
hood

cover your head. security headers middleware.

hood

Cover your head.

Security headers middleware for connect or express.

Further reading on connect/express middleware can be found here.

// Mount every hood middleware with its default configuration.
const hood = require('hood');
app.use(hood());

This sets up sane defaults for most apps. You can also pass options to configure each middleware, or `false` to disable one.

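app.use(hood({
  // Override the CSP. Keep 'self' so the app's own same-origin scripts, styles and
  // images still load; a policy of only 'unsafe-inline' would block every external
  // resource while still allowing inline scripts, which is the XSS vector CSP exists to stop.
  csp: "default-src 'self'",
  hsts: false // pass false to disable a middleware
}));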

Each middleware is also available individually.

// Content-Security-Policy with the package defaults.
app.use(hood.csp());

// A policy given as an object: each directive maps to a list of sources.
// NOTE(review): 'unsafe-inline' permits inline <script>/<style>, which is the
// usual XSS vector CSP is meant to block; drop it once inline code is moved out.
const objectPolicy = {
  'default-src': ['self', 'unsafe-inline']
};
app.use(hood.csp({ policy: objectPolicy }));

// The same middleware also accepts a ready-made policy string.
app.use(hood.csp("default-src 'self';"));

// Report-Only mode: violations are reported but the policy is not enforced,
// useful while rolling a new policy out. NOTE(review): reports only reach you
// if the policy itself names a report-uri / report-to endpoint; otherwise they
// surface only in the browser console.
app.use(hood.csp({
  policy: somePolicy,
  reportOnly: true
}));
// Positional form: (policy, reportOnly).
app.use(hood.csp(policyStr, true));

The HSTS header is only applied when the request is secure: hood checks `req.connection.encrypted` and `req.connection.proxySecure`. If TLS is terminated at a reverse proxy, `req.connection.encrypted` is false on the Node side, so the header is silently omitted unless something upstream of this middleware sets `req.connection.proxySecure`; verify the header in an actual response rather than assuming the policy is in place.

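// HSTS is only emitted on requests hood considers secure, and the browser
// honours the policy only for max-age seconds. The old example value of 1000 s
// (~17 minutes) expires almost immediately and gives little protection; use a
// long lifetime once HTTPS is known to work for the whole host.
app.use(hood.hsts());
app.use(hood.hsts({
  maxAge: 31536000, // seconds (one year)
  includeSubdomains: true // default false; only enable if every subdomain serves HTTPS
}));
// Positional form: (maxAge, includeSubdomains).
app.use(hood.hsts(31536000, true));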
// X-Frame-Options. With no argument the response says DENY: the page may not be framed at all.
app.use(hood.xframe());

// SAMEORIGIN: only pages from the same origin may frame this one.
app.use(hood.xframe({ sameOrigin: true }));

// ALLOW-FROM <origin>. NOTE(review): most current browsers never implemented
// ALLOW-FROM and treat the header as unrecognised, i.e. no framing restriction
// at all there; prefer a CSP frame-ancestors directive for an allow-list.
app.use(hood.xframe({ allow: 'http://example.domain' }));

// The same two modes given as literal header values.
app.use(hood.xframe('SAMEORIGIN'));
app.use(hood.xframe('ALLOW-FROM http://example.domain'));

// X-Content-Type-Options: nosniff - stop browsers guessing a different MIME type.
app.use(hood.nosniff());

A convenience method for adding arbitrary headers to the response of every request.

// Single header: (name, value).
app.use(hood.header('x-foo', 'bar'));

// Several at once: an object mapping header name -> value.
const extraHeaders = {
  'x-foo': 'bar',
  'x-baz': 'quux'
};
app.use(hood.header(extraHeaders));