JSPM

  • Downloads 4423752

Security header middleware collection for express

Package Exports

  • helmet

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (helmet) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

Express / Connect middleware that implements various security headers (with sane defaults where applicable).

Included Middleware

  • csp (Content Security Policy)
  • HSTS (HTTP Strict Transport Security)
  • xframe (X-FRAME-OPTIONS)
  • iexss (X-XSS-PROTECTION for IE8+)
  • contentTypeOptions (X-Content-Type-Options nosniff)
  • cacheControl (Cache-Control no-store, no-cache)

Installation

    npm install helmet

Basic Express Usage

    var helmet = require('helmet');

To use a particular middleware application-wide, just `app.use()` it from your app. Make sure it is listed before app.router, otherwise the router answers the request before the header is set.

    app.use(express.methodOverride());
    app.use(express.bodyParser());
    app.use(helmet.csp());
    app.use(helmet.xframe());
    app.use(helmet.contentTypeOptions());
    app.use(app.router);

If you just want to use the default-level policies, all you need to do is:

    helmet.defaults(app);

Defaults is semi-configurable too. If you wanted for instance all the defaults but wanted your own xframe options you could do this:

    helmet.defaults(app, {xframe: false});
    app.use(helmet.xframe('DENY'));
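The ordering rule above (security-header middleware before app.router) is easy to get wrong, so here is an added example that makes it visible. It is not helmet's code and not from the original page: it uses a mock response object and a hand-written `runPipeline` that mimics how Express walks an `app.use()` chain, and a `contentTypeOptions()` middleware written here for illustration (the names `makeResponse`, `runPipeline`, `headersWithCorrectOrder` and `headersWithWrongOrder` are this example's own).

```javascript
// Added example (not helmet's code): a minimal Express-style middleware
// runner showing why header middleware must be mounted before the router.
// A mock response records headers; the "router" ends the response, so any
// middleware mounted after it never runs and its header is never sent.

// Mock response: just enough of the Node/Express API for this demo.
function makeResponse() {
  const headers = {};
  return {
    headers,
    ended: false,
    body: undefined,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    end(body) { this.body = body; this.ended = true; },
  };
}

// A helmet-style middleware factory written here for illustration.
function contentTypeOptions() {
  return function (req, res, next) {
    res.setHeader('X-Content-Type-Options', 'nosniff');
    next();
  };
}

// Stands in for app.router: it answers the request and ends the response.
// Like a real router it does not call next() once it has responded.
function router(req, res, next) {
  res.end('hello');
}

// Runs a middleware chain the way Express does: each middleware calls
// next() to continue, and the chain stops once the response has ended.
function runPipeline(middlewares, req = { url: '/' }) {
  const res = makeResponse();
  let i = 0;
  function next() {
    if (res.ended || i >= middlewares.length) return;
    const mw = middlewares[i++];
    mw(req, res, next);
  }
  next();
  return res;
}

// Correct order: header middleware first, router last.
function headersWithCorrectOrder() {
  return runPipeline([contentTypeOptions(), router]).headers;
}

// Wrong order: router first, so the header middleware never runs.
function headersWithWrongOrder() {
  return runPipeline([router, contentTypeOptions()]).headers;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('mounted before router:', headersWithCorrectOrder());
  console.log('mounted after router: ', headersWithWrongOrder());
}
```

The same failure mode applies to `helmet.defaults(app)`: call it before `app.use(app.router)`, or the defaults are silently absent from every routed response.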

Content Security Policy

Content Security Policy (W3C Draft): pretty much required reading if you want to do anything with CSP.

Browser Support

Currently there is CSP support in Firefox and experimental support in Chrome. Both X-Content-Security-Policy and X-WebKit-CSP headers are set by helmet.

There are two different ways to build CSP policies with helmet.

Using policy()

policy() takes a JSON blob (including the output of its own toJSON() function) to create a policy. By default helmet has a defaultPolicy that looks like:

    Content-Security-Policy: default-src 'self'

To override this and create a new policy you could do something like:

    var policy = {
      defaultPolicy: {
        'default-src': ["'self'"],
        'img-src': ['static.andyet.net', '*.cdn.example.com']
      }
    };

    helmet.csp.policy(policy);

Using add()

The same thing could be accomplished using add(), since the defaultPolicy default-src is already 'self':

    helmet.csp.add('img-src', ['static.andyet.net', '*.cdn.example.com']);

Reporting Violations

CSP can report violations back to a specified URL. You can either set the report-uri using policy() or add() or use the reportTo() helper function.

    helmet.csp.reportTo('http://example.com/csp');
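To show how the policy(), add() and reportTo() calls above fit together, here is an added example of a small CSP policy builder. It is not helmet's implementation and not from the original page: `createPolicy`, `cspMiddleware`, `buildReadmePolicy` and `buildWithAdd` are names chosen for this example, and the policy values are the ones from the README. It serialises the JSON policy into the header string, sets both header names the README says helmet emits, and implements the quoting check the "To Be Implemented" list describes (an unquoted `self` is a host named "self", not the keyword, so the policy silently means something else).

```javascript
// Added example (not helmet's code): a CSP policy builder modelled on the
// policy() / add() / reportTo() shape described in the README.

// Keyword sources that must be single-quoted in a CSP source list.
const KEYWORDS = new Set(['self', 'unsafe-inline', 'unsafe-eval', 'none']);

function createPolicy() {
  // Default matches the README: default-src 'self'
  const directives = { 'default-src': ["'self'"] };
  const api = {
    // Replace the whole policy with a JSON blob of the form shown above
    // (either {defaultPolicy: {...}} or the bare directive map).
    policy(blob) {
      const src = blob.defaultPolicy || blob;
      for (const key of Object.keys(directives)) delete directives[key];
      for (const [name, values] of Object.entries(src)) {
        directives[name] = [].concat(values);
      }
      return api;
    },
    // Append sources to one directive, creating it if needed.
    add(name, values) {
      directives[name] = (directives[name] || []).concat(values);
      return api;
    },
    // Helper for report-uri; equivalent to setting it via policy() or add().
    reportTo(url) {
      directives['report-uri'] = [url];
      return api;
    },
    // Output is accepted back by policy(), as the README describes.
    toJSON() {
      return { defaultPolicy: JSON.parse(JSON.stringify(directives)) };
    },
    // Lint the source lists: unquoted keywords and unsafe-* usage.
    warnings() {
      const out = [];
      for (const [name, values] of Object.entries(directives)) {
        for (const v of values) {
          if (KEYWORDS.has(v)) out.push(`${name}: ${v} should be written '${v}'`);
          if (v === "'unsafe-inline'" || v === "'unsafe-eval'") {
            out.push(`${name}: ${v} weakens the policy`);
          }
        }
      }
      return out;
    },
    // Header value: "directive src src; directive src"
    toHeader() {
      return Object.entries(directives)
        .map(([name, values]) => `${name} ${values.join(' ')}`)
        .join('; ');
    },
  };
  return api;
}

// Middleware that sets both header names the README says helmet emits.
function cspMiddleware(csp) {
  return (req, res, next) => {
    const value = csp.toHeader();
    res.setHeader('X-Content-Security-Policy', value);
    res.setHeader('X-WebKit-CSP', value);
    next();
  };
}

// The README's policy() example plus reportTo().
function buildReadmePolicy() {
  return createPolicy()
    .policy({
      defaultPolicy: {
        'default-src': ["'self'"],
        'img-src': ['static.andyet.net', '*.cdn.example.com'],
      },
    })
    .reportTo('http://example.com/csp')
    .toHeader();
}

// The equivalent add() form from the README.
function buildWithAdd() {
  return createPolicy()
    .add('img-src', ['static.andyet.net', '*.cdn.example.com'])
    .toHeader();
}
```

Run `warnings()` before mounting the middleware; a policy that returns any warning is either not saying what you think it says (unquoted keyword) or is weaker than the default (unsafe-inline / unsafe-eval).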

HTTP Strict Transport Security

draft-ietf-websec-strict-transport-sec-04

This middleware adds the Strict-Transport-Security header to the response.

Basic Usage

To send the default header, Strict-Transport-Security: maxAge=15768000:

    helmet.hsts();

To adjust the maxAge and to include subdomains:

    helmet.hsts(1234567, true);  // hsts(maxAge, includeSubdomains)

X-FRAME-OPTIONS

xFrame is a lot more straightforward than CSP. It has three modes: DENY, SAMEORIGIN and ALLOW-FROM. If your app does not need to be framed (and most don't) you can use the default, DENY.

Browser Support

  • IE8+
  • Opera 10.50+
  • Safari 4+
  • Chrome 4.1.249.1042+
  • Firefox 3.6.9 (or earlier with NoScript)

Here is an example for both SAMEORIGIN and ALLOW-FROM:

    helmet.xframe('sameorigin');
    helmet.xframe('allow-from', 'http://example.com');
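As an added example covering both the HSTS section and the X-FRAME-OPTIONS section above, the following builds the two header values from the arguments the README shows, with the input checks a middleware should perform before emitting them. This is not helmet's code and not from the original page; `hstsValue`, `xframeValue`, `hsts` and `xframe` are names chosen here. One point of fact it relies on: on the wire the HSTS directive is spelled `max-age` (RFC 6797), so `maxAge` in the README is the option name, not the header text.

```javascript
// Added example (not helmet's code): header-value builders for HSTS and
// X-Frame-Options, plus Express-style middleware factories around them.

const DEFAULT_MAX_AGE = 15768000; // the README's default, roughly six months

// hsts(maxAge, includeSubdomains) -> value of Strict-Transport-Security
function hstsValue(maxAge = DEFAULT_MAX_AGE, includeSubdomains = false) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  // RFC 6797 directive names: max-age and includeSubDomains
  return `max-age=${maxAge}` + (includeSubdomains ? '; includeSubDomains' : '');
}

// xframe(mode, allowFrom) -> value of X-Frame-Options; mode is case-insensitive
function xframeValue(mode = 'DENY', allowFrom) {
  const m = String(mode).toUpperCase();
  if (m === 'DENY' || m === 'SAMEORIGIN') return m;
  if (m === 'ALLOW-FROM') {
    // ALLOW-FROM takes exactly one serialized origin. A malformed value is
    // rejected here rather than emitted, since browsers ignore it and the
    // page would then be framable from anywhere.
    let origin = null;
    try { origin = new URL(allowFrom).origin; } catch (e) { origin = null; }
    if (!origin || origin === 'null') {
      throw new TypeError('ALLOW-FROM needs an absolute http(s) URL');
    }
    return `ALLOW-FROM ${origin}`;
  }
  throw new TypeError(`unknown X-Frame-Options mode: ${mode}`);
}

// Middleware factories: validate once at mount time, set the header per request.
function hsts(maxAge, includeSubdomains) {
  const value = hstsValue(maxAge, includeSubdomains);
  return (req, res, next) => { res.setHeader('Strict-Transport-Security', value); next(); };
}

function xframe(mode, allowFrom) {
  const value = xframeValue(mode, allowFrom);
  return (req, res, next) => { res.setHeader('X-Frame-Options', value); next(); };
}
```

Validating at mount time (when `hsts()` or `xframe()` is called) rather than per request means a typo in the mode or a bad ALLOW-FROM URL fails at startup instead of producing a header that every browser silently ignores. Also note that browsers only honour Strict-Transport-Security when it arrives over HTTPS; sending it on a plain-HTTP response does nothing.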

X-XSS-PROTECTION

The following example sets the X-XSS-PROTECTION: 1; mode=block header:

    helmet.iexss();

X-Content-Type-Options

The following example sets the X-Content-Type-Options header to its only and default option, 'nosniff':

    helmet.contentTypeOptions();

Cache-Control

The following example sets the Cache-Control header to no-store, no-cache. This is not configurable at this time.

    helmet.cacheControl();

To Be Implemented

  • Warn when self, unsafe-inline or unsafe-eval are not single quoted
  • Warn when unsafe-inline or unsafe-eval are used
  • Caching of generated CSP headers
  • Device to capture and parse reported CSP violations
