Express / Connect middleware that implements various security headers, with sane defaults where applicable:
- csp (Content Security Policy)
- HSTS (HTTP Strict Transport Security)
- xframe (X-FRAME-OPTIONS)
- iexss (X-XSS-PROTECTION for IE8+)
- contentTypeOptions (X-Content-Type-Options nosniff)
- cacheControl (Cache-Control no-store, no-cache)
```shell
npm install helmet
```

```javascript
var helmet = require('helmet');
```
To use a particular middleware application-wide, add it to your app configuration. Make sure it is listed before `app.router`, otherwise the headers are never set on routed responses.

```javascript
app.configure(function () {
  app.use(express.methodOverride());
  app.use(express.bodyParser());
  app.use(helmet.csp());
  app.use(helmet.xframe());
  app.use(helmet.contentTypeOptions());
  app.use(app.router); // must come after the security middleware
});
```
Content Security Policy (W3C Draft): pretty much required reading if you want to do anything with CSP.
Currently there is CSP support in Firefox and experimental support in Chrome. Both X-Content-Security-Policy and X-WebKit-CSP headers are set by helmet.
There are two different ways to build CSP policies with helmet.

`policy()` takes a JSON blob (including the output of its own `toJSON()` function) to create a policy. By default helmet has a `defaultPolicy` that produces:

```
Content-Security-Policy: default-src 'self'
```
To override this and create a new policy you could do something like:

```javascript
var policy = {
  defaultPolicy: {
    'default-src': ["'self'"],
    'img-src': ['static.andyet.net', '*.cdn.example.com']
  }
};
helmet.csp.policy(policy);
```
The same thing could be accomplished using `add()`, since the `defaultPolicy` `default-src` is already `'self'`:

```javascript
helmet.csp.add('img-src', ['static.andyet.net', '*.cdn.example.com']);
```
CSP can report violations back to a specified URL. You can either set `report-uri` using `policy()` or `add()`, or use the `reportTo()` helper function:

```javascript
helmet.csp.reportTo('http://example.com/csp');
```
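The following is an added illustration, not helmet's own code, of what the `policy()` / `add()` / `reportTo()` workflow above produces on the wire: a small policy builder that serialises a directive map into the header text and a middleware that sets both the `X-Content-Security-Policy` and `X-WebKit-CSP` headers. It also performs the single-quote check on keyword sources that is listed in the TODO below. All function names (`buildCspHeader`, `cspMiddleware`, `fakeResponse`, and so on) are assumed, and the policy values are the ones from the README.

```javascript
// Added example (not helmet's own code): a minimal CSP policy builder that
// mirrors the policy()/add()/reportTo() workflow and shows the header text
// the browser receives. Function names are assumed for illustration.

// A policy is a map of directive name -> array of source expressions.
// Constructed sample matching the README's default policy.
const defaultPolicy = { 'default-src': ["'self'"] };

// Deep-copy so callers never mutate the shared default.
function clonePolicy(policy) {
  const out = {};
  for (const directive of Object.keys(policy)) {
    out[directive] = policy[directive].slice();
  }
  return out;
}

// policy(): replace the whole policy with the given object (the JSON-blob form).
function policy(newPolicy) {
  return clonePolicy(newPolicy);
}

// add(): append sources to one directive, creating it if needed; other
// directives (e.g. the default-src 'self') are left untouched.
function add(current, directive, sources) {
  const out = clonePolicy(current);
  const existing = out[directive] || [];
  for (const src of sources) {
    if (!existing.includes(src)) existing.push(src);
  }
  out[directive] = existing;
  return out;
}

// reportTo(): shorthand for setting report-uri to a single URL.
function reportTo(current, url) {
  const out = clonePolicy(current);
  out['report-uri'] = [url];
  return out;
}

// Keyword sources must be single-quoted in CSP. An unquoted self would be
// parsed as a host named "self", so the policy would not mean what was
// intended; reject it before serialising.
const KEYWORDS = ['self', 'none', 'unsafe-inline', 'unsafe-eval'];
function validateSources(directive, sources) {
  for (const src of sources) {
    if (KEYWORDS.includes(src)) {
      throw new Error(directive + ': keyword ' + src + " must be single-quoted ('" + src + "')");
    }
  }
}

// Serialise to the header text, e.g. "default-src 'self'; img-src a b".
function buildCspHeader(current) {
  const parts = [];
  for (const directive of Object.keys(current)) {
    validateSources(directive, current[directive]);
    parts.push(directive + ' ' + current[directive].join(' '));
  }
  return parts.join('; ');
}

// Express-style middleware: set both prefixed headers that the README says
// helmet emits for Firefox and WebKit browsers of the time.
function cspMiddleware(current) {
  const header = buildCspHeader(current);
  return function (req, res, next) {
    res.setHeader('X-Content-Security-Policy', header);
    res.setHeader('X-WebKit-CSP', header);
    next();
  };
}

// Minimal stand-in for an Express response so the example runs offline.
function fakeResponse() {
  const headers = {};
  return { headers, setHeader(name, value) { headers[name] = value; } };
}

// Walk-through matching the README: default policy, add the img-src hosts,
// then point violation reports at a collector URL.
function demo() {
  let p = policy(defaultPolicy);
  p = add(p, 'img-src', ['static.andyet.net', '*.cdn.example.com']);
  p = reportTo(p, 'http://example.com/csp');
  const res = fakeResponse();
  cspMiddleware(p)({}, res, function () {});
  return res.headers;
}
```

Running `demo()` yields a `X-Content-Security-Policy` value of `default-src 'self'; img-src static.andyet.net *.cdn.example.com; report-uri http://example.com/csp`, with the same text in `X-WebKit-CSP`; passing `{ 'default-src': ['self'] }` to `buildCspHeader` throws because the keyword is unquoted.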
draft-ietf-websec-strict-transport-sec-04
This middleware adds the Strict-Transport-Security header to the response.

To use the default header of `Strict-Transport-Security: max-age=15768000`:

```javascript
helmet.hsts();
```

To adjust the value of `maxAge` (in seconds) and to include subdomains:

```javascript
helmet.hsts(1234567, true); // hsts(maxAge, includeSubdomains)
```
xFrame is a lot more straightforward than CSP. It has three modes: DENY, SAMEORIGIN and ALLOW-FROM. If your app does not need to be framed (and most don't) you can use the default DENY.

Browser support for X-Frame-Options:
- IE8+
- Opera 10.50+
- Safari 4+
- Chrome 4.1.249.1042+
- Firefox 3.6.9 (or earlier with NoScript)
Here is an example for both SAMEORIGIN and ALLOW-FROM:

```javascript
helmet.xframe('sameorigin');
helmet.xframe('allow-from', 'http://example.com');
```
The following example sets the `X-XSS-Protection: 1; mode=block` header:

```javascript
helmet.iexss();
```

The following example sets the `X-Content-Type-Options` header to its only and default option, `nosniff`:

```javascript
helmet.contentTypeOptions();
```

The following example sets the `Cache-Control` header to `no-store, no-cache`. This is not configurable at this time.

```javascript
helmet.cacheControl();
```
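As an added example covering the HSTS, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and Cache-Control sections above (this is illustrative code, not helmet's implementation), the middleware below builds each header value the way the README describes, validates the arguments that are easy to get wrong (a non-numeric `maxAge`, `ALLOW-FROM` without an origin), and runs the chain in registration order against a fake response so the resulting headers can be inspected. The function names and the `runChain` helper are assumptions made for this example.

```javascript
// Added example (not helmet's own code): the simple header-setting middleware
// from the README, composed in order and run offline. Names are assumed.

// HSTS: the draft's directive is max-age (seconds); includeSubDomains is optional.
function hsts(maxAge, includeSubdomains) {
  if (maxAge === undefined) maxAge = 15768000; // README default, roughly six months
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new Error('hsts: maxAge must be a non-negative integer number of seconds');
  }
  let value = 'max-age=' + maxAge;
  if (includeSubdomains) value += '; includeSubDomains';
  return function (req, res, next) {
    res.setHeader('Strict-Transport-Security', value);
    next();
  };
}

// X-Frame-Options: DENY (default), SAMEORIGIN, or ALLOW-FROM <origin>.
// Mode strings are accepted case-insensitively, matching the README's usage.
function xframe(mode, allowFrom) {
  const m = (mode || 'DENY').toUpperCase();
  let value;
  if (m === 'DENY' || m === 'SAMEORIGIN') {
    value = m;
  } else if (m === 'ALLOW-FROM') {
    if (typeof allowFrom !== 'string' || allowFrom.length === 0) {
      throw new Error('xframe: ALLOW-FROM requires an origin');
    }
    value = 'ALLOW-FROM ' + allowFrom;
  } else {
    throw new Error('xframe: unknown mode ' + mode);
  }
  return function (req, res, next) {
    res.setHeader('X-Frame-Options', value);
    next();
  };
}

// Fixed-value headers: a tiny factory keeps the three of them identical in shape.
function fixedHeader(name, value) {
  return function () {
    return function (req, res, next) {
      res.setHeader(name, value);
      next();
    };
  };
}
const iexss = fixedHeader('X-XSS-Protection', '1; mode=block');
const contentTypeOptions = fixedHeader('X-Content-Type-Options', 'nosniff');
const cacheControl = fixedHeader('Cache-Control', 'no-store, no-cache');

// Run middleware in order, the way successive app.use() registrations execute.
function runChain(middlewares, req, res) {
  let i = 0;
  function next() {
    if (i < middlewares.length) middlewares[i++](req, res, next);
  }
  next();
  return res;
}

// Minimal stand-in for an Express response so the example runs offline.
function fakeResponse() {
  const headers = {};
  return { headers, setHeader(name, value) { headers[name] = value; } };
}

// Same arguments as the README examples, all five headers in one chain.
function demo() {
  const res = fakeResponse();
  runChain([
    hsts(1234567, true),
    xframe('allow-from', 'http://example.com'),
    iexss(),
    contentTypeOptions(),
    cacheControl()
  ], {}, res);
  return res.headers;
}
```

`demo()` returns an object with `Strict-Transport-Security: max-age=1234567; includeSubDomains`, `X-Frame-Options: ALLOW-FROM http://example.com`, `X-XSS-Protection: 1; mode=block`, `X-Content-Type-Options: nosniff` and `Cache-Control: no-store, no-cache`; calling `hsts()` with no arguments gives the README default of `max-age=15768000`.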
- Warn when self, unsafe-inline or unsafe-eval are not single quoted
- Warn when unsafe-inline or unsafe-eval are used
- Caching of generated CSP headers
- Device to capture and parse reported CSP violations