Helmet is a series of middlewares for Express/Connect apps that implement various security headers to make your app more secure. It's not a silver bullet, but it can help!
Helmet includes the following middlewares:
csp(Content Security Policy)hsts(HTTP Strict Transport Security)xframe(X-Frame-Options)iexss(X-XSS-Protection for IE8+)ienoopen(X-Download-Options for IE8+)contentTypeOptions(X-Content-Type-Options)cacheControl(Cache-Control)crossdomain(crossdomain.xml)hidePoweredBy(remove X-Powered-By)
npm install helmet
To use a particular middleware application-wide, just use it:
var helmet = require('helmet')
var app = express() // or connect
app.use(helmet.csp())
app.use(helmet.xframe('deny'))
app.use(helmet.contentTypeOptions())If you're using Express 3, make sure these middlewares are listed before app.router.
If you just want to use the default-level policies, all you need to do is:
app.use(helmet.defaults())Don't want all the defaults?
helmet.defaults(app, { xframe: false })
app.use(helmet.xframe('sameorigin'))Setting an appropriate Content Security Policy can protect your users against a variety of attacks (perhaps the largest of which is XSS). To learn more about CSP, check out the HTML5 Rocks guide.
Usage:
app.use(helmet.csp({
'default-src': ["'self'", 'default.com'],
'script-src': ['scripts.com'],
'style-src': ['style.com'],
'img-src': ['img.com'],
'connect-src': ['connect.com'],
'font-src': ['font.com'],
'object-src': ['object.com'],
'media-src': ['media.com'],
'frame-src': ['frame.com'],
'sandbox': ['allow-forms', 'allow-scripts'],
'report-uri': ['/report-violation'],
reportOnly: false, // set to true if you only want to report errors
setAllHeaders: false, // set to true if you want to set all headers
safari5: false // set to true if you want to force buggy CSP in Safari 5
})There are a lot of inconsistencies in how browsers implement CSP. Helmet sniffs the user-agent of the browser and sets the appropriate header and value for that browser. If no user-agent is found, it will set all the headers with the 1.0 spec.
This middleware adds the Strict-Transport-Security header to the response. See the spec.
To use the default header of Strict-Transport-Security: maxAge=15768000 (about 6 months):
app.use(helmet.hsts())To adjust other values for maxAge and to include subdomains:
app.use(helmet.hsts(1234567, true))Note that the max age is in seconds, not milliseconds (as is typical in JavaScript).
X-Frame specifies whether your app can be put in a frame or iframe. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM. If your app does not need to be framed (and most don't) you can use the default DENY.
Usage:
// These are equivalent:
app.use(helmet.xframe())
app.use(helmet.xframe('deny'))
// Only let me be framed by people of the same origin:
app.use(helmet.xframe('sameorigin'))
// Allow from a specific host:
app.use(helmet.xframe('allow-from', 'http://example.com'))- IE8+
- Opera 10.50+
- Safari 4+
- Chrome 4.1.249.1042+
- Firefox 3.6.9 (or earlier with NoScript)
The X-XSS-Protection header is a basic protection against XSS.
Usage:
app.use(helmet.iexss())This sets the X-XSS-Protection header. On modern browsers, it will set the value to 1; mode=block. On old versions of Internet Explorer, this creates a vulnerability (see here and here), and so the header is set to 0. To force the header on all versions of IE, add the option:
app.use(helmet.iexss({ setOnOldIE: true }))Sets the X-Download-Options header to noopen to prevent IE users from executing downloads in your site's context. For more, see this MSDN blog post.
app.use(helmet.ienoopen())The following example sets the X-Content-Type-Options header to its only and default option, nosniff:
app.use(helmet.contentTypeOptions())The following example sets the Cache-Control header to no-store, no-cache. This is not configurable at this time.
app.use(helmet.cacheControl())The following example sets the most restrictive crossdomain.xml:
app.use(helmet.crossdomain())This middleware will remove the X-Powered-By header if it is set.
app.use(helmet.hidePoweredBy())Note: if you're using Express, you can skip Helmet's middleware if you want:
app.disable('x-powered-by')