lusca
Application security for express apps.
My browser says:

> Cookie “XSRF-TOKEN” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more...
Hey there. I'm working on a legacy system and need to change the name of the CSRF-Token. I have tried many different options, but nothing seems to work. `app.use(lusca({...`
I just realized that you need to write the policy like this in order for the nonce to work: `policy: { "default-src": "'self'", "img-src": "'self'", "style-src": " 'self' 'unsafe-inline'",...`
Hi, I am trying to setup a backend code which uses Lusca for security. The code is hosted on EC2 instance and it needs to read some values from AWS...
```
app.use(lusca({
    csrf: { angular: true },
    xframe: 'SAMEORIGIN',
    hsts: {
        maxAge: 31536000, // 1 year, in seconds
        includeSubDomains: true,
        preload: true
    },
    xssProtection: true
}));
```

use postman in chrome...
Hi, I'm an independent security researcher and author of [`host-validation`](https://www.npmjs.com/package/host-validation), an NPM module for protecting Express.js servers from DNS rebinding attacks via host header validation. I've done a [fair amount...
We have a scenario where our API is consumed by an Angular app using JWT with cookies for authentication and as such we have CSRF enabled. Our server also supports...
Chromium supports `X-XSS-Protection: 1; report=`. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Documentation says:

> If enabled, the CSRF token must be in the payload when modifying data or you will receive a 403 Forbidden

But the error that is thrown from...