├── .gitignore
├── .travis.yml
├── package.json
├── index.js
├── LICENSE
├── README.md
└── test
    └── index.js


/.gitignore:
--------------------------------------------------------------------------------
1 | node_modules/
2 | *.log
3 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: node_js
2 | node_js:
3 |   - "0.10"
4 |   - "0.12"
5 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "frameguard",
 3 |   "author": "Adam Baldwin <baldwin@andyet.net> (http://andyet.net/team/baldwin)",
 4 |   "contributors": [
 5 |     "Evan Hahn <me@evanhahn.com> (http://evanhahn.com)"
 6 |   ],
 7 |   "description": "Middleware to set X-Frame-Options headers",
 8 |   "version": "0.2.2",
 9 |   "keywords": [
10 |     "helmet",
11 |     "security",
12 |     "express",
13 |     "connect",
14 |     "x-frame-options",
15 |     "clickjack",
16 |     "frame"
17 |   ],
18 |   "repository": {
19 |     "type": "git",
20 |     "url": "git://github.com/helmetjs/frameguard.git"
21 |   },
22 |   "bugs": "https://github.com/helmetjs/frameguard/issues",
23 |   "scripts": {
24 |     "test": "mocha"
25 |   },
26 |   "devDependencies": {
27 |     "connect": "^3.3.1",
28 |     "mocha": "^2.0.1",
29 |     "supertest": "^0.15.0"
30 |   },
31 |   "dependencies": {
32 |     "lodash.isstring": "3.0.1"
33 |   }
34 | }
35 | 


--------------------------------------------------------------------------------
/index.js:
--------------------------------------------------------------------------------
 1 | var isString = require('lodash.isstring');
 2 | 
 3 | module.exports = function frameguard(action, options) {
 4 | 
 5 |   var header;
 6 | 
 7 |   if (action === undefined) {
 8 |     header = 'SAMEORIGIN';
 9 |   } else if (isString(action)) {
10 |     header = action.toUpperCase();
11 |   }
12 | 
13 |   if (header === 'ALLOWFROM') {
14 |     header = 'ALLOW-FROM';
15 |   } else if (header === 'SAME-ORIGIN') {
16 |     header = 'SAMEORIGIN';
17 |   }
18 | 
19 |   if (['DENY', 'ALLOW-FROM', 'SAMEORIGIN'].indexOf(header) === -1) {
20 |     throw new Error('X-Frame must be undefined, "DENY", "ALLOW-FROM", or "SAMEORIGIN"');
21 |   }
22 | 
23 |   if (header === 'ALLOW-FROM') {
24 |     if (!isString(options)) {
25 |       throw new Error('X-Frame: ALLOW-FROM requires a second parameter');
26 |     }
27 |     header = 'ALLOW-FROM ' + options;
28 |   }
29 | 
30 |   return function frameguard(req, res, next) {
31 |     res.setHeader('X-Frame-Options', header);
32 |     next();
33 |   };
34 | 
35 | };
36 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2014 Evan Hahn, Adam Baldwin
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Frameguard
 2 | 
 3 | [![Build Status](https://travis-ci.org/helmetjs/frameguard.svg?branch=master)](https://travis-ci.org/helmetjs/frameguard)
 4 | 
 5 | **Trying to prevent:** Your page being put in a `<frame>` or `<iframe>` without your consent. This helps to prevent things like [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking).
 6 | 
 7 | **How do we mitigate this:** The `X-Frame-Options` HTTP header restricts who can put your site in a frame. It has three modes: `DENY`, `SAMEORIGIN`, and `ALLOW-FROM`. If your app does not need to be framed (and most don't) you can use the default `DENY`. If your site can be in frames from the same origin, you can set it to `SAMEORIGIN`. If you want to allow it from a specific URL, you can allow that with `ALLOW-FROM` and a URL.
 8 | 
 9 | Usage:
10 | 
11 | ```javascript
12 | var frameguard = require('frameguard');
13 | 
14 | // Don't allow me to be in ANY frames:
15 | app.use(frameguard('deny'));
16 | 
17 | // Only let me be framed by people of the same origin:
18 | app.use(frameguard('sameorigin'));
19 | app.use(frameguard());  // defaults to this
20 | 
21 | // Allow from a specific host:
22 | app.use(frameguard('allow-from', 'http://example.com'));
23 | ```
24 | 
25 | **Limitations:** This has pretty good (but not 100%) browser support: IE8+, Opera 10.50+, Safari 4+, Chrome 4.1+, and Firefox 3.6.9+. It only prevents against a certain class of attack, but does so pretty well. It also prevents your site from being framed, which you might want for legitimate reasons.
26 | 


--------------------------------------------------------------------------------
/test/index.js:
--------------------------------------------------------------------------------
  1 | var frameguard = require('..');
  2 | 
  3 | var connect = require('connect');
  4 | var request = require('supertest');
  5 | var assert = require('assert');
  6 | 
  7 | describe('frameguard', function () {
  8 | 
  9 |   describe('with proper input', function () {
 10 | 
 11 |     function hello(req, res) {
 12 |       res.end('Hello world!');
 13 |     };
 14 | 
 15 |     var app;
 16 |     beforeEach(function () {
 17 |       app = connect();
 18 |     });
 19 | 
 20 |     it('sets header to SAMEORIGIN with no arguments', function (done) {
 21 |       app.use(frameguard()).use(hello);
 22 |       request(app).get('/')
 23 |       .expect('X-Frame-Options', 'SAMEORIGIN', done);
 24 |     });
 25 | 
 26 |     it('sets header to DENY when called with lowercase "deny"', function (done) {
 27 |       app.use(frameguard('deny')).use(hello);
 28 |       request(app).get('/')
 29 |       .expect('X-Frame-Options', 'DENY', done);
 30 |     });
 31 | 
 32 |     it('sets header to DENY when called with uppercase "DENY"', function (done) {
 33 |       app.use(frameguard('DENY')).use(hello);
 34 |       request(app).get('/')
 35 |       .expect('X-Frame-Options', 'DENY', done);
 36 |     });
 37 | 
 38 |     it('sets header to SAMEORIGIN when called with lowercase "sameorigin"', function (done) {
 39 |       app.use(frameguard('sameorigin')).use(hello);
 40 |       request(app).get('/')
 41 |       .expect('X-Frame-Options', 'SAMEORIGIN', done);
 42 |     });
 43 | 
 44 |     it('sets header to SAMEORIGIN when called with lowercase "same-origin"', function (done) {
 45 |       app.use(frameguard('same-origin')).use(hello);
 46 |       request(app).get('/')
 47 |       .expect('X-Frame-Options', 'SAMEORIGIN', done);
 48 |     });
 49 | 
 50 |     it('sets header to SAMEORIGIN when called with uppercase "SAMEORIGIN"', function (done) {
 51 |       app.use(frameguard('SAMEORIGIN')).use(hello);
 52 |       request(app).get('/')
 53 |       .expect('X-Frame-Options', 'SAMEORIGIN', done);
 54 |     });
 55 | 
 56 |     it('sets header properly when called with lowercase "allow-from"', function (done) {
 57 |       app.use(frameguard('allow-from', 'http://example.com')).use(hello);
 58 |       request(app).get('/')
 59 |       .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done);
 60 |     });
 61 | 
 62 |     it('sets header properly when called with uppercase "ALLOW-FROM"', function (done) {
 63 |       app.use(frameguard('ALLOW-FROM', 'http://example.com')).use(hello);
 64 |       request(app).get('/')
 65 |       .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done);
 66 |     });
 67 | 
 68 |     it('sets header properly when called with lowercase "allowfrom"', function (done) {
 69 |       app.use(frameguard('allowfrom', 'http://example.com')).use(hello);
 70 |       request(app).get('/')
 71 |       .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done);
 72 |     });
 73 | 
 74 |     it('sets header properly when called with uppercase "ALLOWFROM"', function (done) {
 75 |       app.use(frameguard('ALLOWFROM', 'http://example.com')).use(hello);
 76 |       request(app).get('/')
 77 |       .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done);
 78 |     });
 79 | 
 80 |     it('works with String object set to "SAMEORIGIN" and doesn\'t change them', function (done) {
 81 |       /* jshint -W053 */
 82 |       var str = new String('SAMEORIGIN');
 83 |       /* jshint +W053 */
 84 |       app.use(frameguard(str)).use(hello);
 85 |       request(app).get('/')
 86 |       .expect('X-Frame-Options', 'SAMEORIGIN', done);
 87 |       assert.equal(str, 'SAMEORIGIN');
 88 |     });
 89 | 
 90 |     it('works with ALLOW-FROM with String objects and doesn\'t change them', function (done) {
 91 |       /* jshint -W053 */
 92 |       var directive = new String('ALLOW-FROM');
 93 |       var url = new String('http://example.com');
 94 |       /* jshint +W053 */
 95 |       app.use(frameguard(directive, url));
 96 |       app.use(hello);
 97 |       request(app).get('/')
 98 |       .expect('X-Frame-Options', 'ALLOW-FROM http://example.com', done);
 99 |       assert.equal(directive, 'ALLOW-FROM');
100 |       assert.equal(url, 'http://example.com');
101 |     });
102 | 
103 |   });
104 | 
105 |   it('names its function and middleware', function () {
106 |     assert.equal(frameguard.name, 'frameguard');
107 |     assert.equal(frameguard.name, frameguard().name);
108 |   });
109 | 
110 |   describe('with improper input', function () {
111 | 
112 |     function callWith() {
113 |       var args = arguments;
114 |       return function () {
115 |         return frameguard.apply(this, args);
116 |       };
117 |     }
118 | 
119 |     it('fails with a bad first argument', function () {
120 |       assert.throws(callWith(' '));
121 |       assert.throws(callWith('denyy'));
122 |       assert.throws(callWith('DENNY'));
123 |       assert.throws(callWith(' deny '));
124 |       assert.throws(callWith(' DENY '));
125 |       assert.throws(callWith(123));
126 |       assert.throws(callWith(false));
127 |       assert.throws(callWith(null));
128 |       assert.throws(callWith({}));
129 |       assert.throws(callWith([]));
130 |       assert.throws(callWith(['ALLOW-FROM', 'http://example.com']));
131 |       assert.throws(callWith(/cool_regex/g));
132 |     });
133 | 
134 |     it('fails with a bad second argument if the first is "ALLOW-FROM"', function () {
135 |       assert.throws(callWith('ALLOW-FROM'));
136 |       assert.throws(callWith('ALLOW-FROM', null));
137 |       assert.throws(callWith('ALLOW-FROM', false));
138 |       assert.throws(callWith('ALLOW-FROM', 123));
139 |       assert.throws(callWith('ALLOW-FROM', ['http://website.com', 'http//otherwebsite.com']));
140 |     });
141 | 
142 |   });
143 | 
144 | });
145 | 


--------------------------------------------------------------------------------