think-helmet
v1.0.2
Important security headers for ThinkJS 3.x
think-helmet is a wrapper for helmet to work with ThinkJS 3.x. It provides important security headers to make your app more secure by default.
Installation
```shell
npm install think-helmet --save
```
Usage
```javascript
// src/config/middleware.js
module.exports = [{
  handle: require('think-helmet'),
  options: {
  }
}]
```
Helmet offers 11 security headers:

| Module | Default? |
|---|---|
| contentSecurityPolicy for setting Content Security Policy | |
| dnsPrefetchControl controls browser DNS prefetching | ✓ |
| frameguard to prevent clickjacking | ✓ |
| hidePoweredBy to remove the X-Powered-By header | ✓ |
| hpkp for HTTP Public Key Pinning | |
| hsts for HTTP Strict Transport Security | ✓ |
| ieNoOpen sets X-Download-Options for IE8+ | ✓ |
| noCache to disable client-side caching | |
| noSniff to keep clients from sniffing the MIME type | ✓ |
| referrerPolicy to hide the Referer header | |
| xssFilter adds some small XSS protections | ✓ |
You can find more details on each module in the helmet documentation.
Note: in order to work well with the helmet HSTS module, think-helmet will augment `this.request` to include a `secure` boolean that determines whether the request is over HTTPS.
Examples
```javascript
// src/config/middleware.js
module.exports = [{
  handle: require('think-helmet'),
  options: {
    contentSecurityPolicy: { // set content security policy directives
      directives: {
        defaultSrc: ["'self'"],
        styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com']
      }
    },
    dnsPrefetchControl: false // disable dns prefetch control
  }
}]
```
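To verify that the middleware actually took effect, the following added example (not think-helmet's or helmet's own code) audits a captured set of response headers against the modules in the table above. The header-to-module mapping is based on the headers helmet sets; the sample headers are constructed to match the example config above (CSP directives set, dnsPrefetchControl disabled), and their values are assumed, not captured from a real app.

```javascript
// Added example: map each helmet module to the response header it controls.
// Header names are in Node's lowercased form (http.IncomingMessage.headers).
const HELMET_HEADERS = {
  contentSecurityPolicy: 'content-security-policy',
  dnsPrefetchControl: 'x-dns-prefetch-control',
  frameguard: 'x-frame-options',
  hpkp: 'public-key-pins',
  hsts: 'strict-transport-security',
  ieNoOpen: 'x-download-options',
  noCache: 'cache-control',
  noSniff: 'x-content-type-options',
  referrerPolicy: 'referrer-policy',
  xssFilter: 'x-xss-protection',
};
// Modules helmet enables by default (the ✓ column of the table above).
const ENABLED_BY_DEFAULT = ['dnsPrefetchControl', 'frameguard', 'hidePoweredBy',
  'hsts', 'ieNoOpen', 'noSniff', 'xssFilter'];

// Returns which modules are visibly applied and which defaults are missing.
function auditHelmetHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const applied = {};
  for (const [mod, name] of Object.entries(HELMET_HEADERS)) applied[mod] = name in h;
  // hidePoweredBy is the one module whose effect is an ABSENT header.
  applied.hidePoweredBy = !('x-powered-by' in h);
  const missingDefaults = ENABLED_BY_DEFAULT.filter((m) => !applied[m]);
  return { applied, missingDefaults };
}

// Constructed sample (assumed values): what an app running the example
// config above is expected to send. No x-dns-prefetch-control, since that
// module was disabled, and no x-powered-by, since hidePoweredBy stripped it.
const SAMPLE_HEADERS = {
  'content-security-policy': "default-src 'self'; style-src 'self' maxcdn.bootstrapcdn.com",
  'x-frame-options': 'SAMEORIGIN',
  'strict-transport-security': 'max-age=15552000; includeSubDomains',
  'x-download-options': 'noopen',
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '1; mode=block',
  'content-type': 'text/html; charset=utf-8',
};

function checkSample() {
  return auditHelmetHeaders(SAMPLE_HEADERS);
}

console.log(JSON.stringify(checkSample(), null, 2));
```

Running it against the sample reports exactly one missing default, dnsPrefetchControl, which is expected because the config disables it; any other entry in missingDefaults means the middleware is not applied as configured.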