securexpress
v2.0.2
Reliable Express security middleware with anti-DDoS L7 protection, API key auth, CAPTCHA gate, CORS guard, cache guard, maintenance mode, request IDs, and safe defaults.
# securexpress

Express security middleware with safe defaults, Layer 7 anti-DDoS, bot guard, API key auth, CAPTCHA gate, CORS guard, cache guard, maintenance mode, request ID, and error handler.

Important note: no Node.js middleware can stop every DDoS. For high-bandwidth or Layer 3-4 attacks, keep using Cloudflare, a firewall, a reverse proxy, or your hosting provider's protection. securexpress focuses on hardening Layer 7 / HTTP.
## Install

```bash
npm install securexpress
```

For local development:

```bash
npm install
npm test
npm start
```

## Basic Usage
```js
const express = require("express");
const securexpress = require("securexpress");

const app = express();

app.use(express.json({ limit: "1mb" }));

app.use(securexpress({
  preset: "balanced",
  trustProxy: true
}));

app.get("/health", securexpress.health());

app.get("/", (req, res) => {
  res.json({
    success: true,
    requestId: req.id
  });
});

app.use(securexpress.notFoundHandler);
app.use(securexpress.errorHandler());

app.listen(3000);
```

## Preset

```js
preset: "loose"    // relaxed, for casual websites
preset: "balanced" // default, recommended
preset: "strict"   // stricter mode
```

## Features
### 1. Request ID

Enabled by default.

```js
app.use(securexpress({
  requestId: true
}));
```

Response header:

```
X-Request-ID: uuid
```

### 2. Security Headers

Uses Helmet, enabled by default.

```js
app.use(securexpress({
  headers: true
}));
```

### 3. Anti-DDoS Layer 7
Enabled by default.

Protects against:

- HTTP floods
- request bursts
- excessive concurrent requests
- over-long URLs
- oversized headers
- oversized bodies
- common scanner paths

```js
app.use(securexpress({
  preset: "strict",
  ddos: true,
  bodyGuardOptions: {
    maxBodySize: "512kb",
    maxUrlLength: 2048,
    timeoutMs: 15000
  }
}));
```

### 4. Bot Guard
Enabled by default.

```js
app.use(securexpress({
  botGuard: true,
  botGuardOptions: {
    strict: true
  }
}));
```

### 5. API Key Auth
Off by default. Enable it manually.

```js
app.use(securexpress({
  apiKeyAuth: {
    enabled: true,
    keys: ["secret-key-1", "secret-key-2"],
    exclude: ["/health", "/public"]
  }
}));
```

Client:

```bash
curl http://localhost:3000/private \
  -H "x-api-key: secret-key-1"
```

### 6. CORS Guard
Off by default.

```js
app.use(securexpress({
  cors: true,
  corsOptions: {
    origins: ["https://domainmu.com"],
    credentials: true
  }
}));
```

To allow every origin:

```js
corsOptions: {
  origins: ["*"]
}
```

Note that `["*"]` removes the origin restriction entirely, and browsers will not accept a wildcard `Access-Control-Allow-Origin` together with `credentials: true`.

### 7. Cache Guard
Enabled by default.

Static files are served with:

```
Cache-Control: public, max-age=86400, immutable
```

Dynamic routes are served with:

```
Cache-Control: no-store
```

### 8. Maintenance Mode
Off by default.

```js
app.use(securexpress({
  maintenance: {
    enabled: true,
    message: "Server sedang maintenance",
    exclude: ["/health"]
  }
}));
```

### 9. CAPTCHA Gate
Off by default.

Cloudflare Turnstile:

```js
app.use(securexpress({
  captchaGate: {
    enabled: true,
    provider: "turnstile",
    title: "Verifikasi keamanan",
    turnstile: {
      siteKey: process.env.TURNSTILE_SITE_KEY,
      secretKey: process.env.TURNSTILE_SECRET_KEY
    },
    exclude: ["/api", "/health"]
  }
}));
```

Google reCAPTCHA v3:

```js
app.use(securexpress({
  captchaGate: {
    enabled: true,
    provider: "recaptcha",
    recaptcha: {
      siteKey: process.env.RECAPTCHA_SITE_KEY,
      secretKey: process.env.RECAPTCHA_SECRET_KEY,
      minScore: 0.5
    },
    exclude: ["/api", "/health"]
  }
}));
```

### 10. Error Handler
```js
app.use(securexpress.notFoundHandler);
app.use(securexpress.errorHandler());
```

## Recommended Production Mode

```js
app.use(securexpress({
  preset: "strict",
  trustProxy: true,
  cors: true,
  corsOptions: {
    origins: ["https://domainmu.com"]
  },
  bodyGuardOptions: {
    maxBodySize: "1mb",
    timeoutMs: 15000
  },
  apiKeyAuth: {
    enabled: false
  },
  captchaGate: {
    enabled: false
  }
}));
```

## Publishing to npm
Log in:

```bash
npm login
```

Check the package:

```bash
npm test
npm run check
npm pack --dry-run
```

Bump the version:

```bash
npm version patch
```

Publish publicly:

```bash
npm publish --access public
```

If the package has already been published and you want to update it:

```bash
npm version patch
npm publish --access public
```

## Design Principles
- All heavyweight features are off by default.
- No hardcoded API keys.
- No CDN endpoints.
- The body stream is never read manually.
- JSON APIs are not blocked aggressively.
- Error responses are always JSON for API middleware.
- CAPTCHA is only active when enabled manually.
