cf-workers-helmet

cf-workers-helmet is a wrapper for helmet to work with Cloudflare Workers. It provides important security headers to make your app more secure by default. cf-workers-helmet has been heavily inspired by koa-helmet.

Installation

npm install cf-workers-helmet --save

Usage

Usage is the same as helmet.

Helmet is a collection of 11 smaller middleware functions that set HTTP response headers.

| Module | Default? | | ------------------------------------------------------------------------------------------------------------- | -------- | | contentSecurityPolicy for setting Content Security Policy | | | crossdomain for handling Adobe products' crossdomain requests | | | dnsPrefetchControl controls browser DNS prefetching | ✓ | | expectCt for handling Certificate Transparency | | | frameguard to prevent clickjacking | ✓ | | hidePoweredBy to remove the X-Powered-By header | ✓ | | hsts for HTTP Strict Transport Security | ✓ | | ieNoOpen sets X-Download-Options for IE8+ | ✓ | | noSniff to keep clients from sniffing the MIME type | ✓ | | referrerPolicy to hide the Referer header | | | xssFilter adds some small XSS protections | ✓ |

You can see more in the documentation.

Example

import Helmet from 'cf-workers-helmet';
import {getAssetFromKV} from '@cloudflare/kv-asset-handler';

let helmet = new Helmet();

addEventListener('fetch', event => {
    event.respondWith(serverResponse(event));
});

async function serverResponse(event) {
    try {
        let response = await handleEvent(event);

        return helmet(event.request, response);
    } catch (e) {
        return new Response('Internal Error', {
            status: 500
        });
    }
}

async function handleEvent(event) {
    try {
        return await getAssetFromKV(event)
    } catch (e) {
        let pathname = new URL(event.request.url).pathname;

        return new Response(`"${pathname}" not found`, {
            status: 404,
            statusText: 'not found',
        });
    }
}