Protect

Proactively protect your Node.js web services

Generate Convert Improve

Install / Use

/learn @RisingStack/Protect

About this skill

Quality Score

0/100

README

Protect by RisingStack

Works on Node.js v6 and newer.

The purpose of this module is to provide out-of-box, proactive protection for common security problems, like SQL injection attacks, XSS attacks, brute force, etc...

This module is not a silver bullet, and is not a substitute for security-minded engineering work. But it can help you to achieve your goals.

protect by risingstack

Basic usage

npm i @risingstack/protect --save

With Express

const protect = require('@risingstack/protect')
const express = require('express')
const bodyParser = require('body-parser')
const redis = require('redis')

const client = redis.createClient()

const app = express()

app.use(bodyParser.json({
  extended: false
}))

app.use(protect.express.sqlInjection({
  body: true,
  loggerFunction: console.error
}))

app.use(protect.express.xss({
  body: true,
  loggerFunction: console.error
}))

app.use(protect.express.rateLimiter({
  db: client,
  id: (request) => request.connection.remoteAddress
}))

app.get('/', (request, response) => {
  response.send('hello protect!')
})

app.post('/login', protect.express.rateLimiter({
  db: client,
  id: (request) => request.body.email,
  // max 10 tries per 2 minutes
  max: 10,
  duration: 120000
}), (request, response) => {
  response.send('wuut logged in')
})

app.listen(3000)

API

`protect.express.sqlInjection([options])`

Returns an Express middleware, which checks for SQL injections.

options.body: if this options is set (true), the middleware will check for request bodies as well
- default: false
- prerequisite: you must have the body-parser module used before adding the protect middleware
options.loggerFunction: you can provide a logger function for the middleware to log attacks
- default: noop

`protect.express.xss([options])`

Returns an Express middleware, which checks for XSS attacks.

options.body: if this options is set (true), the middleware will check for request bodies
- default: false
- prerequisite: you must have the body-parser module used before adding the protect middleware
options.loggerFunction: you can provide a logger function for the middleware to log attacks
- default: noop

`protect.express.rateLimiter([options])`

Returns an Express middleware, which ratelimits

options.id: function that returns the id used for ratelimiting - gets the request as its' first parameter
- required
- example: (request) => request.connection.remoteAddress
options.db: redis connection instance
- required
options.max: max requests within options.duration
- default: 2500
options.max: of limit in milliseconds
- default: 3600000
options.loggerFunction: you can provide a logger function for the middleware to log attacks
- default: noop

`protect.express.headers([options])`

The headers object is a reference to the main helmet object exported. For docs on the options object, please refer to the helmet documentation.

Roadmap

block security scanners
schell / code injection protection
what would you add?

Security Recommendations

As mentioned, this module isn't a silver bullet to solve your security issues completely. The following information is provided to hopefully point you in the right direction for solving other security concerns or alternatives that may be useful based on your budget or scale.

Other Aspects

There are plenty of other areas that you should be concerned about when it comes to security, that this module doesn't cover (yet or won't) for various reasons. Here are a few that are worth researching:

Password Hashing
- Bcrypt modules: bcrypt,bcryptjs, bcrypt-as-promised
- Scrypt modules: scrypt, scryptsy, scrypt-async
NoSQL Injection
Session management
CSRF - Cross Site Request Forgery
- CSURF Express Module
Signed Cookies: cookie-parser Express Module

Resources

Dedicated WAF

If you have the resources available (budget or hosting environment), a dedicated WAF (Web Application Firewall) can offer a robust solution to various security issues, such as blocking potential attackers and flagging their activity.

OWASP WAF information
Hosting providers:
- AWS WAF
- Microsoft Azure WAF
ModSecurity - Apache, nginX and other web servers.
CloudFlare - External WAF features.

Related Skills

healthcheck

337.3k

Host security hardening and risk-tolerance configuration for OpenClaw deployments

prose

337.3k

OpenProse VM skill pack. Activate on any `prose` command, .prose files, or OpenProse mentions; orchestrates multi-agent workflows.

Writing Hookify Rules

83.2k

This skill should be used when the user asks to "create a hookify rule", "write a hook rule", "configure hookify", "add a hookify rule", or needs guidance on hookify rule syntax and patterns.

Agent Development

83.2k

This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.

RisingStack

View profile

View on GitHub

GitHub Stars399

CategoryData

Updated2mo ago

Forks23

RisingStack/protect

Languages

JavaScript

Security Score

100/100

Audited on Jan 7, 2026

No findings