secure-express-routes
Express middleware you can use to lock down all your routes by default
Limitations
Turns out that this approach is probably not suitable for most applications. secure-express-routes can't access `req.params`, because that isn't set until the middleware defined on an actual route is run. Any application that uses `req.params` for permission checks won't be able to use this library as a viable option. See expressjs/express#2088.
Disclaimer
This package doesn't actually do anything to secure your routes. It just makes returning a 403 the default for every route in your application. What security you need will be specific to your scenario.
Use case
secure-express-routes is for express applications that expose routes that need to be protected. Without it, you run the risk of accidentally exposing sensitive data or private functionality. For example:
```js
// Handler bodies are elided; the point is the middleware chain of each route
app.get('/my-things', checkPermissions, (req, res) => { /* ... */ });
app.get('/my-secure-things', (req, res) => { /* ... */ }); // checkPermissions is missing!
```
In the above example, the `my-secure-things` route is not doing any permission checks, because someone forgot to add `checkPermissions` to the chain of middleware - an easy mistake to make!
When using secure-express-routes, your application will return a 403 unless you add some code to let the request through, thereby making your routes secure by default.
Installation
```sh
$ npm install secure-express-routes
```
Usage
```js
const express = require('express');
const secureExpressRoutes = require('secure-express-routes');

const app = express();

// Register the middleware before any routes so every request is checked first.
// `routes` and `options` are the two arguments documented under API below.
app.use(secureExpressRoutes(routes, options));
app.get('/example-route', (req, res) => res.send('only reached if the auth function returned true'));
app.listen(3000);
```
API
secure-express-routes is a simple express middleware. It takes two arguments:

1. A hash of your application's routes and associated auth functions, with the structure `{ [routePath]: authFunction }`.
Example:

```js
{
  '/example-route': (req, res) => {
    // whatever authentication and authorization checks you need
    return !req.user.looksSuspicious && res.locals.allowedIPAddress;
  },
  '/public-route': () => true
}
```
Where `/example-route` and `/public-route` both correspond to express routes in your application. The `authFunction` will be passed the express `req` and `res` objects for inspection. If the function returns `true`, the middleware chain will be allowed to continue. In all other cases, the middleware chain will terminate and a 403 will be returned.
2. An options object.

Example:

```js
{ responseCode: 404 }
```

| Option | Description | Default |
|---|---|---|
| `responseCode` | The HTTP response code to return by default | `403` |
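To make the deny-by-default rule, the strict `true` check and the `req.params` limitation above concrete, here is an added, self-contained re-implementation of the gate this README describes; it is not the package's own code. It assumes segment-wise path matching (`:id` matches one segment) and constructed `req`/`res` objects so it runs without an Express install.

```javascript
// Added example: a minimal deny-by-default route gate with the semantics the
// README describes. NOT secure-express-routes itself; the segment-wise path
// matcher and the fake req/res objects are assumptions made for this demo.
function pathMatches(pattern, path) {
  const p = pattern.split('/'), q = path.split('/');
  return p.length === q.length && p.every((seg, i) => seg.startsWith(':') || seg === q[i]);
}

function makeGate(routes, options = {}) {
  const responseCode = options.responseCode || 403;
  const entries = Object.entries(routes); // scanned on every request (see "Performance")
  return function gate(req, res, next) {
    const entry = entries.find(([pattern]) => pathMatches(pattern, req.path));
    // Only a literal `true` lets the request through: an unlisted route, an
    // auth function returning undefined, null, a truthy string or a Promise
    // all take the deny branch.
    if (entry && entry[1](req, res) === true) return next();
    res.status(responseCode).end();
  };
}

// Drive the gate with constructed req/res objects. `params` is left empty on
// purpose: app-level middleware runs before Express fills it in (see "Limitations").
function run(gate, path, user = {}, locals = {}) {
  let status = null, passed = false;
  const req = { path, params: {}, user };
  const res = { locals, status(c) { status = c; return this; }, end() {} };
  gate(req, res, () => { passed = true; });
  return { passed, status };
}

const gate = makeGate({
  '/example-route': (req, res) => !req.user.looksSuspicious && res.locals.allowedIPAddress,
  '/public-route': () => true,
  '/users/:id': (req) => req.params.id === req.user.id, // always denied: params is {} here
});
const gate404 = makeGate({ '/public-route': () => true }, { responseCode: 404 });
```

Note that `/example-route` passes only when `res.locals.allowedIPAddress` is the boolean `true`; a truthy string such as an IP address makes the function return that string, which is not `true`, so the request is denied.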
Performance
Because secure-express-routes iterates over an array of routes on each request, it may get slow for applications with lots of routes. A workaround is to split your routes into different routers and have one `secureExpressRoutes` instance for each router.
License
MIT