# think-helmet

think-helmet is a wrapper for [helmet](https://www.npmjs.com/package/helmet) to work with ThinkJS 3.x. It provides important security headers to make your app more secure by default.
## Installation

```sh
npm install think-helmet --save
```
## Usage

```js
// src/config/middleware.js
module.exports = [
  {
    // register think-helmet as a ThinkJS middleware
    handle: require('think-helmet'),
    // helmet options; an empty object keeps the defaults listed below
    options: {}
  }
];
```
Helmet offers 11 security headers:

| Module | Default? |
|---|---|
| `contentSecurityPolicy` for setting Content Security Policy | |
| `dnsPrefetchControl` controls browser DNS prefetching | ✓ |
| `frameguard` to prevent clickjacking | ✓ |
| `hidePoweredBy` to remove the X-Powered-By header | ✓ |
| `hpkp` for HTTP Public Key Pinning | |
| `hsts` for HTTP Strict Transport Security | ✓ |
| `ieNoOpen` sets X-Download-Options for IE8+ | ✓ |
| `noCache` to disable client-side caching | |
| `noSniff` to keep clients from sniffing the MIME type | ✓ |
| `referrerPolicy` to hide the Referer header | |
| `xssFilter` adds some small XSS protections | ✓ |
You can see more in the documentation.
**Note:** in order to work well with the helmet HSTS module, think-helmet augments `this.request` with a `secure` boolean that indicates whether the request came in over HTTPS.
## Examples

```js
// src/config/middleware.js
module.exports = [
  {
    handle: require('think-helmet'),
    options: {
      contentSecurityPolicy: {
        // set content security policy directives
        directives: {
          defaultSrc: ["'self'"],
          styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com']
        }
      },
      dnsPrefetchControl: false // disable dns prefetch control
    }
  }
];
```
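To make the two points above concrete (the `secure` flag the note describes, and what the example options turn into on the wire), here is an added, self-contained illustration. It is not think-helmet's or helmet's code: the `toyHsts` and `toyCsp` functions are stand-ins whose behaviour (HSTS header only when `req.secure` is true; CSP directives serialised from the camelCase object) is assumed for demonstration, and `wrapToyHelmet` shows the adapter pattern a Koa/ThinkJS wrapper needs in order to feed connect-style `(req, res, next)` modules.

```javascript
// Added illustration, not think-helmet's own code. A ThinkJS/Koa-style ctx
// is adapted to connect-style (req, res, next) middleware; two toy modules
// stand in for helmet's hsts and contentSecurityPolicy.

// Toy "hsts": the header only makes sense over HTTPS, so it consults
// req.secure, which is exactly why the wrapper has to provide that flag.
function toyHsts(opts = {}) {
  const maxAge = opts.maxAge === undefined ? 15552000 : opts.maxAge; // assumed default
  return function hsts(req, res, next) {
    if (req.secure) {
      res.setHeader('Strict-Transport-Security', `max-age=${maxAge}`);
    }
    next();
  };
}

// Toy "contentSecurityPolicy": serialises a camelCase directives object into
// the header value, e.g. { defaultSrc: ["'self'"] } -> "default-src 'self'".
function toyCsp(opts = {}) {
  const directives = opts.directives || {};
  const value = Object.keys(directives)
    .map(name => {
      const kebab = name.replace(/[A-Z]/g, c => '-' + c.toLowerCase());
      return `${kebab} ${[].concat(directives[name]).join(' ')}`;
    })
    .join('; ');
  return function csp(req, res, next) {
    if (value) res.setHeader('Content-Security-Policy', value);
    next();
  };
}

// Registry of toy modules keyed like helmet's options; `false` disables one.
const TOY_MODULES = { hsts: toyHsts, contentSecurityPolicy: toyCsp };

// Koa-style wrapper: takes the `options` object from middleware.js and returns
// a Koa middleware. The request object handed to the connect-style modules
// carries a `secure` boolean derived from ctx.protocol (the augmentation the
// README note describes); header writes are forwarded to ctx.set.
function wrapToyHelmet(options = {}) {
  const enabled = Object.keys(TOY_MODULES)
    .filter(name => options[name] !== false)
    .map(name => TOY_MODULES[name](options[name] === true ? {} : options[name]));
  return function helmetMiddleware(ctx, next) {
    const req = { secure: ctx.protocol === 'https', headers: ctx.headers || {} };
    const res = { setHeader: (name, value) => ctx.set(name, value) };
    for (const mw of enabled) mw(req, res, () => {});
    return next();
  };
}

// Build a constructed fake ctx for the given protocol, run the wrapper, and
// return the headers that were set.
function headersFor(options, protocol) {
  const headers = {};
  const ctx = { protocol, headers: {}, set: (name, value) => { headers[name] = value; } };
  wrapToyHelmet(options)(ctx, () => {});
  return headers;
}

// The README's example options, evaluated over HTTPS and over plain HTTP.
const exampleOptions = {
  contentSecurityPolicy: {
    directives: { defaultSrc: ["'self'"], styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com'] }
  },
  dnsPrefetchControl: false
};
console.log(headersFor(exampleOptions, 'https'));
console.log(headersFor(exampleOptions, 'http')); // no Strict-Transport-Security
```

Running it shows the CSP header on both requests but `Strict-Transport-Security` only on the HTTPS one, which is the behaviour the `secure` flag exists to make possible. Note that the toy `headers` object is a constructed stand-in for a real ThinkJS context.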