JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 4423752
  • Score
    100M100P100Q195229F

Security header middleware collection for express

Package Exports

  • helmet

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (helmet) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

Express / Connect middleware that implement various security headers. [with sane defaults where applicable]

Included Middleware

  • csp (Content Security Policy)
  • xframe (X-FRAME-OPTIONS)
  • iexss (X-XSS-PROTECTION for IE8+)

Installation

npm install helmet

Basic Express Usage

    var helmet = require('helmet');

To use a particular middleware application wide just add it to your app configuration.

    app.configure(function(){
        app.use(express.methodOverride());
        app.use(express.bodyParser());
        app.use(helmet.csp());
        app.use(helmet.xframe());
        app.use(app.router);
    });

Content Security Policy

Content Security Policy (W3C Draft) <- Pretty much required reading if you want to do anything with CSP

Browser Support

Currently there is CSP support in Firefox and experimental support in Chrome. Both X-Content-Security-Policy and X-WebKit-CSP headers are set by helmet.

There are two different ways to build CSP policies with helmet.

Using policy()

policy() eats a json blob (including the output of it's own toJSON() function) to create a policy. By default helmet has a defaultPolicy that looks like;

Content-Security-Policy: default-src 'self'

To override this and create a new policy you could do something like

policy = {
  defaultPolicy: {
    'default-src': ["'self'"],
    'img-src': ['static.andyet.net','*.cdn.example.com'],
  }
}

helmet.csp.policy(policy);

Using add()

The same thing could be accomplished using add() since the defaultPolicy default-src is already 'self'

helmet.csp.add('img-src', ['static.andyet.net', '*.cdn.example.com']);

Reporting Violations

CSP can report violations back to a specified URL. You can either set the report-uri using policy() or add() or use the reportTo() helper function.

helmet.csp.reportTo('http://example.com/csp');

X-FRAME-OPTIONS

xFrame is a lot more straight forward than CSP. It has three modes. DENY, SAMEORIGIN, ALLOW-FROM. If your app does not need to be framed (and most don't) you can use the default DENY.

Browser Support

  • IE8+
  • Opera 10.50+
  • Safari 4+
  • Chrome 4.1.249.1042+
  • Firefox 3.6.9 (or earlier with NoScript)

Here is an example for both SAMEORIGIN and ALLOW-FROM

helmet.xframe('sameorigin');
helmet.xframe('allow-from', 'http://example.com');

X-XSS-PROTECTION

The following example sets the X-XSS-PROTECTION: 1; mode=block header

helmet.iexss();

To Be Implemented

  • HTTP Strict Transport Security
  • Warn when self, unsafe-inline or unsafe-eval are not single quoted
  • Warn when unsafe-inline or unsafe-eval are used
  • Caching of generated CSP headers
  • Device to capture and parse reported CSP violations