dijkstra-backend-cloudron/node_modules/helmet/README.md

80 lines
3.4 KiB
Markdown
Raw Normal View History

Helmet
======
[![npm version](https://badge.fury.io/js/helmet.svg)](http://badge.fury.io/js/helmet)
[![npm dependency status](https://david-dm.org/helmetjs/helmet.svg)](https://david-dm.org/helmetjs/helmet)
[![Build Status](https://travis-ci.org/helmetjs/helmet.svg?branch=master)](https://travis-ci.org/helmetjs/helmet)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet.svg?type=shield)](https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet?ref=badge_shield)
Helmet helps you secure your Express apps by setting various HTTP headers. *It's not a silver bullet*, but it can help!
[Looking for a version of Helmet that supports the Koa framework?](https://github.com/venables/koa-helmet)
Quick start
-----------
First, run `npm install helmet --save` for your app. Then, in an Express (or Connect) app:
```js
const express = require('express')
const helmet = require('helmet')
const app = express()
app.use(helmet())
// ...
```
It's best to `use` Helmet early in your middleware stack so that its headers are sure to be set.
You can also use its pieces individually:
```js
app.use(helmet.xssFilter())
app.use(helmet.frameguard())
```
You can disable a middleware that's normally enabled by default. This will disable `frameguard` but include the other defaults.
```js
app.use(helmet({
frameguard: false
}))
```
You can also set options for a middleware. Setting options like this will *always* include the middleware, whether or not it's a default.
```js
app.use(helmet({
frameguard: {
action: 'deny'
}
}))
```
*If you're using Express 3, make sure these middlewares are listed before `app.router`.*
How it works
------------
Helmet is a collection of 14 smaller middleware functions that set HTTP response headers. Running `app.use(helmet())` will not include all of these middleware functions by default.
| Module | Default? |
|---|---|
| [contentSecurityPolicy](https://helmetjs.github.io/docs/csp/) for setting Content Security Policy | |
| [crossdomain](https://helmetjs.github.io/docs/crossdomain/) for handling Adobe products' crossdomain requests | |
| [dnsPrefetchControl](https://helmetjs.github.io/docs/dns-prefetch-control) controls browser DNS prefetching | ✓ |
| [expectCt](https://helmetjs.github.io/docs/expect-ct/) for handling Certificate Transparency | |
| [featurePolicy](https://helmetjs.github.io/docs/feature-policy/) to limit your site's features | |
| [frameguard](https://helmetjs.github.io/docs/frameguard/) to prevent clickjacking | ✓ |
| [hidePoweredBy](https://helmetjs.github.io/docs/hide-powered-by) to remove the X-Powered-By header | ✓ |
| [hpkp](https://helmetjs.github.io/docs/hpkp/) for HTTP Public Key Pinning | |
| [hsts](https://helmetjs.github.io/docs/hsts/) for HTTP Strict Transport Security | ✓ |
| [ieNoOpen](https://helmetjs.github.io/docs/ienoopen) sets X-Download-Options for IE8+ | ✓ |
| [noCache](https://helmetjs.github.io/docs/nocache/) to disable client-side caching | |
| [noSniff](https://helmetjs.github.io/docs/dont-sniff-mimetype) to keep clients from sniffing the MIME type | ✓ |
| [referrerPolicy](https://helmetjs.github.io/docs/referrer-policy) to hide the Referer header | |
| [xssFilter](https://helmetjs.github.io/docs/xss-filter) adds some small XSS protections | ✓ |
You can see more in [the documentation](https://helmetjs.github.io/docs/).