@axiomify/security
v7.0.0
Published
Request-level defence in depth for Axiomify — XSS sanitisation, HPP normalisation, prototype-pollution + null-byte filtering, bot UA detection.
Maintainers
Readme
@axiomify/security
Request security hardening for Axiomify. XSS sanitization, HTTP Parameter Pollution protection, prototype pollution prevention, null-byte blocking, opt-in NoSQL injection heuristics, and bot detection.
Install
npm install @axiomify/securityQuick start
import { useSecurity } from '@axiomify/security';
useSecurity(app);All protections are enabled by default, except noSqlInjectionProtection, which is opt-in (see Options).
Options
| Option | Type | Default | Description |
| ------------------------------ | ---------- | ----------------------------- | ---------------------------------------------------------------------------------------------------------- |
| xssProtection | boolean | true | Strip <script>, event handlers, javascript: from strings |
| hppProtection | boolean | true | Deduplicate repeated query params (last value wins) |
| prototypePollutionProtection | boolean | true | Remove __proto__, constructor, prototype keys |
| nullByteProtection | boolean | true | Remove null bytes (\0) from strings |
| botProtection | boolean | true | Block known scanner/crawler User-Agent patterns |
| ~~sqlInjectionProtection~~ | removed | — | Removed in v6.0 — TypeScript excess-property error. Use parameterised queries. |
| noSqlInjectionProtection | boolean | false | Heuristic NoSQL operator-key detection. Opt-in — supplementary defense for code without full Zod schema coverage; prefer schema validation. |
| maxBodySize | number | 1048576 | Reject requests where Content-Length exceeds this value |
| blockedUserAgentPatterns | RegExp[] | DEFAULT_BLOCKED_UA_PATTERNS | Override the User-Agent patterns blocked when botProtection is on. |
| noSqlPatterns | RegExp[] | DEFAULT_NOSQL_PATTERNS | Override the NoSQL operator patterns matched when noSqlInjectionProtection is on. |
| sanitizerMaxDepth | number | 64 | Maximum object depth the body/query/params sanitizer recurses into. |
Caveats
- SQL/NoSQL injection detection is heuristic — not a replacement for parameterized queries.
maxBodySizechecksContent-Lengthheader only. Enforce stream limits at the adapter level too.- Bot patterns target known scanners; a custom
blockedUserAgentPatternsarray covers bespoke cases.
Performance
Body sanitization uses direct property assignment (not Object.defineProperty) — V8 hidden-class optimisation is preserved.
