@rossetta-api/express

v0.1.0

Published

24 days ago

Zero-config network request obfuscation middleware for Express.js - protect your APIs from reverse engineering

0High
0Medium
0Low

express middleware encryption obfuscation security rossetta api-security endpoint-obfuscation request-encryption aes-256 hmac

@rossetta-api/express

Zero-config network request obfuscation middleware for Express.js

Features

🔒 Automatic endpoint obfuscation - API endpoints are hashed and unreadable
🔐 Request/response encryption - AES-256-CBC encryption for all data
✅ Session-based key management - No hardcoded secrets in frontend
🛡️ Anti-replay protection - Timestamp validation prevents replay attacks
📝 Request signatures - HMAC-SHA256 ensures request integrity

Installation

npm install @rossetta-api/express

Quick Start

import express from 'express';
import { rossettaMiddleware } from '@rossetta-api/express';

const app = express();

// Add Rossetta middleware
app.use(rossettaMiddleware());

// Define your routes normally
app.get('/api/users', (req, res) => {
  res.json({ users: [] });
});

app.listen(3000);

That's it! All API endpoints are now automatically obfuscated and encrypted.

Usage

Basic Setup

import { rossettaMiddleware, createSessionInitHandler } from '@rossetta-api/express';

app.use(rossettaMiddleware({
  secret: process.env.SECRET_KEY, // Optional: auto-generated if not provided
  sessionMaxAge: 24 * 60 * 60 * 1000, // 24 hours (default)
  timestampWindow: 5 * 60 * 1000 // 5 minutes (default)
}));

// Add session initialization endpoint for frontend
app.post('/api/init-session', createSessionInitHandler());

Encrypting Responses

app.get('/api/data', (req, res) => {
  const data = { message: 'Hello, World!' };
  res.encryptResponse(data); // Automatically encrypted
});

Accessing Request Data

app.post('/api/create', (req, res) => {
  // req.body is automatically decrypted
  const { name } = req.body;
  
  const result = { id: 1, name };
  res.encryptResponse(result);
});

Using Rossetta Helpers

app.use((req, res, next) => {
  // Access Rossetta utilities
  const obfuscatedPath = req.rossetta.obfuscateEndpoint('my-endpoint');
  const encrypted = req.rossetta.encrypt({ data: 'test' });
  const decrypted = req.rossetta.decrypt(encrypted);
  
  next();
});

How It Works

Session Initialization: Client requests session keys from /api/init-session
Key Generation: Server generates unique encryption keys per session
Endpoint Obfuscation: All endpoints are hashed using SHA-256
Request Encryption: Client encrypts requests with session key
Server Decryption: Middleware automatically decrypts and validates requests
Response Encryption: Responses are encrypted before sending to client

Security Features

No Hardcoded Secrets: Keys are generated per session
Perfect Forward Secrecy: Each session has unique keys
Replay Attack Prevention: Timestamp-based validation
Request Integrity: HMAC signatures prevent tampering
Endpoint Obfuscation: API structure hidden from inspection

⚠️ Production Deployment

IMPORTANT: This package provides obfuscation and encryption at the application layer. For production use, you MUST also implement:

Required for Production:

HTTPS/TLS: Always use HTTPS in production
- Obfuscation is NOT a replacement for TLS
- Use valid SSL/TLS certificates
- Configure HSTS headers

Environment Variables: Never hardcode secrets

ROSSETTA_SECRET_KEY=your-secure-random-key-here
NODE_ENV=production

Rate Limiting: Add rate limiting to prevent abuse

import rateLimit from 'express-rate-limit';
   
app.use(rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100
}));

Authentication & Authorization: Add proper auth layer
- This package only handles obfuscation
- Implement JWT, OAuth, or session-based auth
Database Security: Use parameterized queries
Input Validation: Validate all user inputs
CORS Configuration: Restrict allowed origins
Logging & Monitoring: Track security events

Recommended Security Stack:

[Client] → HTTPS/TLS → [Rate Limiter] → [Auth Middleware] → [Rossetta Middleware] → [Your API]

Environment Variables

ROSSETTA_SECRET_KEY=your-secret-key-here  # Optional: for key derivation
NODE_ENV=production  # Enables secure cookies

API Reference

`rossettaMiddleware(options)`

Main middleware function.

Options:

secret (string): Secret key for encryption (auto-generated if not provided)
sessionMaxAge (number): Session duration in milliseconds (default: 24 hours)
timestampWindow (number): Request validity window in milliseconds (default: 5 minutes)

`createSessionInitHandler()`

Creates a route handler for session initialization.

Returns session keys to the client.

Request Extensions

req.rossetta.sessionKey: Current session encryption key
req.rossetta.endpointSalt: Salt for endpoint obfuscation
req.rossetta.obfuscateEndpoint(name): Obfuscate an endpoint name
req.rossetta.encrypt(data): Encrypt data
req.rossetta.decrypt(data): Decrypt data

Response Extensions

res.encryptResponse(data): Encrypt and send response

License

MIT

Published

Vulnerabilities

Links

Maintainers

Keywords

Readme

@rossetta-api/express

Features

Installation

Quick Start

Usage

Basic Setup

Encrypting Responses

Accessing Request Data

Using Rossetta Helpers

How It Works

Security Features

⚠️ Production Deployment

Required for Production:

Recommended Security Stack:

Environment Variables

API Reference

rossettaMiddleware(options)

createSessionInitHandler()

Request Extensions

Response Extensions

License

`rossettaMiddleware(options)`

`createSessionInitHandler()`