angel_security 0.0.0-alpha+4

Angel middleware designed to enhance application security by patching common Web security holes.

security

Angel middleware designed to enhance application security by patching common Web security holes.

Currently unfinished, with incomplete code coverage - USE AT YOUR OWN RISK!!!

• Generic Middleware
  • Sanitizing HTML
  • CSRF Tokens
  • Banning by IP/Origin
  • Trusted Proxy
  • Throttling Requests
• Helmet Port
• Service Hooks
• Permissions

Sanitizing HTML

app.before.add(sanitizeHtmlInput());

// Or:
app.chain(sanitizeHtmlInput()).get(...)

CSRF Tokens

app.chain(verifyCsrfToken()).post('/form', ...);
app.responseFinalizers.add(setCsrfToken());

Banning by IP

app.before.add(banIp('1.2.3.4'));

// Or a range:
app.before.add(banIp('1.2.3.*'));
app.before.add(banIp('1.2.*.4'));

// Or multiple filters:
app.before.add(banIp(['1.2.3.4', '192.*.*.*', new RegExp(r'1\.2.\3.\4')]));

// Also can ban origins
app.before.add(banOrigin('*.known-attacker.com'));

// By default, `banOrigin` forces users to have an `Origin` header.
// Use this flag to disable it:
app.before.add(banOrigin('evil.site', allowEmptyOrigin: true));

Trusted Proxy

Works well with Apache or Nginx.

// ONLY trust localhost X-Forwarded-* headers
app.before.add(trustProxy('127.0.0.1'));

Throttling Requests

Throws a 429 error if the given rate limit is exceeded.

// Example: 5 requests per minute
app.before.add(throttleRequests(5, new Duration(minutes: 1)));

Helmet

security includes a port of helmetjs. Helmet includes 11 middleware that attempt to enhance security via HTTP headers.

Call helmet to include all of them.

import 'package:angel_security/helmet.dart';

Service Hooks

Also included are a set of service hooks, ported from FeathersJS.

import 'package:angel_security/hooks.dart';

Permissions

See the tests.