Skip to content
/ WAF-JS Public

Simple WAF to integrate with Node.js web systems

License

MIT license
3 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

undertuga/WAF-JS

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

67 Commits
lib
lib
 
 
test
test
 
 
.eslintrc.json
.eslintrc.json
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
package.json
package.json
 
 

Repository files navigation

WAF-JS
Simple WAF to integrate with Node.js web systems

Build Status Coverage Status License: MIT npm node

Description

WAF-JS is a simple WAF developed for basic protection on Node.JS web systems, providing basic bot detection, HTTP method checking and some HTTP headers analysis. With a simple package install and passing some arguments, it can check if you want to continue handling the request, or simply drop it, log it or redirect it somewhere else.

It can be configurable by passing the allowed / desirable HTTP request methods and content types, and it also makes it possible to extend the current bot signatures.

Instalation

In order to install WAF-JS package, simply run:
npm install wafjs --save

Available Methods

  • botCheck() Based on pre-defined rules / signatures (with the possibility of extending them), and taking the user-agent field from the request headers, it tries to check of the request is from a known bot / crawler / spider, etc.. Returns a boolean value (if bot: true | not bot: false)

  • extendBotSigs({signatures}) Allows the extensions of pre-defined bot / crawlers, spiders, etc... signatures. Receives an array of signatures to be added to the pre-defined ones.

  • removeBotSig({signature}) Removes a signature from the list.

  • reqCheck() Checks the request, analysing the HTTP request method and content type, and matching it with the given config (allowed methods & content types). Returns a boolean value (valid / allowed request: true | invalid / forbidden request: false)

  • wafChecks() Performs both checks (bot and requests) returning a boolean value as response, according with the validity of the request components. (not a bot AND valid request: true | is bot OR invalid request: false)

Configuration & Usage

The following arguments are required to be passed to WAFJS

  1. Configuration object containing the allowedMethods & contentTypes

example of base config:

const baseConfig = {
  allowedMethods: ['GET', 'POST', 'PATCH', 'DELETE'], // allowed / desired HTTP methods
  contentTypes: ['application/json', 'multipart/form-data'] // allowed / desired content-types
}
  1. The request HTTP method of the request to be checked
  2. HTTP request headers object, or a custom object containing the user-agent & content-type properties

The wafjs package exports a class (WAFJS), wich can be instantiated as follows:

// package requirement
const { WAFJS } = require('wafjs') 

// declaring new WAFJS class instance
let _wafjs = new WAFJS(baseConfig, req.method, req.headers)

// usage example | bot check
if(_wafjs.botCheck()){
  res.statusCode = 403
  res.end()
}

ExpressJS integration example

WAFJS can easily be integrated into ExpressJS as middleware, analysing the request before any further handling by the web system:

  // WAF middleware validation & request id injection on every request
  express.use(async (req, res, next) => {
    if(_wafjs.reqCheck(req.method, req.headers))
      res.status(403).send()
  });

About

Simple WAF to integrate with Node.js web systems

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 1

WAF-JS v1.0 Latest
Nov 6, 2019

Packages

No packages published

Languages