you will receive a *403 Forbidden*. To send the token you'll need to echo back the `_csrf` value you received from the previous request. ### lusca.csp(options) * `options.policy` Object - Object definition of policy. * `options.policy` String, Object, or an Array - Object definition of policy. Valid policies examples include: * `{"default-src": "*"}` * `"referrer no-referrer"` * `[{ "img-src": "'self' http:" }, "block-all-mixed-content"]` * `options.reportOnly` Boolean - Enable report only mode. * `options.reportUri` String - URI where to send the report data Enables [Content Security Policy](https://www.owasp.org/index.php/Content_Security_Policy) (CSP) headers. #### Example Options ```js // Everything but images can only come from own domain (excluding subdomains) { policy: { 'default-src': '\'self\'', 'img-src': '*' } } ``` See the [MDN CSP usage](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy) page for more information on available policy options. ### lusca.xframe(value) * `value` String - Required. The value for the header, e.g. DENY, SAMEORIGIN or ALLOW-FROM uri. Enables X-FRAME-OPTIONS headers to help prevent [Clickjacking](https://www.owasp.org/index.php/Clickjacking). ### lusca.p3p(value) * `value` String - Required. The compact privacy policy. Enables [Platform for Privacy Preferences Project](http://support.microsoft.com/kb/290333) (P3P) headers. ### lusca.hsts(options) * `options.maxAge` Number - Required. Number of seconds HSTS is in effect. * `options.includeSubDomains` Boolean - Optional. Applies HSTS to all subdomains of the host Enables [HTTP Strict Transport Security](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security) for the host domain. The preload flag is required for HSTS domain submissions to [Chrome's HSTS preload list](https://hstspreload.appspot.com) ### lusca.xssProtection(options) * `options.enabled` Boolean - Optional. If the header is enabled or not (see header docs). Defaults to `1`. * `options.mode` String - Optional. Mode to set on the header (see header docs). Defaults to `block`. Enables [X-XSS-Protection](http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx) headers to help prevent cross site scripting (XSS) attacks in older IE browsers (IE8) ## License - Original License: Apache License, Version 2.0, Copyright (C) 2014 eBay Software Foundation - Now: [MIT](LICENSE.txt)