The Protevus Platform: Unified Full-Stack Development
https://protevus.com
| lib | ||
| test | ||
| .gitignore | ||
| .travis.yml | ||
| LICENSE | ||
| pubspec.yaml | ||
| README.md | ||
security
Angel middleware designed to enhance application security by patching common Web security holes.
Currently unfinished, with incomplete code coverage - USE AT YOUR OWN RISK!!!
- Generic Middleware
- Helmet Port
- Service Hooks
- Permissions
Sanitizing HTML
app.before.add(sanitizeHtmlInput());
// Or:
app.chain(sanitizeHtmlInput()).get(...)
CSRF Tokens
app.chain(verifyCsrfToken()).post('/form', ...);
app.responseFinalizers.add(setCsrfToken());
Banning by IP
app.before.add(banIp('1.2.3.4'));
// Or a range:
app.before.add(banIp('1.2.3.*'));
app.before.add(banIp('1.2.*.4'));
// Or multiple filters:
app.before.add(banIp(['1.2.3.4', '192.*.*.*', new RegExp(r'1\.2.\3.\4')]));
// Also can ban origins
app.before.add(banOrigin('*.known-attacker.com'));
// By default, `banOrigin` forces users to have an `Origin` header.
// Use this flag to disable it:
app.before.add(banOrigin('evil.site', allowEmptyOrigin: true));
Trusted Proxy
Works well with Apache or Nginx.
// ONLY trust localhost X-Forwarded-* headers
app.before.add(trustProxy('127.0.0.1'));
Throttling Requests
Throws a 429 error if the given rate limit is exceeded.
// Example: 5 requests per minute
app.before.add(throttleRequests(5, new Duration(minutes: 1)));
Helmet
security includes a port of helmetjs.
Helmet includes 11 middleware that attempt to enhance security via HTTP headers.
Call helmet to include all of them.
import 'package:angel_security/helmet.dart';
Service Hooks
Also included are a set of service hooks, ported from FeathersJS.
import 'package:angel_security/hooks.dart';
Permissions
See the tests.