Route-Based Security
XyPriss supports fine-grained route-based security configuration, allowing developers to selectively apply security modules to specific routes. This prevents false positives on legitimate data while maintaining a strong defensive posture.
Core Configuration
Use the routeConfig option to define includeRoutes (whitelist) or excludeRoutes (blacklist) for individual security modules.
```ts
import { createServer } from "xypriss";

const app = createServer({
    security: {
        enabled: true,
        pathTraversal: true,
        sqlInjection: true,
        // Route-based configuration
        routeConfig: {
            pathTraversal: {
                // Exclude template routes from path traversal detection
                excludeRoutes: [
                    "/api/templates/*",
                    "/api/content/*"
                ]
            },
            sqlInjection: {
                // Only apply SQL injection detection to database routes
                includeRoutes: [
                    "/api/db/*",
                    "/api/query/*"
                ]
            }
        }
    }
});
```
Route Pattern Formats
XyPriss supports three flexible formats for specifying routes:
Wildcards
Use * to match sub-paths, or an exact string for a specific endpoint.
```ts
excludeRoutes: ["/api/templates/*", "/exact/path"]
```
Regular Expressions
Use a standard JavaScript regular expression for complex matching logic (the forward slashes inside the path must be escaped in a regex literal).
```ts
excludeRoutes: [/^\/api\/templates\/.+$/]
```
RoutePattern Objects
Restrict a rule to specific HTTP methods.
```ts
excludeRoutes: [{ path: "/api/templates/*", methods: ["POST", "PUT"] }]
```
Available Modules
The following modules can be configured with route-specific rules:
- xss
- sqlInjection
- pathTraversal
- commandInjection
- xxe
- ldapInjection
Priority & Logic
Whitelist Priority
If both includeRoutes and excludeRoutes are specified, the whitelist takes priority.
Early Blocking
Route matching is performed early in the request lifecycle using optimized regex patterns.
Use includeRoutes for highly sensitive modules such as SQL injection detection, so that the module only runs on routes that interact with a database.
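The following reference implementation is an added example, not XyPriss's own code, that puts the three pattern formats and the priority rules above into one runnable matcher. It compiles a routeConfig into RegExp objects once (the "early blocking" idea) and then answers, per request, whether a given security module should run. Function names (compileRouteConfig, shouldApplyModule, activeModules) and the reading that `*` matches any sub-path including nested segments are assumptions; the sample config mirrors the page's example plus a regex rule and a method-restricted RoutePattern object.

```javascript
// Added reference example (not XyPriss's own implementation). Implements the
// includeRoutes / excludeRoutes semantics described on this page:
//   - wildcard strings, RegExp objects and { path, methods } RoutePattern objects
//   - whitelist (includeRoutes) takes priority over blacklist (excludeRoutes)
//   - patterns are compiled once so the per-request check only runs regexes

// Escape regex metacharacters in a literal path fragment.
function escapeRegExp(fragment) {
  return fragment.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");
}

// "/api/templates/*" -> /^\/api\/templates\/.*$/ ; a plain path matches exactly.
// Assumption: "*" matches any sub-path, including nested segments.
function wildcardToRegExp(pattern) {
  const body = pattern.split("*").map(escapeRegExp).join(".*");
  return new RegExp(`^${body}$`);
}

// Normalise one includeRoutes / excludeRoutes entry into { regex, methods }.
// Accepts a wildcard or exact string, a RegExp, or a { path, methods } object.
function compilePattern(entry) {
  if (entry instanceof RegExp) return { regex: entry, methods: null };
  if (typeof entry === "string") return { regex: wildcardToRegExp(entry), methods: null };
  const { path, methods } = entry;
  const compiled = compilePattern(path);
  return {
    regex: compiled.regex,
    methods: methods && methods.length ? methods.map((m) => m.toUpperCase()) : null,
  };
}

// Compile a whole routeConfig (keyed by module name) ahead of time.
function compileRouteConfig(routeConfig) {
  const compiled = {};
  for (const [moduleName, rules] of Object.entries(routeConfig)) {
    compiled[moduleName] = {
      include: (rules.includeRoutes || []).map(compilePattern),
      exclude: (rules.excludeRoutes || []).map(compilePattern),
    };
  }
  return compiled;
}

// A compiled pattern matches when the path matches and, if methods were given,
// the request method is one of them.
function matches(compiledPattern, method, path) {
  if (!compiledPattern.regex.test(path)) return false;
  return compiledPattern.methods === null || compiledPattern.methods.includes(method.toUpperCase());
}

// Decide whether one security module applies to this request.
function shouldApplyModule(compiledModule, method, path) {
  if (!compiledModule) return true; // no route rules: the module runs on every route
  if (compiledModule.include.length > 0) {
    // Whitelist priority: when includeRoutes is present it alone decides,
    // so any excludeRoutes on the same module are not consulted.
    return compiledModule.include.some((p) => matches(p, method, path));
  }
  return !compiledModule.exclude.some((p) => matches(p, method, path));
}

// Names of all modules that would run for one request (insertion order).
function activeModules(compiled, method, path) {
  return Object.keys(compiled).filter((name) => shouldApplyModule(compiled[name], method, path));
}

// Constructed sample config: the page's example plus a regex rule, a
// method-restricted RoutePattern object, and a module with both lists set.
const sampleRouteConfig = {
  pathTraversal: { excludeRoutes: ["/api/templates/*", "/api/content/*"] },
  sqlInjection: { includeRoutes: ["/api/db/*", "/api/query/*"] },
  commandInjection: { excludeRoutes: [/^\/api\/templates\/.+$/] },
  xss: { excludeRoutes: [{ path: "/api/templates/*", methods: ["POST", "PUT"] }] },
  ldapInjection: { includeRoutes: ["/api/ldap/*"], excludeRoutes: ["/api/ldap/*"] },
};
const compiledConfig = compileRouteConfig(sampleRouteConfig);

console.log(activeModules(compiledConfig, "POST", "/api/templates/welcome")); // []
console.log(activeModules(compiledConfig, "GET", "/api/templates/welcome"));  // ["xss"]
console.log(activeModules(compiledConfig, "GET", "/api/ldap/search"));        // whitelist wins
```

Note how a POST to `/api/templates/welcome` runs none of the sample modules, while a GET to the same path still runs `xss` because its exclusion is limited to POST and PUT; the `ldapInjection` entry shows that a route listed in both includeRoutes and excludeRoutes is still scanned, since the whitelist decides. Running the compile step once at startup rather than per request is what keeps the check cheap enough to sit early in the request lifecycle.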
