Feature Policy Header
An Express middleware for adding a Feature-Policy header to web traffic. Exposes a single function, init, which decorates a response object with a Feature-Policy header.
Usage
This module is compatible with Node 16+ and is distributed on npm.
npm install --save @financial-times/feature-policy-header
After installing the module you can initialise it in your app's server file. Do this before declaring any routes that need the middleware.
+ const featurePolicy = require('@financial-times/feature-policy-header');
app.use(
+ featurePolicy.init()
)
Run your app and check in the Network tab to confirm that the expected headers have been set.
Restricted Features
The restricted features can be found in src/restricted-features.json. Each feature relates to a browser API which we want to disallow on our user-facing pages. Any attempt to access a restricted API will throw a console error.
The full list of compatible features is available at https://featurepolicy.info/.
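The header check from the Usage section, automated rather than read off the Network tab, as an added example that is not part of this module: it parses a Feature-Policy value and reports any restricted feature that is not set to 'none'. The feature list, exampleMiddleware and the stub response object are constructed for illustration; the real list lives in src/restricted-features.json, whose format is not shown here.

```javascript
// Added example: not the module's own code.
// RESTRICTED is a constructed sample; the real list is in src/restricted-features.json.
const RESTRICTED = ['camera', 'geolocation', 'microphone'];

// Build a header value that disallows each feature for all origins.
function buildFeaturePolicy(features) {
  return features.map((f) => `${f} 'none'`).join('; ');
}

// Parse a Feature-Policy value into a Map of feature -> allowlist tokens.
function parseFeaturePolicy(value) {
  const policy = new Map();
  for (const directive of String(value || '').split(';')) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/);
    if (feature) policy.set(feature.toLowerCase(), allowlist);
  }
  return policy;
}

// Return the restricted features the header fails to disable:
// missing entirely, or carrying any allowlist other than exactly 'none'.
function findUnrestricted(headerValue, features) {
  const policy = parseFeaturePolicy(headerValue);
  return features.filter((f) => {
    const allowlist = policy.get(f);
    return !allowlist || allowlist.length !== 1 || allowlist[0] !== "'none'";
  });
}

// Hypothetical middleware with the same (req, res, next) shape Express uses.
function exampleMiddleware(req, res, next) {
  res.setHeader('Feature-Policy', buildFeaturePolicy(RESTRICTED));
  next();
}

// Minimal stand-in for a response object so the check runs offline.
function runCheck() {
  const headers = {};
  const res = { setHeader: (k, v) => { headers[k.toLowerCase()] = v; } };
  exampleMiddleware({}, res, () => {});
  return findUnrestricted(headers['feature-policy'], RESTRICTED);
}

console.log(runCheck()); // empty array when every feature is disabled
```

In a real test suite, pass the Feature-Policy value from an actual response to findUnrestricted and fail the build if the returned array is not empty.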
Report-To Header
The Report-To header is required to integrate with our Report URI account and dashboards. The Cyber Security team use Report URI to collect reports relating to security headers, such as Feature-Policy, to gain visibility on their use, monitor trends and detect problems.