Helmet
======

[![npm version](https://badge.fury.io/js/helmet.svg)](http://badge.fury.io/js/helmet)
[![npm dependency status](https://david-dm.org/helmetjs/helmet.svg)](https://david-dm.org/helmetjs/helmet)
[![Build Status](https://travis-ci.org/helmetjs/helmet.svg?branch=master)](https://travis-ci.org/helmetjs/helmet)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet.svg?type=shield)](https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet?ref=badge_shield)

Helmet helps you secure your Express apps by setting various HTTP headers. *It's not a silver bullet*, but it can help!

[Looking for a version of Helmet that supports the Koa framework?](https://github.com/venables/koa-helmet)

Quick start
-----------

First, run `npm install helmet --save` for your app. Then, in an Express (or Connect) app:

```js
const express = require('express')
const helmet = require('helmet')

const app = express()

app.use(helmet())

// ...
```

It's best to `use` Helmet early in your middleware stack so that its headers are sure to be set.

You can also use its pieces individually:

```js
app.use(helmet.xssFilter())
app.use(helmet.frameguard())
```

You can disable a middleware that's normally enabled by default. This will disable `frameguard` but include the other defaults.

```js
app.use(helmet({
  frameguard: false
}))
```

You can also set options for a middleware. Setting options like this will *always* include the middleware, whether or not it's a default.

```js
app.use(helmet({
  frameguard: {
    action: 'deny'
  }
}))
```

*If you're using Express 3, make sure these middlewares are listed before `app.router`.*

How it works
------------

Helmet is a collection of 12 smaller middleware functions that set HTTP response headers. Running `app.use(helmet())` does not enable all of these by default; the `Default?` column below shows which ones it does.

| Module | Default? |
|---|---|
| [contentSecurityPolicy](https://helmetjs.github.io/docs/csp/) for setting Content Security Policy | |
| [crossdomain](https://helmetjs.github.io/docs/crossdomain/) for handling Adobe products' crossdomain requests | |
| [dnsPrefetchControl](https://helmetjs.github.io/docs/dns-prefetch-control) controls browser DNS prefetching | ✓ |
| [expectCt](https://helmetjs.github.io/docs/expect-ct/) for handling Certificate Transparency | |
| [featurePolicy](https://helmetjs.github.io/docs/feature-policy/) to limit your site's features | |
| [frameguard](https://helmetjs.github.io/docs/frameguard/) to prevent clickjacking | ✓ |
| [hidePoweredBy](https://helmetjs.github.io/docs/hide-powered-by) to remove the X-Powered-By header | ✓ |
| [hsts](https://helmetjs.github.io/docs/hsts/) for HTTP Strict Transport Security | ✓ |
| [ieNoOpen](https://helmetjs.github.io/docs/ienoopen) sets X-Download-Options for IE8+ | ✓ |
| [noSniff](https://helmetjs.github.io/docs/dont-sniff-mimetype) to keep clients from sniffing the MIME type | ✓ |
| [referrerPolicy](https://helmetjs.github.io/docs/referrer-policy) to hide the Referer header | |
| [xssFilter](https://helmetjs.github.io/docs/xss-filter) adds some small XSS protections | ✓ |

You can see more in [the documentation](https://helmetjs.github.io/docs/).
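To confirm that the defaults in the table actually reach the client, here is an added header audit (example code, not Helmet's own) that parses a raw response head, such as `curl -sI` output, and reports which of Helmet's default headers are missing or weakened. It assumes Helmet's documented default values (for example the 180-day HSTS `max-age`) and uses constructed sample responses.

```javascript
// Added example, not part of Helmet: audit a raw HTTP response head (the output of
// `curl -sI https://your-app.example/`) for the headers Helmet's default middlewares set.
// Expected values follow Helmet's documented defaults; the sample responses are constructed.

// Parse "Name: value" lines into a map keyed by lower-cased name. The status line has no
// colon and is skipped; parsing stops at the blank line that ends the header block.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    if (line.trim() === '' && Object.keys(headers).length > 0) break;
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// [middleware, header it sets, predicate on the value] for each default in the table above.
// hidePoweredBy is the exception: it is satisfied by the header being absent.
const DEFAULTS = [
  ['dnsPrefetchControl', 'x-dns-prefetch-control', (v) => v === 'off'],
  ['frameguard', 'x-frame-options', (v) => /^(deny|sameorigin)$/i.test(v)],
  // Helmet's default max-age is 180 days; a shorter policy is flagged as weakened.
  ['hsts', 'strict-transport-security', (v) => Number((/max-age=(\d+)/i.exec(v) || [])[1]) >= 15552000],
  ['ieNoOpen', 'x-download-options', (v) => v === 'noopen'],
  ['noSniff', 'x-content-type-options', (v) => v === 'nosniff'],
  ['xssFilter', 'x-xss-protection', (v) => v === '1; mode=block'],
];

// Returns { middlewareName: problem } for each failing check; {} means every default is present.
function auditHelmetDefaults(raw) {
  const h = parseHeaders(raw);
  const problems = {};
  for (const [name, header, ok] of DEFAULTS) {
    if (!ok(h[header] || '')) problems[name] = `${header} missing or unexpected: "${h[header] || ''}"`;
  }
  if ('x-powered-by' in h) problems.hidePoweredBy = 'x-powered-by should be removed';
  return problems;
}

// Constructed: an Express app with no Helmet at all.
const SAMPLE_BARE = 'HTTP/1.1 200 OK\r\nX-Powered-By: Express\r\nContent-Type: text/html\r\n\r\n';
// Constructed: the same app after app.use(helmet()).
const SAMPLE_HELMET = ['HTTP/1.1 200 OK', 'X-DNS-Prefetch-Control: off', 'X-Frame-Options: SAMEORIGIN',
  'Strict-Transport-Security: max-age=15552000; includeSubDomains', 'X-Download-Options: noopen',
  'X-Content-Type-Options: nosniff', 'X-XSS-Protection: 1; mode=block', 'Content-Type: text/html', ''].join('\r\n');

console.log(auditHelmetDefaults(SAMPLE_BARE));   // seven problems, one per default middleware
console.log(auditHelmetDefaults(SAMPLE_HELMET)); // {}
```

Pipe a real `curl -sI` capture into `auditHelmetDefaults` to check a deployed app; an empty result means every default middleware's header reached the client.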