1 | var deprecate = require('depd')('helmet')
// Middlewares that helmet() turns on when the caller's options do not mention
// them. Everything else attached to `helmet` (contentSecurityPolicy, expectCt,
// featurePolicy, permittedCrossDomainPolicies, referrerPolicy, and the
// deprecated hpkp and noCache) is opt-in and must be enabled through options.
var DEFAULT_MIDDLEWARE = [
  'dnsPrefetchControl', 'frameguard', 'hidePoweredBy', 'hsts',
  'ieNoOpen', 'noSniff', 'xssFilter'
]

// Names of every middleware exposed on `helmet`. Declared here so helmet() can
// refer to it; the value is assigned further down, once all `helmet.<name>`
// properties have been attached.
var middlewares
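/**
 * Build a single `(req, res, next)` middleware that runs the selected helmet
 * middlewares one after another.
 *
 * Per-middleware selection, keyed by middleware name in `options`:
 *   - `false`             -> skipped, even when it is a default.
 *   - `true`              -> enabled with `{}` as its options.
 *   - any other non-null  -> enabled; the value is handed to the factory.
 *   - absent / null       -> enabled with `{}` only if the name is listed in
 *                            DEFAULT_MIDDLEWARE, otherwise skipped.
 *
 * Only keys matching a name in `middlewares` are ever read. Any other key
 * (for example a misspelled middleware name) is ignored without an error, so
 * the middleware it was meant to configure stays in its default state.
 * NOTE(review): callers that rely on an opt-in middleware should verify the
 * resulting response headers rather than trust the options object alone.
 *
 * @param {Object} [options] Per-middleware settings as described above.
 * @returns {Function} Middleware taking `(req, res, next)`.
 * @throws {Error} When `options` looks like a request object, i.e. `helmet`
 *   itself was passed to `app.use` instead of the result of calling it.
 */
function helmet (options) {
  options = options || {}

  // Objects created with Object.create(null) have no `constructor`; reading
  // `.name` from it unguarded would throw a TypeError before any middleware
  // is built, so check that it exists first.
  var optionsConstructor = options.constructor
  if (optionsConstructor && optionsConstructor.name === 'IncomingMessage') {
    throw new Error('It appears you have done something like `app.use(helmet)`, but it should be `app.use(helmet())`.')
  }

  // Instantiate the chosen middlewares once, in the order given by `middlewares`.
  var stack = middlewares.reduce(function (result, middlewareName) {
    var middleware = helmet[middlewareName]
    var middlewareOptions = options[middlewareName]
    var isDefault = DEFAULT_MIDDLEWARE.indexOf(middlewareName) !== -1

    if (middlewareOptions === false) {
      return result
    } else if (middlewareOptions === true) {
      middlewareOptions = {}
    }

    if (middlewareOptions != null) {
      return result.concat(middleware(middlewareOptions))
    } else if (isDefault) {
      return result.concat(middleware({}))
    }
    return result
  }, [])

  return function helmet (req, res, next) {
    // Per-request cursor into `stack`.
    var index = 0

    function internalNext () {
      // Any argument passed by a middleware ends the chain and is forwarded
      // unchanged to the outer `next`.
      if (arguments.length > 0) { return next.apply(null, arguments) }

      var middleware = stack[index]
      if (!middleware) { return next() }

      index++

      middleware(req, res, internalNext)
    }

    internalNext()
  }
}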
// Attach each middleware factory to `helmet` under its public name.
// The assignment order matters: `middlewares` below is taken from
// Object.keys(helmet), and helmet() builds its stack by walking that list.
// NOTE(review): these are bare module ids, so each one resolves to an
// installed package rather than a file in this repository — they belong in
// dependency pinning and audit alongside helmet itself.
helmet.contentSecurityPolicy = require('helmet-csp')
helmet.dnsPrefetchControl = require('dns-prefetch-control')
helmet.expectCt = require('expect-ct')
helmet.featurePolicy = require('feature-policy')
helmet.frameguard = require('frameguard')
helmet.hidePoweredBy = require('hide-powered-by')
helmet.hsts = require('hsts')
helmet.ieNoOpen = require('ienoopen')
helmet.noSniff = require('dont-sniff-mimetype')
helmet.permittedCrossDomainPolicies = require('helmet-crossdomain')
helmet.referrerPolicy = require('referrer-policy')
helmet.xssFilter = require('x-xss-protection')

// Deprecated entries: still exposed, but wrapped with `deprecate.function`
// together with the message that points callers at the standalone module.
helmet.hpkp = deprecate.function(require('hpkp'), 'helmet.hpkp is deprecated and will be removed in helmet@4. You can use the `hpkp` module instead. For more, see https://github.com/helmetjs/helmet/issues/180.')
helmet.noCache = deprecate.function(require('nocache'), 'helmet.noCache is deprecated and will be removed in helmet@4. You can use the `nocache` module instead. For more, see https://github.com/helmetjs/helmet/issues/215.')

// Must stay after every `helmet.<name>` assignment above: a property added
// later would not appear in this list and helmet() would never consider it.
middlewares = Object.keys(helmet)

module.exports = helmet