express-defend v1.0.9

Express middleware that detects malicious requests, like XSS or Path Traversal



Node.js Express middleware that detects malicious requests on your site (originating from an automated website vulnerability scanner or an attacker), such as:

http://<your website>/page.html?name=<script>alert('hello world')</script>
http://<your website>/page.html?path=../../etc/passwd

Once a possible security threat is detected by express-defend, you can block all other requests sent from the attacker. If file logging is enabled, you can check the log file and see how attackers try to find security vulnerabilities on your server (it is worth reviewing, since there might be real issues as well).

The current implementation supports the following:

  • Cross Site Scripting detection
  • Path Traversal detection
  • SQL Injection detection

Please note that this module will never be able to detect security threats with 100% precision. The goal of this project is to catch and report the very first 'obvious' attempts, if possible.


$ npm install express-defend

Setting up your express server with express-defend support

var express = require('express');
var expressDefend = require('express-defend');

var app = express();

app.use(expressDefend.protect({
    maxAttempts: 5,                   // (default: 5) number of attempts until "onMaxAttemptsReached" gets triggered
    dropSuspiciousRequest: true,      // respond 403 Forbidden when max attempts count is reached
    consoleLogging: true,             // (default: true) enable console logging
    logFile: 'suspicious.log',        // if specified, express-defend will log its output here
    onMaxAttemptsReached: function(ipAddress, url){
        console.log('IP address ' + ipAddress + ' is considered to be malicious, URL: ' + url);
    }
}));


Please note that only suspicious traffic will be dropped from a malicious host when "dropSuspiciousRequest" is enabled. If you want to put the host on a blacklist on your server, you might want to use this module with express-blacklist.
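To make the "only suspicious traffic is dropped" behaviour concrete, here is an added sketch of the detect-and-count logic described above; it is not express-defend's source code. The regular expressions, the exact threshold semantics, and the names `classify`, `sketchProtect` and `simulate` are assumptions made for illustration; only the option names come from this page.

```javascript
// Added sketch, NOT express-defend's source: patterns and thresholds are assumptions.
const PATTERNS = [
  { type: 'xss', re: /<\s*script\b|javascript:/i },
  { type: 'path-traversal', re: /\.\.[\/\\]/ },
  { type: 'sql-injection', re: /\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+/i },
];

// Decode before matching so percent-encoded probes are classified like literal ones.
function classify(url) {
  let decoded;
  try {
    decoded = decodeURIComponent(url.replace(/\+/g, ' '));
  } catch (e) {
    decoded = url; // malformed percent-encoding: fall back to the raw URL
  }
  const hit = PATTERNS.find((p) => p.re.test(decoded));
  return hit ? hit.type : null;
}

// Hypothetical stand-in for the middleware, using the option names from the page.
function sketchProtect(opts) {
  const maxAttempts = opts.maxAttempts || 5;
  const attempts = new Map(); // client IP -> number of suspicious requests seen
  return function (req, res, next) {
    if (!classify(req.url)) return next(); // clean requests are never dropped
    const count = (attempts.get(req.ip) || 0) + 1;
    attempts.set(req.ip, count);
    if (count === maxAttempts && opts.onMaxAttemptsReached) {
      opts.onMaxAttemptsReached(req.ip, req.url);
    }
    if (count >= maxAttempts && opts.dropSuspiciousRequest) {
      res.statusCode = 403;
      return res.end('Forbidden');
    }
    return next();
  };
}

// Run constructed requests from one client (documentation IP) through the sketch.
function simulate(urls, maxAttempts) {
  const flagged = [];
  const mw = sketchProtect({ maxAttempts, dropSuspiciousRequest: true,
    onMaxAttemptsReached: (ip, url) => flagged.push(ip + ' ' + url) });
  const outcomes = urls.map((url) => {
    let outcome = null;
    const res = { statusCode: 200, end() { outcome = this.statusCode; } };
    mw({ url, ip: '203.0.113.7' }, res, () => { outcome = 'next'; });
    return outcome;
  });
  return { outcomes, flagged };
}
```

Because the counter in this sketch lives in process memory, it resets on restart and is not shared between workers.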
