An easy-to-use Web Application Firewall (WAF) for Node.js. Can be used with Express, Fastify, NextJS, NuxtJS ... or Node.js http.
import express from 'express';
import easyWaf from 'easy-waf'; // CommonJS: require('easy-waf').default;
const app = express();
app.use(easyWaf());
app.listen(3000);
[!WARNING] This software tries to defend many common attacks while keeping the rate of false positives low. There will always be methods to bypass this WAF. Therefore, using this package is not a reason to neglect security when developing an application. Always validate user input! This software should be used with caution and is more an educational tool than a professional security solution.
[!TIP] I strongly recommend to activate the "dryMode" at the beginning to be able to identify possible false positives from the logs. If EasyWAF should parse bodies, bind a body-parser middleware to your app before adding EasyWAF.
npm i easy-waf
In the examples folder you can find samples of how to integrate EasyAF into your application.
If you run your Node.js app behind a reverse proxy, don't forget to set the trustProxy option.
To enable Open Redirect protection, configure the queryUrlWhitelist option.
EasyWAF is easy to use without the need for much configuration, but there are still many customization options.
app.use(
easyWaf({
allowedHTTPMethods: ['GET', 'POST'],
queryUrlWhitelist: ['github.com'],
modules: {
directoryTraversal: {
enabled: true,
excludePaths: /^\/exclude$/i,
},
},
}),
);
| Option | Type | Default | Description |
|---|---|---|---|
| allowedHTTPMethods | array | undefined | List of all HTTP request methods that are allowed. All other request methods will be blocked. By default, all HTTP methods are allowed. |
| customBlockedPage | string | undefined | Add HTML code to override the default "Request blocked" page. View example with placeholders |
| queryUrlWhitelist | array | undefined | List of urls that are allowed to be included in the path or query of the request url. By default, all urls are allowed. (Open Redirect / SSRF) |
| disableLogging | boolean | false | If true, nothing is logged. This is not recommended! |
| dryMode | boolean | false | If true, suspicious requests are only logged and not blocked. In addition, the log format is changed to prevent an IPS from blocking the IP. |
| ipBlacklist | array | [] | All requests by ips on the blacklist are blocked. CIDR notation is supported (IPv4 and IPv6). On single addresses, a prefix of /32 or /128 is assumed. |
| ipWhitelist | array | [] | All requests by ips on the whitelist are never blocked. CIDR notation is supported. |
| modules[name].enabled | boolean | true, except "Block Tor Exit Nodes" | This option allows you to completely disable a specific module. |
| modules[name].excludePaths | boolean | undefined | Exclude paths from being checked by this module with a regex. |
| postBlockHook | callback | undefined | Run your own code after a request is blocked. For example, you can send a notification. |
| preBlockHook | callback | undefined | Run your own code before a request is blocked. Return false if the request should not be blocked. |
| trustProxy | string / array | [] | If a reverse proxy is used, this setting must be configured. See npm/proxy-addr for possible values. |
The following table shows which user input is checked by which module:
| Name | URL | Body* | Headers** | IP |
|---|---|---|---|---|
| Bad Bots | ❌ | ❌ | ✅ | ❌ |
| Block Tor Exit Nodes | ❌ | ❌ | ❌ | ✅ |
| CRLF Injection | ✅ | ✅ | ❌ | ❌ |
| Cross-Site-Scripting (XSS) | ✅ | ✅ | ✅ | ❌ |
| Directory Traversal | ✅ | ✅ | ❌ | ❌ |
| Fake Crawlers | ❌ | ❌ | ✅ | ✅ |
| HTTP Parameter Pollution | ✅*** | ❌ | ❌ | ❌ |
| NoSQL Injections | ✅ | ✅ | ✅ | ❌ |
| Open Redirect / SSRF | ✅ | ❌ | ❌ | ❌ |
| Prototype Pollution | ✅ | ✅ | ✅ | ❌ |
| SQL Injections | ✅ | ✅ | ✅ | ❌ |
| XML Injections (Basic) | ❌ | ✅ | ❌ | ❌ |
* Bodies are only checked if req.body is set by a middleware or the web framework itself before EasyWAF.
** Includes user agent and cookies
*** Only if req.query is set by a framework.
A short description of all modules can be found in src/modules.
If a public GitHub issue or discussion is not the right choice for your concern, you can contact me directly:
© Timo Kössler 2024
Released under the MIT license
FAQs
An easy-to-use Web Application Firewall (WAF) for Node.js
The npm package easy-waf receives a total of 422 weekly downloads. As such, easy-waf popularity was classified as not popular.
We found that easy-waf demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.
Security News
Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
Security News
Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.