Learn about our RFC process, Open RFC meetings & more.Join in the discussion! »

@skazka/server-helmet

0.0.9 • Public • Published

Server Helmet

It helps to secure your Skazka server by setting various HTTP headers.

NPM

How to install

npm i @skazka/server @skazka/server-helmet

With yarn:

yarn add @skazka/server @skazka/server-helmet

Optionally you can add http server, error handler, logger, router, request and response:

npm i @skazka/server-http @skazka/server-router @skazka/server-error @skazka/server-logger @skazka/server-request @skazka/server-response

With yarn:

yarn add @skazka/server-http @skazka/server-router @skazka/server-error @skazka/server-logger @skazka/server-request @skazka/server-response

How to use

const App = require('@skazka/server');
const Router = require('@skazka/server-router');
 
const helmet = require('@skazka/server-helmet');
        
const error = require('@skazka/server-error');
const logger = require('@skazka/server-logger');
 
const request = require('@skazka/server-request');
const response = require('@skazka/server-response');
        
const server = require('@skazka/server-http');
        
const app = new App();
const router = new Router();
        
app.all([
  error(),
  logger(),
  request(),
  response(),
  helmet(),
]);
    
app.then(async (ctx) => {
  // it works for each request
});
    
router.get('/data').then(async (ctx) => {
  return ctx.response('data'); 
});
        
app.then(router.resolve());
        
server.createHttpServer(app);

Or with options:

app.all([
  helmet({
    frameguard: false,
    ...
  })
]);

You can also use its pieces individually:

 app.all([
   helmet.contentSecurityPolicy({
     directives: {
       defaultSrc: ["'self'", 'default.com'],
     },
   }),
   helmet.dnsPrefetchControl(),
   helmet.expectCt(),
   helmet.featurePolicy({
     features: {
       fullscreen: ['"self"'],
     },
   }),
   helmet.frameguard(),
   helmet.hidePoweredBy(),
   helmet.hpkp({
     maxAge: 7776000,
     sha256s: ['AbCdEf123=', 'ZyXwVu456='],
   }),
   helmet.hsts({
     maxAge: 7776000,
   }),
   helmet.ieNoOpen(),
   helmet.noCache(),
   helmet.noSniff(),
   helmet.permittedCrossDomainPolicies(),
   helmet.referrerPolicy(),
   helmet.xssFilter(),
 ]);

How it works

Helmet is a collection of 14 smaller middleware functions that set HTTP response headers. Running app.than(helmet()) will not include all of these middleware functions by default.

Module Default?
contentSecurityPolicy for setting Content Security Policy
crossdomain for handling Adobe products' crossdomain requests
dnsPrefetchControl controls browser DNS prefetching
expectCt for handling Certificate Transparency
featurePolicy to limit your site's features
frameguard to prevent clickjacking
hidePoweredBy to remove the X-Powered-By header
hpkp for HTTP Public Key Pinning
hsts for HTTP Strict Transport Security
ieNoOpen sets X-Download-Options for IE8+
noCache to disable client-side caching
noSniff to keep clients from sniffing the MIME type
referrerPolicy to hide the Referer header
xssFilter adds some small XSS protections

You can see more in the documentation.

Install

npm i @skazka/server-helmet

DownloadsWeekly Downloads

35

Version

0.0.9

License

MIT

Unpacked Size

5.78 kB

Total Files

3

Last publish

Collaborators

  • avatar
  • avatar