Merge pull request #997 from yilenpan/feat/csrf

[feat] Added Lusca middleware for CSRF [fixes #828]

config/env/default.js

@@ -28,6 +28,19 @@ module.exports = {
   // for obsecurity reasons
   sessionKey: 'sessionId',
   sessionCollection: 'sessions',
+  // Lusca config
+  csrf: {
+    csrf: false,
+    csp: { /* Content Security Policy object */},
+    xframe: 'SAMEORIGIN',
+    p3p: 'ABCDEF',
+    hsts: {
+      maxAge: 31536000, // Forces HTTPS for one year
+      includeSubDomains: true,
+      preload: true
+    },
+    xssProtection: true
+  },
   logo: 'modules/core/client/img/brand/logo.png',
   favicon: 'modules/core/client/img/brand/favicon.ico',
   uploads: {

config/lib/express.js

@@ -17,7 +17,8 @@ var config = require('../config'),
   helmet = require('helmet'),
   flash = require('connect-flash'),
   consolidate = require('consolidate'),
-  path = require('path');
+  path = require('path'),
+  lusca = require('lusca');
 
 /**
  * Initialize local variables
@@ -122,6 +123,9 @@ module.exports.initSession = function (app, db) {
       collection: config.sessionCollection
     })
   }));
+
+  // Add Lusca CSRF Middleware
+  app.use(lusca(config.csrf));
 };
 
 /**
@@ -228,7 +232,7 @@ module.exports.init = function (db) {
 
   // Initialize Express view engine
   this.initViewEngine(app);
-  
+
   // Initialize Helmet security headers
   this.initHelmetHeaders(app);
 

package.json

@@ -43,6 +43,7 @@
     "helmet": "~0.9.1",
     "jasmine-core": "~2.3.4",
     "lodash": "~3.10.0",
+    "lusca": "~1.3.0",
     "method-override": "~2.3.3",
     "mocha": "~2.4.5",
     "mongoose": "~4.2.3",