Penjaro AI-powered proxy middleware for preventive cybersecurity
npm install penjaro-network-security-library-javascript
Penjaro provides intelligent, proactive network security for your web applications and APIs. It acts as a smart shield between your application and potential threats, analyzing incoming requests and outgoing responses using a sophisticated combination of:
- Rule-based detection
- Threat intelligence feeds
- AI-powered analysis (optional)
- Framework-specific hardening techniques
Stop attacks before they reach your application logic. Penjaro integrates seamlessly as middleware or a standalone proxy, offering a powerful layer of defense against common and sophisticated threats.
- Proactive Defense: Identifies and blocks threats like SQL injection, XSS, command injection, malicious bots, DoS attempts, and more at the edge
- AI-Powered Intelligence: Leverage TensorFlow.js models to detect novel and complex attack patterns that signature-based methods might miss
- Threat Feed Integration: Stay ahead of attackers by automatically blocking IPs known for malicious activity (malware C&C, scanners, Tor exits, etc.)
- Response Security: Prevent accidental leaks of sensitive data (API keys, PII) or verbose error messages in responses
- Framework Native: Easy integration with popular Node.js frameworks (Express, NestJS, Koa, Fastify, Hapi)
- Highly Configurable: Fine-tune security policies to match your application's specific needs and risk profile
- Distributed Ready: Use Redis to share rate limiting and threat intelligence state across multiple instances
tf.js modelsIn addition to the core security features, Penjaro provides several advanced security mechanisms to enhance your application's protection:
Content Security Policy is one of the most powerful browser security features, restricting which resources can be loaded and executed by the browser. Penjaro provides comprehensive CSP support with violation reporting:
- Configure and apply CSP headers with sensible defaults
- Set up CSP violation reporting endpoints
- Store, analyze, and respond to CSP violation reports
- Multiple storage options (in-memory, file, callback)
- Notification hooks for real-time alerts
``javascript`
const penjaroMiddleware = await createPenjaroProxy({
apiKey: 'your-api-key',
securityHeaders: {
contentSecurityPolicy: {
enableReporting: true,
reportingPath: '/csp-report',
directives: {
'default-src': ["'self'"],
'script-src': ["'self'", "https://trusted-cdn.com"]
}
}
}
});
HTTP security headers provide critical browser-level protections against common web vulnerabilities. Penjaro offers a comprehensive set of security headers with sensible defaults:
- Content-Security-Policy (CSP)
- Strict-Transport-Security (HSTS)
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Permissions-Policy
- Cross-Origin headers (Opener, Embedder, Resource Policy)
`javascript`
const penjaroMiddleware = await createPenjaroProxy({
apiKey: 'your-api-key',
securityHeaders: {
frameOptions: 'DENY',
hsts: 'max-age=31536000; includeSubDomains; preload',
referrerPolicy: 'strict-origin-when-cross-origin',
permissionsPolicy: 'camera=(), microphone=(), geolocation=()'
}
});
Cookies often store sensitive session data that needs protection. Penjaro's encrypted cookies feature provides transparent encryption and decryption:
- AES-GCM encryption for cookie values
- Automatic encryption/decryption
- Cookie-specific encryption targeting
- Configurable cookie options (httpOnly, secure, SameSite)
- Convenience methods for setting/getting encrypted cookies
`javascript
const penjaroMiddleware = await createPenjaroProxy({
apiKey: 'your-api-key',
encryptedCookies: {
secretKey: 'at-least-32-characters-long-secret-key',
cookieNames: ['session', 'auth', 'token'],
defaultCookieOptions: {
httpOnly: true,
secure: true,
sameSite: 'strict'
}
}
});
// In your route handlers
app.get('/profile', (req, res) => {
// Access decrypted cookie
const sessionData = req.getDecryptedCookie('session');
// Set encrypted cookie
res.setEncryptedCookie('session', JSON.stringify({ userId: 123 }));
});
`
Ensure resources loaded from external sources (like CDNs) haven't been tampered with:
- Generate integrity hashes for scripts and stylesheets
- Verify resource integrity
- Cache generated hashes for performance
- Generate SRI-enabled HTML tags
`javascript
const { createSRIManager } = require('penjaro-network-security-library-javascript');
// Setup SRI
const sriManager = createSRIManager({
algorithms: ['sha384'],
cacheDir: '.sri-cache'
});
// Generate integrity hash
const integrity = await sriManager.generateIntegrity('https://cdn.example.com/script.js');
console.log(integrity.integrity); // outputs: "sha384-a1b2c3d4..."
// Generate script tag with integrity
const scriptTag = await sriManager.generateScriptTag('https://cdn.example.com/script.js');
`
Detect and block malicious bots, scrapers, and automated tools:
- User-Agent pattern detection
- Browser fingerprinting
- Behavioral analysis
- Challenge-based verification
- Whitelist trusted crawlers (Google, Bing, etc.)
- Customizable challenge pages
`javascript`
const penjaroMiddleware = await createPenjaroProxy({
apiKey: 'your-api-key',
botProtection: {
enableChallenges: true,
enableFingerprinting: true,
enableBehavioralAnalysis: true,
cookieName: '_bot_verify',
excludePatterns: [/^\/api\/public/, /\.(jpg|png|gif)$/],
trustedBotPatterns: [/Googlebot/i, /bingbot/i]
}
});
`bashInstall the core package
npm install penjaro-network-security-library-javascript
Core Concept: Operating Modes
Penjaro can operate in two distinct modes, determined by the presence of the
option:$3
- Integrates directly into your framework's middleware chain
- Analyzes incoming requests only
- Blocks malicious requests or passes legitimate ones to your application logic
- Ideal for securing existing applications without changing infrastructure$3
- Acts as a reverse proxy
- Analyzes both incoming requests and outgoing responses
- Forwards valid requests to your target server
- Provides comprehensive protection including data leak prevention
- Requires Penjaro to run as a separate process or containerQuick Start Examples
$3
`typescript
import express from 'express';
import { createPenjaroProxy, PenjaroConfigOptions } from 'penjaro-network-security-library-javascript';const app = express();
const penjaroOptions: PenjaroConfigOptions = {
apiKey: process.env.PENJARO_API_KEY,
enableRateLimit: true,
enableThreatIntelCheck: true,
includeDefaultFireholFeed: true,
};
async function startServer() {
try {
// Initialize Penjaro middleware
const penjaroMiddleware = await createPenjaroProxy(penjaroOptions);
// Apply Penjaro middleware BEFORE other routes/middleware
app.use(penjaroMiddleware);
// Your application routes
app.get('/', (req, res) => {
res.send('Hello World!');
});
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
console.log(
Server running with Penjaro protection on port ${PORT});
});
} catch (error) {
console.error("Failed to initialize Penjaro or start server:", error);
process.exit(1);
}
}startServer();
`$3
typescript
import express from 'express';
import { createPenjaroProxy, PenjaroConfigOptions } from 'penjaro-network-security-library-javascript';async function startProxy() {
try {
const penjaroOptions: PenjaroConfigOptions = {
apiKey: process.env.PENJARO_API_KEY,
targetServer: 'http://localhost:8080', // Your actual application server
enableRateLimit: true,
enableResponseAnalysis: true, // Enable response analysis
enableDataLeakChecks: true,
enableVerboseErrorChecks: true,
};
// Initialize Penjaro proxy
const penjaroProxy = await createPenjaroProxy(penjaroOptions);
// Create an Express app that just uses the proxy
const app = express();
app.use(penjaroProxy);
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
console.log(
Penjaro proxy running on port ${PORT}, forwarding to ${penjaroOptions.targetServer});
});
} catch (error) {
console.error("Failed to initialize Penjaro proxy:", error);
process.exit(1);
}
}startProxy();
`Express 5.x Compatibility
Penjaro now includes built-in support for both Express 4.x and Express 5.x. The library has been updated to handle the middleware changes in Express 5, including:
- Handling of async/await middleware functions
- Support for Express 5's promise-based middleware chain
- Compatibility with Express 5's updated response object
$3
For the best compatibility with Express 5.x, use the dedicated Express adapter:
typescript
import express from 'express';
import { createExpressMiddleware } from 'penjaro-network-security-library-javascript';const app = express();
async function startServer() {
try {
// Use the Express-specific adapter for best compatibility
const penjaroMiddleware = await createExpressMiddleware({
apiKey: process.env.PENJARO_API_KEY,
enableRateLimit: true,
// ... other options
});
// Apply Penjaro middleware
app.use(penjaroMiddleware);
// Your Express 5.x routes
app.get('/', async (req, res) => {
// Express 5.x allows async route handlers
const data = await fetchSomeData();
res.send(data);
});
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
console.log(
Express 5.x server running with Penjaro protection on port ${PORT});
});
} catch (error) {
console.error("Failed to initialize Penjaro:", error);
process.exit(1);
}
}startServer();
`$3
Penjaro now supports a wider range of dependency versions:
- Express:
- NestJS:
- Koa:
- Fastify:
- Redis:
- And more...This makes it easier to integrate Penjaro into projects using different versions of these frameworks and libraries.
Framework Integration Examples
$3
NestJS integration is easy and clean with Penjaro's dedicated adapter. Here's a complete example:
#### 1. Create a Penjaro Module
typescript
// src/penjaro/penjaro.module.ts
import { Module, DynamicModule } from '@nestjs/common';
import { PenjaroService } from './penjaro.service';
import { PenjaroConfigOptions } from 'penjaro-network-security-library-javascript';@Module({})
export class PenjaroModule {
static register(options: PenjaroConfigOptions): DynamicModule {
return {
module: PenjaroModule,
providers: [
{
provide: 'PENJARO_OPTIONS',
useValue: options,
},
PenjaroService,
],
exports: [PenjaroService],
};
}
}
`#### 2. Create a Penjaro Service
typescript
// src/penjaro/penjaro.service.ts
import { Injectable, Inject, OnModuleInit, OnModuleDestroy, Logger } from '@nestjs/common';
import { createPenjaroProxy, PenjaroConfigOptions } from 'penjaro-network-security-library-javascript';
import { RequestHandler } from 'express';@Injectable()
export class PenjaroService implements OnModuleInit, OnModuleDestroy {
private middleware: RequestHandler | null = null;
private redisClient: unknown | null = null;
private readonly logger = new Logger(PenjaroService.name);
private initializationPromise: Promise | null = null;
constructor(
@Inject('PENJARO_OPTIONS') private readonly options: PenjaroConfigOptions,
) {}
async onModuleInit() {
this.initializationPromise = this.initialize();
await this.initializationPromise;
}
private async initialize() {
try {
this.logger.log('Initializing Penjaro middleware...');
this.middleware = (await createPenjaroProxy(
this.options,
)) as unknown as RequestHandler;
// Store redis client reference if it exists
if (this.options.redisClient) {
this.redisClient = this.options.redisClient;
}
this.logger.log('Penjaro middleware initialized successfully');
} catch (error) {
this.logger.error(
Failed to initialize Penjaro middleware: ${error.message});
throw error;
}
} async onModuleDestroy() {
// Clean up redis connection if needed
if (
this.redisClient &&
typeof (this.redisClient as any).disconnect === 'function'
) {
try {
await (this.redisClient as any).disconnect();
this.logger.log('Redis client disconnected successfully');
} catch (error) {
this.logger.error(
Error disconnecting Redis client: ${error.message});
}
}
} getMiddleware(): RequestHandler {
if (!this.middleware) {
throw new Error('Penjaro middleware not initialized');
}
return this.middleware;
}
}
`#### 3. Create a Penjaro Middleware
typescript
// src/penjaro/penjaro.middleware.ts
import { Injectable, NestMiddleware, Logger } from '@nestjs/common';
import { Request, Response, NextFunction } from 'express';
import { PenjaroService } from './penjaro.service';@Injectable()
export class PenjaroMiddleware implements NestMiddleware {
private readonly logger = new Logger(PenjaroMiddleware.name);
constructor(private readonly penjaroService: PenjaroService) {}
use(req: Request, res: Response, next: NextFunction) {
try {
const middleware = this.penjaroService.getMiddleware();
middleware(req, res, (err?: any) => {
if (err) {
this.logger.error(
Penjaro middleware error: ${err.message});
return next(err);
}
next();
});
} catch (error) {
this.logger.error(Failed to get Penjaro middleware: ${error.message});
next(error);
}
}
}
`#### 4. Use in App Module
typescript
// src/app.module.ts
import { Module, MiddlewareConsumer, NestModule } from '@nestjs/common';
import { AppController } from './app.controller';
import { AppService } from './app.service';
import { PenjaroModule } from './penjaro/penjaro.module';
import { PenjaroMiddleware } from './penjaro/penjaro.middleware';@Module({
imports: [
PenjaroModule.register({
apiKey: process.env.PENJARO_API_KEY,
enableRateLimit: true,
rateLimitPoints: 5,
rateLimitDuration: 10, // 10 seconds
enableResponseAnalysis: true,
enableDataLeakChecks: true,
enableVerboseErrorChecks: true,
// Example custom rules
customRequestRulePatterns: {
xss: [/]>[\s\S]?<\/script>/i],
sql: [/(\%27)|(\')|(\-\-)|(\%23)|(#)/i, /(\s|;|\/\*)+(select|union|insert|drop|delete|update|create|alter)/i],
},
}),
],
controllers: [AppController],
providers: [AppService],
})
export class AppModule implements NestModule {
configure(consumer: MiddlewareConsumer) {
consumer
.apply(PenjaroMiddleware)
.exclude('health') // Exclude health check endpoint
.forRoutes('*');
}
}
`$3
typescript
// src/app.module.ts
import { Module, NestModule, MiddlewareConsumer } from '@nestjs/common';
import { AppController } from './app.controller';
import { AppService } from './app.service';
import { createPenjaroAdapter, Framework } from 'penjaro-network-security-library-javascript/dist/adapters';@Module({
imports: [],
controllers: [AppController],
providers: [AppService],
})
export class AppModule implements NestModule {
async configure(consumer: MiddlewareConsumer) {
const penjaroMiddleware = await createPenjaroAdapter(Framework.NESTJS, {
apiKey: process.env.PENJARO_API_KEY,
enableRateLimit: true,
rateLimitPoints: 10,
rateLimitDuration: 1,
});
consumer
.apply(penjaroMiddleware)
.forRoutes('*');
}
}
`$3
typescript
import Koa from 'koa';
import { createPenjaroAdapter, Framework } from 'penjaro-network-security-library-javascript/dist/adapters';const app = new Koa();
async function start() {
try {
const penjaroMiddleware = await createPenjaroAdapter(Framework.KOA, {
apiKey: process.env.PENJARO_API_KEY,
enableRateLimit: true,
enableThreatIntelCheck: true,
includeDefaultFireholFeed: true,
});
// Add Penjaro middleware
app.use(penjaroMiddleware);
// Add your routes
app.use(async (ctx) => {
ctx.body = 'Hello World';
});
// Start server
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
console.log(
Server running on port ${PORT});
});
} catch (error) {
console.error('Failed to initialize Penjaro middleware:', error);
process.exit(1);
}
}start();
`$3
typescript
import Fastify from 'fastify';
import { createPenjaroAdapter, Framework } from 'penjaro-network-security-library-javascript/dist/adapters';const fastify = Fastify({ logger: true });
async function start() {
try {
const penjaroPlugin = await createPenjaroAdapter(Framework.FASTIFY, {
apiKey: process.env.PENJARO_API_KEY,
enableRateLimit: true,
enableThreatIntelCheck: true,
});
// Register Penjaro plugin
await fastify.register(penjaroPlugin);
// Define routes
fastify.get('/', async (request, reply) => {
return { hello: 'world' };
});
// Start server
await fastify.listen({ port: 3000, host: '0.0.0.0' });
console.log(
Server running on ${fastify.server.address().port});
} catch (error) {
console.error('Failed to start server:', error);
process.exit(1);
}
}start();
`$3
typescript
import Hapi from '@hapi/hapi';
import { createPenjaroAdapter, Framework } from 'penjaro-network-security-library-javascript/dist/adapters';async function start() {
try {
const server = Hapi.server({
port: 3000,
host: 'localhost',
});
const penjaroPlugin = await createPenjaroAdapter(Framework.HAPI, {
apiKey: process.env.PENJARO_API_KEY,
enableRateLimit: true,
rateLimitPoints: 10,
rateLimitDuration: 1,
});
// Register Penjaro plugin
await server.register(penjaroPlugin);
// Define routes
server.route({
method: 'GET',
path: '/',
handler: (request, h) => {
return 'Hello World!';
},
});
// Start server
await server.start();
console.log(
Server running on ${server.info.uri});
} catch (error) {
console.error('Failed to start server:', error);
process.exit(1);
}
}start();
`Comprehensive Configuration Examples
Below is a complete configuration example with detailed comments for each option:
typescript
import { PenjaroConfigOptions } from 'penjaro-network-security-library-javascript';
import * as tf from '@tensorflow/tfjs-node'; // Only if using AI features// Load a pre-trained model (only if using AI features)
async function loadModel() {
const model = await tf.loadLayersModel('file:///path/to/model/model.json');
return model;
}
async function createConfiguration() {
// Optional: Load AI model
const aiModel = await loadModel().catch(err => {
console.error('Failed to load AI model:', err);
return null;
});
const penjaroConfig: PenjaroConfigOptions = {
//======================================================================
// REQUIRED CONFIGURATION
//======================================================================
// Your unique API key obtained from Penjaro dashboard
apiKey: process.env.PENJARO_API_KEY || 'your_api_key',
//======================================================================
// OPERATING MODE
//======================================================================
// Target server URL - if specified, enables Proxy Mode
// If omitted, operates in Middleware Mode
// targetServer: 'http://localhost:8080',
// HTTP Proxy configuration (only used in Proxy Mode)
proxyConfig: {
// Options passed directly to http-proxy-middleware
// See: https://github.com/chimurai/http-proxy-middleware#options
changeOrigin: true,
ws: true, // Support WebSockets
// pathRewrite: { '^/api': '' }, // URL rewriting
},
//======================================================================
// RATE LIMITING
//======================================================================
// Enable IP-based rate limiting
enableRateLimit: true,
// Maximum requests allowed per time window
rateLimitPoints: 100,
// Time window in seconds
rateLimitDuration: 60, // 100 requests per minute
//======================================================================
// THREAT INTELLIGENCE
//======================================================================
// Enable checking IPs against threat intelligence feeds
enableThreatIntelCheck: true,
// Custom threat intelligence feed URLs (plain text, one IP per line)
threatIntelFeedUrls: [
'https://your-organization.com/custom-blocklist.txt',
],
// How often to refresh the threat intelligence feeds (in minutes)
threatIntelFetchIntervalMinutes: 60, // Hourly updates
// Include default feeds
includeDefaultTorFeed: true, // Tor exit nodes
includeDefaultFireholFeed: true, // FireHOL Level 1 blocklist
includeDefaultFeodoFeed: true, // Feodo Tracker botnet IPs
includeDefaultCinsFeed: true, // CINS Army List
// IPs that should never be blocked, even if in block lists
whitelistIps: [
'127.0.0.1', '::1', // Localhost
'192.168.0.0/16', // Private network
'your-office-ip.example.com', // Office IP
],
// Callback for threat intel fetch errors
onThreatIntelError: (error) => {
console.error('Threat intel error:', error);
// You can implement notifications or logging here
},
//======================================================================
// GRAPHQL PROTECTION
//======================================================================
// Enable GraphQL-specific protections (requires graphql package)
enableGraphqlProtection: true,
// Maximum allowed query nesting depth
graphqlMaxDepth: 7,
// Maximum allowed query complexity score
graphqlMaxComplexity: 500,
// Block GraphQL introspection queries in production
graphqlBlockIntrospection: process.env.NODE_ENV === 'production',
// Block if these keywords appear in GraphQL string values
graphqlBlockKeywords: [
'UNION SELECT', 'DROP TABLE', '../../', 'eval(', 'etc/passwd'
],
//======================================================================
// RESPONSE ANALYSIS (PROXY MODE ONLY)
//======================================================================
// Master switch for response analysis
enableResponseAnalysis: true,
// Enable checks for data leaks in responses
enableDataLeakChecks: true,
// Enable checks for verbose errors in responses
enableVerboseErrorChecks: true,
// Max size in bytes to analyze (1MB default)
responseAnalysisMaxSize: 1048576,
// Content types to analyze
responseAnalysisContentTypes: [
'application/json', 'text/html', 'text/plain',
'application/xml', 'text/xml'
],
// Block responses with sensitive data/errors?
blockUnsafeResponses: true,
// Replace default patterns instead of adding to them?
replaceDefaultPatterns: false,
// Custom data leak patterns to detect
customDataLeakPatterns: [
/api[_-]?key["\s][:=]\s"'["']/i,
/password["\s][:=]\s"'["']/i,
/private[_-]key["\s][:=]\s["']-{5}BEGIN(?:(?!\n-{5}END).)*-{5}END/is
],
// Custom verbose error patterns to detect
customVerboseErrorPatterns: [
/TypeError:.at\s+.\(.*:\d+:\d+\)/i,
/internal server error/i,
/Database connection failed/i
],
// URL paths to exclude from data leak checks
excludePathsFromDataLeakCheck: [
/\/auth\/login/i, // Auth endpoints containing credentials
/\/user\/profile/i, // Profile pages with PII
],
// URL paths to exclude from error checks
excludePathsFromErrorCheck: [
/\/debug\//i, // Debug endpoints
/\/developer\//i // Developer tools
],
//======================================================================
// JA3 FINGERPRINTING
//======================================================================
// Enable JA3 TLS fingerprint checking
// REQUIRES upstream proxy (Nginx, Envoy, etc.) to provide the hash
enableJa3Check: false,
// Header name containing the JA3 hash from upstream proxy
ja3HeaderName: 'X-JA3-Hash',
// Known malicious JA3 hashes to block
badJa3Hashes: [
'e7d705a3286e19ea42f587b344ee6865', // Cobalt Strike variant
'4d7a28d5dd63494652553193b9a3a0cf', // Metasploit variant
'6734f37431670b3ab4292b8f60f29984' // Malware variant
],
//======================================================================
// REQUEST RULE CUSTOMIZATION
//======================================================================
// Disable specific built-in rule categories
disableDefaultRequestRules: {
ssrf: true, // Disable SSRF detection (for local dev)
ssrfHeader: true, // Disable SSRF header checks
sql: false, // Keep SQL injection checks
xss: false, // Keep XSS checks
command: false, // Keep command injection checks
traversal: false, // Keep path traversal checks
header: false, // Keep header checks
log4j: false, // Keep Log4j checks
info: false, // Keep information disclosure checks
scanner: false, // Keep scanner detection
xssLib: false // Keep XSS library checks
},
// Custom request rule patterns to add or replace
customRequestRulePatterns: {
sql: [
/UNION\s+SELECT/i,
/ORDER\s+BY\s+\d+/i
],
xss: [
/]>[\s\S]?<\/script>/i,
/javascript:alert\(/i
],
creditcard: [
/4[0-9]{12}(?:[0-9]{3})?/, // Visa
/5[1-5][0-9]{14}/ // Mastercard
]
},
// Replace default request patterns instead of merging?
replaceDefaultRequestPatterns: false,
//======================================================================
// AI INTEGRATION
//======================================================================
// Pre-loaded TensorFlow.js model (optional)
aiModel: aiModel,
// Custom function to extract features from requests
featureExtractor: (req) => {
// Extract numerical features from request for AI model
return [
req.headers['content-length'] ? parseInt(req.headers['content-length'], 10) : 0,
req.url ? req.url.length : 0,
req.query ? Object.keys(req.query).length : 0,
// Add more features as needed
];
},
// Behavior if AI analysis fails
aiAnalysisFailureMode: 'fail-open', // Options: 'fail-open' or 'fail-closed'
//======================================================================
// REDIS INTEGRATION (DISTRIBUTED DEPLOYMENT)
//======================================================================
// Redis URL for distributed rate limiting and threat intel
redisUrl: process.env.REDIS_URL,
// Redis connection options (used if redisUrl not provided)
// redisOptions: {
// host: 'localhost',
// port: 6379,
// password: 'your-password'
// },
// Optional: Pre-configured Redis client
// redisClient: yourRedisClient,
//======================================================================
// INCIDENT REPORTING
//======================================================================
// Enable reporting of security incidents to Penjaro API
enableIncidentReporting: true
};
return penjaroConfig;
}
Framework-Specific Integration Examples
$3
#### Middleware Mode
`typescript
// middleware-mode.ts
import express from 'express';
import cors from 'cors';
import helmet from 'helmet';
import { createPenjaroProxy, PenjaroConfigOptions } from 'penjaro-network-security-library-javascript';
import dotenv from 'dotenv';dotenv.config();
const app = express();
const PORT = process.env.PORT || 3000;
async function startServer() {
try {
// Configure Penjaro
const penjaroOptions: PenjaroConfigOptions = {
apiKey: process.env.PENJARO_API_KEY || 'your_api_key',
enableRateLimit: true,
enableThreatIntelCheck: true,
includeDefaultFireholFeed: true,
// Disable SSRF checks for local development
disableDefaultRequestRules: {
ssrf: true,
ssrfHeader: true
}
};
// Initialize Penjaro middleware
console.log('Initializing Penjaro middleware...');
const penjaroMiddleware = await createPenjaroProxy(penjaroOptions);
console.log('Penjaro middleware initialized successfully!');
// Apply standard middleware
app.use(cors());
app.use(helmet());
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
// Apply Penjaro middleware BEFORE routes
app.use(penjaroMiddleware);
// Define your routes
app.get('/', (req, res) => {
res.send('Hello World - Protected by Penjaro');
});
// Error handler
app.use((err, req, res, next) => {
console.error(err.stack);
res.status(500).json({
message: 'Something went wrong!'
});
});
// Start server
app.listen(PORT, () => {
console.log(
Server running on port ${PORT});
});
} catch (error) {
console.error('Failed to start server:', error);
process.exit(1);
}
}startServer();
`#### Proxy Mode
typescript
// proxy-mode.ts
import express from 'express';
import { createPenjaroProxy, PenjaroConfigOptions } from 'penjaro-network-security-library-javascript';
import dotenv from 'dotenv';dotenv.config();
// In proxy mode, we need two servers:
// 1. The target server (your actual application)
// 2. The proxy server with Penjaro
// 1. First, the target server (this would be your actual app)
const targetApp = express();
const TARGET_PORT = process.env.TARGET_PORT || 8080;
// Define your backend routes
targetApp.get('/', (req, res) => {
res.send('Hello from target server');
});
targetApp.get('/api/data', (req, res) => {
res.json({ message: 'This is protected data' });
});
// Start the target server
targetApp.listen(TARGET_PORT, () => {
console.log(
Target server running on port ${TARGET_PORT});
});// 2. Now, the proxy server with Penjaro
async function startProxy() {
try {
// Configure Penjaro in proxy mode
const penjaroOptions: PenjaroConfigOptions = {
apiKey: process.env.PENJARO_API_KEY || 'your_api_key',
// This is what activates proxy mode
targetServer:
http://localhost:${TARGET_PORT},
// Rate limiting
enableRateLimit: true,
rateLimitPoints: 100,
rateLimitDuration: 60,
// Response analysis (only available in proxy mode)
enableResponseAnalysis: true,
enableDataLeakChecks: true,
enableVerboseErrorChecks: true,
// Disable SSRF for local development
disableDefaultRequestRules: {
ssrf: true,
ssrfHeader: true
}
}; // Create the proxy server
const proxyApp = express();
// Initialize Penjaro proxy
const penjaroProxy = await createPenjaroProxy(penjaroOptions);
// Apply Penjaro proxy middleware
proxyApp.use(penjaroProxy);
// Start the proxy server
const PROXY_PORT = process.env.PORT || 3000;
proxyApp.listen(PROXY_PORT, () => {
console.log(
Penjaro proxy running on port ${PROXY_PORT});
console.log(Forwarding to target server at http://localhost:${TARGET_PORT});
});
} catch (error) {
console.error('Failed to start proxy server:', error);
process.exit(1);
}
}startProxy();
`$3
#### Middleware Mode
typescript
// penjaro.config.ts
import { PenjaroConfigOptions } from 'penjaro-network-security-library-javascript';export const penjaroConfig: PenjaroConfigOptions = {
apiKey: process.env.PENJARO_API_KEY || 'your_api_key',
enableRateLimit: true,
rateLimitPoints: 60,
rateLimitDuration: 60,
enableThreatIntelCheck: true,
includeDefaultFireholFeed: true,
// Disable SSRF detection for local development
disableDefaultRequestRules: {
ssrf: true,
ssrfHeader: true
},
// Custom request rules
customRequestRulePatterns: {
sql: [/union\s+select/i, /exec\s+xp_cmdshell/i],
xss: [/