Sunday, October 13, 2019

What is Helmet

Helmet helps you secure your Express apps by setting various HTTP headers. It’s not a silver bullet, but it can help!

To install Helmet, run the command below, then mount it in your Express app:

npm install helmet --save

const express = require('express')
const helmet = require('helmet')

const app = express()

app.use(helmet())

Helmet is a collection of 13 smaller middleware functions that set HTTP response headers. Running app.use(helmet()) will not include all of these middleware functions by default.

Below are the various headers that can be set via Helmet, and the middleware that sets each one:

contentSecurityPolicy => sets the Content-Security-Policy header
dnsPrefetchControl => controls browser DNS prefetching
expectCt => handles Certificate Transparency (Expect-CT)
featurePolicy => limits which browser features the site may use
frameguard => prevents clickjacking (X-Frame-Options)
hidePoweredBy => removes the X-Powered-By header
hsts => enables HTTP Strict Transport Security
ieNoOpen => sets X-Download-Options for IE8+
noCache => disables client-side caching
noSniff => keeps clients from sniffing the MIME type (X-Content-Type-Options)
permittedCrossDomainPolicies => handles cross-domain requests from Adobe products
referrerPolicy => sets Referrer-Policy to control (or hide) the Referer header
xssFilter => adds some small XSS protections (X-XSS-Protection)
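As an added example (not code from the post or from Helmet itself), the snippet below mimics what app.use(helmet()) does by default, using the Helmet 3.x default header values, and adds a small audit helper that reports which Helmet-managed headers a response is missing. The names securityHeaders, auditHeaders and mockResponse are my own; the mock stands in for an Express response so it runs without express or helmet installed.

```javascript
// Headers app.use(helmet()) sets by default (Helmet 3.x values), keyed by header name.
const DEFAULT_HEADERS = {
  'X-DNS-Prefetch-Control': 'off',                                    // dnsPrefetchControl
  'X-Frame-Options': 'SAMEORIGIN',                                    // frameguard
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains', // hsts
  'X-Download-Options': 'noopen',                                     // ieNoOpen
  'X-Content-Type-Options': 'nosniff',                                // noSniff
  'X-XSS-Protection': '1; mode=block',                                // xssFilter
};

// Headers whose middleware is NOT in the default set; they must be enabled explicitly.
const OPT_IN_HEADERS = [
  'Content-Security-Policy', 'Expect-CT', 'Feature-Policy',
  'Cache-Control', 'X-Permitted-Cross-Domain-Policies', 'Referrer-Policy',
];

// Express-style middleware: strip X-Powered-By (hidePoweredBy) and set the
// default headers, plus any opt-in headers passed in `extra`.
function securityHeaders(extra = {}) {
  return function middleware(req, res, next) {
    res.removeHeader('X-Powered-By');
    for (const [name, value] of Object.entries({ ...DEFAULT_HEADERS, ...extra })) {
      res.setHeader(name, value);
    }
    next();
  };
}

// Audit a captured header map (names compared case-insensitively, as HTTP requires).
function auditHeaders(headers) {
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  const missing = Object.keys(DEFAULT_HEADERS).filter((n) => !present.has(n.toLowerCase()));
  const optInMissing = OPT_IN_HEADERS.filter((n) => !present.has(n.toLowerCase()));
  return { missing, optInMissing, leaksPoweredBy: present.has('x-powered-by') };
}

// Constructed stand-in for an Express response; Express adds X-Powered-By itself.
function mockResponse() {
  const headers = { 'X-Powered-By': 'Express' };
  return {
    headers,
    setHeader(name, value) { headers[name] = value; },
    removeHeader(name) { delete headers[name]; },
  };
}
```

Run auditHeaders against headers captured from a real response (for example via a HEAD request) to confirm which opt-in protections such as CSP are still switched off after mounting helmet().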


References:
https://helmetjs.github.io
