Enterprise-grade NIS2 Compliance Middleware for Express.js - Forensic logging, active defense, and security audit in a single app.use().
Companies subject to the NIS2 Directive need demonstrable compliance. This middleware provides technical controls mapped to the measures listed in Article 21(2):
- Forensic Logging: JSON logs signed with HMAC-SHA256, PII encryption (Art. 21.2.h)
- Rate Limiting: Token bucket algorithm to mitigate DoS/brute force (Art. 21.2.e)
- IP/Geo Blocking: Block Tor exit nodes, countries, malicious IPs (Art. 21.2.a)
- Session Guard: Detect session hijacking via IP/User-Agent validation
- Multi-SIEM: Direct connectors for Splunk, Datadog, QRadar
- Compliance CLI: Audit your configuration with `npx check-nis2`

Part of the NIS2 Shield Ecosystem: use it with `@nis2shield/react-guard`, `@nis2shield/angular-guard`, or `@nis2shield/vue-guard` for client-side protection and `nis2shield/infrastructure` for a complete, audited full-stack implementation.
```
┌────────────────────────────────────────────────────────────┐
│ Frontend                                                   │
│ @nis2shield/{react,angular,vue}-guard                      │
│   ├── SessionWatchdog (idle detection)                     │
│   ├── AuditBoundary (crash reports)                        │
│   └── → POST /api/nis2/telemetry/                          │
└────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌────────────────────────────────────────────────────────────┐
│ Backend (NIS2 Adapter)                                     │
│ @nis2shield/express-middleware                             │
│   ├── ForensicLogger (HMAC signed logs)                    │
│   ├── RateLimiter, SessionGuard, TorBlocker                │
│   └── → SIEM (Elasticsearch, Splunk, QRadar, etc.)         │
└────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌────────────────────────────────────────────────────────────┐
│ Infrastructure                                             │
│ nis2shield/infrastructure                                  │
│   ├── Centralized Logging (ELK/Splunk)                     │
│   └── Audited Deployment (Terraform/Helm)                  │
└────────────────────────────────────────────────────────────┘
```
- Forensic Logging: Standardized `NIS2-JSON-SCHEMA v1.0` logs with HMAC-SHA256 integrity and PII encryption.
- Active Defense:
  - Rate Limiting: Token bucket algorithm.
  - IP Blocking: Block static IPs, Tor exit nodes, and countries (GeoIP).
  - Session Guard: Session hijacking protection (IP/User-Agent). Treat a mismatch as a signal rather than proof: the User-Agent is attacker-controlled, and client IPs legitimately change behind carrier NAT or on mobile networks.
- Multi-SIEM Support: Direct connectors for Splunk HEC, Datadog, and QRadar.
- Notifications: Webhook integration for security alerts (Slack/Teams).
- Compliance Engine: Built-in CLI `npx check-nis2` to audit your configuration.
- Security Headers: HSTS, CSP, X-Frame-Options, and more.
Install the package:

```bash
npm install @nis2shield/express-middleware
```

Basic usage, enabling all features with their defaults:

```typescript
import express from 'express';
import { nis2Shield } from '@nis2shield/express-middleware';

const app = express();

// Basic usage - enables all features with defaults
app.use(nis2Shield());

app.get('/', (req, res) => {
  res.json({ message: 'Protected by NIS2 Shield!' });
});

app.listen(3000);
```

Full configuration, with the keys read from the environment rather than hard-coded:

```typescript
import { nis2Shield, Nis2Config } from '@nis2shield/express-middleware';

const config: Partial<Nis2Config> = {
  enabled: true,
  encryptionKey: process.env.NIS2_ENCRYPTION_KEY, // AES-256 key for PII fields
  integrityKey: process.env.NIS2_HMAC_KEY,        // HMAC-SHA256 key for log integrity
  logging: {
    enabled: true,
    anonymizeIP: true,
    encryptPII: true,
    piiFields: ['userId', 'email'],
  },
  activeDefense: {
    rateLimit: {
      enabled: true,
      windowMs: 60000, // 1 minute
      max: 100,        // 100 requests per window
    },
    blockTor: true,
  },
  securityHeaders: {
    enabled: true,
    hsts: true,
    csp: "default-src 'self'",
    xFrameOptions: 'DENY',
  },
};

app.use(nis2Shield(config));
```

The two keys are supplied through environment variables. Generate both with a CSPRNG and keep them out of source control; the encryption key is a 32-byte AES-256 key, base64-encoded:

```bash
NIS2_ENCRYPTION_KEY=your-base64-aes-256-key
NIS2_HMAC_KEY=your-secret-hmac-key
```

Security headers set by default:

| Header | Default Value |
|---|---|
| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains; preload` |
| `X-Content-Type-Options` | `nosniff` |
| `X-Frame-Options` | `DENY` |
| `Referrer-Policy` | `strict-origin-when-cross-origin` |
| `Permissions-Policy` | Restrictive policy |

Note that the HSTS default includes `includeSubDomains` and `preload`: browsers will refuse plain HTTP to every subdomain for a year, and `preload` signals eligibility for the browser preload lists, which are hard to leave. Keep this default only if all subdomains serve HTTPS.
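The `rateLimit` block above is expressed as `max` requests per `windowMs`. The following is an added example in TypeScript of the token bucket algorithm that such a setting maps onto, written for this page and not taken from the package: the `TokenBucketLimiter` class, the `rateLimitMiddleware` factory, the minimal Express-shaped `Req`/`Res` types, and the injectable clock are all assumptions for the illustration. Each client key gets a bucket of `max` tokens that refills continuously at `max / windowMs`, so a burst up to `max` is admitted and then the steady rate applies.

```typescript
// Options mirror the rateLimit block of the configuration above: `max` requests per `windowMs`.
interface TokenBucketOptions {
  windowMs: number;
  max: number;
  now?: () => number; // injectable clock (defaults to Date.now) so the behaviour is testable
}

interface Bucket { tokens: number; last: number }
interface Decision { allowed: boolean; remaining: number; retryAfterMs: number }

class TokenBucketLimiter {
  private readonly buckets = new Map<string, Bucket>();
  private readonly now: () => number;

  constructor(private readonly opts: TokenBucketOptions) {
    if (!(opts.windowMs > 0) || !(opts.max > 0)) throw new Error('windowMs and max must be positive');
    this.now = opts.now ?? Date.now;
  }

  // One request consumes one token. Tokens are refilled lazily on each call, capped at `max`,
  // so no timer is needed and idle keys cost nothing until they are seen again.
  allow(key: string): Decision {
    const t = this.now();
    const { max, windowMs } = this.opts;
    const b = this.buckets.get(key) ?? { tokens: max, last: t };
    b.tokens = Math.min(max, b.tokens + ((t - b.last) * max) / windowMs);
    b.last = t;
    this.buckets.set(key, b);
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterMs: 0 };
    }
    // Time until one full token has accumulated at the refill rate.
    return { allowed: false, remaining: 0, retryAfterMs: Math.ceil(((1 - b.tokens) * windowMs) / max) };
  }

  // Drop buckets idle longer than idleMs so the map cannot grow without bound
  // when an attacker rotates source addresses. Returns the number removed.
  prune(idleMs: number): number {
    const t = this.now();
    let removed = 0;
    for (const [k, b] of this.buckets) {
      if (t - b.last > idleMs) { this.buckets.delete(k); removed++; }
    }
    return removed;
  }
}

// Minimal Express-compatible shapes so the example runs without express installed.
interface Req { ip?: string; socket?: { remoteAddress?: string } }
interface Res { statusCode: number; setHeader(name: string, value: string): void; end(body?: string): void }
type Next = () => void;

// Keyed by client address. `req.ip` only reflects X-Forwarded-For when Express's `trust proxy`
// is configured for a proxy you control; otherwise a client could choose its own key per request.
function rateLimitMiddleware(
  opts: TokenBucketOptions,
  keyOf: (req: Req) => string = (req) => req.ip ?? req.socket?.remoteAddress ?? 'unknown',
) {
  const limiter = new TokenBucketLimiter(opts);
  return (req: Req, res: Res, next: Next): void => {
    const d = limiter.allow(keyOf(req));
    res.setHeader('RateLimit-Limit', String(opts.max));
    res.setHeader('RateLimit-Remaining', String(d.remaining));
    if (d.allowed) { next(); return; }
    res.setHeader('Retry-After', String(Math.ceil(d.retryAfterMs / 1000)));
    res.statusCode = 429;
    res.end('Too Many Requests');
  };
}

// Usage with a real Express app would be: app.use(rateLimitMiddleware({ windowMs: 60000, max: 100 }));
```

Call `prune()` periodically (for example from a `setInterval`) in a long-running process; an in-memory limiter is also per-process, so behind a load balancer each instance enforces the limit independently unless the buckets are moved to a shared store.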
Example audit log entry (IP anonymized, `integrity_hash` abbreviated):

```json
{
  "timestamp": "2025-01-15T10:00:00.000Z",
  "module": "nis2_shield",
  "type": "audit_log",
  "request": {
    "method": "POST",
    "path": "/api/login",
    "ip": "203.0.113.xxx"
  },
  "response": {
    "status": 200,
    "duration_ms": 45
  },
  "integrity_hash": "a1b2c3d4..."
}
```

Example: a strict profile for a banking API, with a low request budget, Tor blocked, and sanctioned countries denied:

```typescript
import express from 'express';
import { nis2Shield } from '@nis2shield/express-middleware';

const app = express();

app.use(nis2Shield({
  enabled: true,
  encryptionKey: process.env.NIS2_ENCRYPTION_KEY,
  integrityKey: process.env.NIS2_HMAC_KEY,
  activeDefense: {
    rateLimit: {
      enabled: true,
      windowMs: 60000,
      max: 30, // Strict: 30 req/min for banking
    },
    blockTor: true,
    blockedCountries: ['KP', 'IR'], // OFAC compliance
  },
  securityHeaders: {
    enabled: true,
    hsts: true,
    xFrameOptions: 'DENY',
  },
}));
```

Example: forwarding security events to a Slack webhook:

```typescript
import { nis2Shield, createWebhookNotifier } from '@nis2shield/express-middleware';

const webhookNotifier = createWebhookNotifier({
  url: 'https://hooks.slack.com/services/...',
  format: 'slack',
  events: ['rate_limit', 'session_hijack', 'blocked_ip'],
});

app.use(nis2Shield({
  enabled: true,
  webhooks: webhookNotifier,
  logging: {
    enabled: true,
    anonymizeIP: true,
    encryptPII: true,
  },
}));
```

Example: shipping logs directly to Datadog (EU site):

```typescript
import { nis2Shield } from '@nis2shield/express-middleware';

app.use(nis2Shield({
  enabled: true,
  siem: {
    type: 'datadog',
    apiKey: process.env.DD_API_KEY,
    site: 'datadoghq.eu',
  },
}));
```

Related projects:
- django-nis2-shield: Python/Django version
- nis2-spring-shield: Java/Spring Boot version
- dotnet-nis2-shield: ASP.NET Core version
- @nis2shield/react-guard: Frontend client-side protection
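The audit log entry shown above carries an anonymized IP, encrypted PII fields and an `integrity_hash`, but the page does not state how those values are derived. The following is an added TypeScript example, not the package's code, showing how such an entry can be produced and independently verified by an auditor. Its assumptions: the hash is HMAC-SHA256 over a canonical (key-sorted) JSON serialization of every field except `integrity_hash`; PII fields listed in `piiFields` are encrypted with AES-256-GCM under the `NIS2_ENCRYPTION_KEY`; the IPv4 host octet is masked as in the sample. The keys, the `enc:` field format and the sample request are constructed for the example.

```typescript
import { createHmac, createCipheriv, createDecipheriv, randomBytes, timingSafeEqual } from 'node:crypto';

// Keys constructed for this example. In a deployment they would come from NIS2_ENCRYPTION_KEY
// (base64, 32 bytes for AES-256) and NIS2_HMAC_KEY as in the configuration above.
const ENC_KEY: Buffer = randomBytes(32);
const HMAC_KEY: Buffer = randomBytes(32);

interface AuditLog {
  timestamp: string;
  module: string;
  type: string;
  request: Record<string, unknown> & { method: string; path: string; ip: string };
  response: { status: number; duration_ms: number };
  integrity_hash?: string;
}

// Serialize with recursively sorted keys so signer and verifier hash identical bytes
// regardless of property insertion order or the JSON library used to re-read the log.
function canonicalize(value: unknown): string {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    return '{' + Object.keys(obj).filter(k => obj[k] !== undefined).sort()
      .map(k => JSON.stringify(k) + ':' + canonicalize(obj[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Mask the host part before the address is written anywhere (matches the
// "203.0.113.xxx" form in the log example above; IPv6 keeps the first three hextets).
function anonymizeIp(ip: string): string {
  if (ip.includes('.')) return ip.split('.').slice(0, 3).join('.') + '.xxx';
  return ip.split(':').slice(0, 3).join(':') + '::xxxx';
}

// AES-256-GCM with a fresh 96-bit IV per field; the auth tag is stored alongside so a
// modified ciphertext fails on decrypt instead of yielding garbage.
function encryptField(plaintext: string, key: Buffer): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return `enc:${iv.toString('base64')}.${ct.toString('base64')}.${cipher.getAuthTag().toString('base64')}`;
}

function decryptField(token: string, key: Buffer): string {
  if (!token.startsWith('enc:')) throw new Error('not an encrypted field');
  const [iv, ct, tag] = token.slice(4).split('.').map(p => Buffer.from(p, 'base64'));
  const d = createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Build one entry: anonymize the IP, encrypt PII fields, then HMAC the canonical JSON.
function buildAuditLog(
  request: AuditLog['request'],
  response: AuditLog['response'],
  opts: { piiFields: string[]; anonymizeIP: boolean; encKey: Buffer; hmacKey: Buffer },
): AuditLog {
  const req: Record<string, unknown> = { ...request, ip: opts.anonymizeIP ? anonymizeIp(request.ip) : request.ip };
  for (const f of opts.piiFields) {
    const v = req[f];
    if (typeof v === 'string') req[f] = encryptField(v, opts.encKey);
  }
  const entry = {
    timestamp: new Date().toISOString(),
    module: 'nis2_shield',
    type: 'audit_log',
    request: req as AuditLog['request'],
    response,
  };
  const integrity_hash = createHmac('sha256', opts.hmacKey).update(canonicalize(entry)).digest('hex');
  return { ...entry, integrity_hash };
}

// Auditor-side check: recompute the HMAC over everything except integrity_hash and compare in constant time.
function verifyAuditLog(entry: AuditLog, hmacKey: Buffer): boolean {
  const { integrity_hash, ...unsigned } = entry;
  if (!integrity_hash) return false;
  const expected = createHmac('sha256', hmacKey).update(canonicalize(unsigned)).digest();
  const given = Buffer.from(integrity_hash, 'hex');
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample: a login request carrying two PII fields.
const SAMPLE_LOG = buildAuditLog(
  { method: 'POST', path: '/api/login', ip: '203.0.113.42', userId: 'u-1001', email: 'alice@example.com' },
  { status: 200, duration_ms: 45 },
  { piiFields: ['userId', 'email'], anonymizeIP: true, encKey: ENC_KEY, hmacKey: HMAC_KEY },
);
```

Two points matter in practice. The HMAC only proves a line was not altered after signing by someone without the key; it does not stop an attacker who already holds `NIS2_HMAC_KEY` on the same host from re-signing, so the key should live in a secret store and the signed lines should be shipped off-host promptly. And the verifier must canonicalize exactly as the signer did, which is why the sorted-key serialization is shared rather than relying on `JSON.stringify` of whatever object order the SIEM returns.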
Automated releases are handled via GitHub Actions:
1. Create Tag: Push a new tag (e.g., `v0.2.0`).
2. GitHub Release: Create a release in the GitHub UI.
3. CI/CD: The `npm-publish.yml` workflow triggers automatically:
   - Builds the project.
   - Runs tests.
   - Publishes to npm (using the `NPM_TOKEN` secret).
MIT License - See LICENSE for details.
- Website
- Documentation
- Issues