guardly
v1.0.15
Security helper methods for front-end development
7/weekUpdated 1 years agoMITUnpacked: 551.4 KB
Published by G.Slinn
npm install guardly
Guardly
Guardly is a JavaScript/TypeScript library that provides a suite of security helper methods designed to enhance the security of web applications. It includes methods for preventing common web vulnerabilities such as XSS, CSRF, SQL Injection, LDAP Injection, HTTP Parameter Pollution, and more.
Features
- XSS Prevention: Escape and sanitise HTML input.
- CSRF Prevention: Generate and set CSRF tokens.
- HTTPS Enforcement: Ensure HTTPS protocol usage.
- SSL/TLS Validation: Validate SSL/TLS configurations.
- CSP Setting: Set Content-Security-Policy meta tags.
- Command Injection Prevention: Validate allowed commands.
- SQL Injection Prevention: Escape SQL special characters.
- LDAP Injection Prevention: Escape LDAP special characters.
- HTTP Verb Tampering Prevention: Validate HTTP methods.
- Header Injection Prevention: sanitise headers.
- XML Injection Prevention: sanitise XML input.
- SRI for CDN: Add Subresource Integrity (SRI) to CDN scripts.
- HTTP Parameter Pollution Prevention: sanitise URL parameters.
- Input Validation: Validate and sanitise user inputs.
Installation
Install Guardly via npm:
``bash`
npm install guardly
Run
See the RUNBOOK file for details.
Usage
*
Import the library into your project:
`javascript`
const {
validateCommand,
generateCSRFToken,
escapeHTML,
escapeSQL,
enforceHTTPS,
validateSSLCertificate,
addSRItoCDNScript,
setCSP,
isValidInput,
sanitiseInput,
escapeLDAP,
sanitiseParameters,
validateHTTPMethod,
sanitiseHeader,
sanitiseXML,
setCSRFToken,
sanitiseHTML
} = require('guardly');
Examples
*
$3
`javascript
const input = 'Test & "escape"';
const escapedOutput = escapeHTML(input); // '<div>Test & "escape"</div>'
const htmlInput = '
Safe
';const sanitisedOutput = sanitiseHTML(htmlInput); // '
Safe
'`
$3
javascript
const token = generateCSRFToken();
console.log(token); // Outputs a 24 character tokendocument.body.innerHTML = '
';
const form = document.getElementById('form');
setCSRFToken(form); // Sets the CSRF token in the form and in the cookie
`$3
javascript
enforceHTTPS(); // Redirects to HTTPS if the current protocol is HTTP
`$3
javascript
const url = 'https://example.com';
validateSSLCertificate(url); // Validates SSL/TLS configuration for the provided URL
`$3
javascript
setCSP({
'default-src': "'self'",
'script-src': "'self' https://trusted.cdn.com",
'style-src': "'self' https://trusted.styles.com",
'img-src': "'self' https://trusted.images.com"
});
// Sets a Content-Security-Policy meta tag
`$3
javascript
const allowedCommands = ["ls", "ping", "whoami"];
const command = "ls -la";
const isValid = validateCommand(command, allowedCommands); // true
`$3
javascript
const userInput = "' OR '1'='1";
const escapedInput = escapeSQL(userInput); // "\\' OR \\'1\\'=\\'1"
`$3
javascript
const ldapInput = 'admin*()\\|';
const escapedLDAPInput = escapeLDAP(ldapInput); // 'admin\\2a\\28\\29\\5c\\7c'
`$3
javascript
const allowedMethods = ["GET", "POST", "PUT", "DELETE"];
const method = "POST";
const isMethodValid = validateHTTPMethod(method, allowedMethods); // true
`$3
javascript
const header = "Content-Type: text/html\r\nContent-Length: 0";
const sanitisedHeader = sanitiseHeader(header); // 'Content-Type: text/htmlContent-Length: 0'
`$3
javascript
const xmlInput = 'John & Doe
const sanitisedXML = sanitiseXML(xmlInput); // '<user><name>John & Doe</name></user>'
`$3
javascript
addSRItoCDNScript('https://cdn.example.com/library.js', 'sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/ux5J3t3PEaNYCpAnG5P1FZCOm/S6Sni');
// Adds a script tag with SRI attributes to the document head
`$3
javascript
const params = new URLSearchParams("id=123&id=456");
const sanitisedParams = sanitiseParameters(params);
console.log(sanitisedParams.toString()); // 'id=123'
`$3
javascript
const userInput = 'Hello';
const sanitised = sanitiseInput(userInput);
console.log(sanitised); // '<script>alert("XSS")</script>Hello'const safeInput = 'Hello, World!';
const unsafeInput = '';
console.log(isValidInput(safeInput)); // true
console.log(isValidInput(unsafeInput)); // false
`Running Tests
To run the tests for Guardly, use the following command:bash
npm test
``License
This project is licensed under the MIT License - see the LICENSE file for details.