Server Helmet
It helps secure your Skazka server by setting various security-related HTTP response headers.
How to install
npm i @skazka/server @skazka/server-helmet
With yarn:
yarn add @skazka/server @skazka/server-helmet
Optionally, add the HTTP server, error handler, logger, router, request and response packages used in the example below:
npm i @skazka/server-http @skazka/server-router @skazka/server-error @skazka/server-logger @skazka/server-request @skazka/server-response
With yarn:
yarn add @skazka/server-http @skazka/server-router @skazka/server-error @skazka/server-logger @skazka/server-request @skazka/server-response
How to use
const App = require('@skazka/server');
const Router = require('@skazka/server-router');
const helmet = require('@skazka/server-helmet');
const error = require('@skazka/server-error');
const logger = require('@skazka/server-logger');
const request = require('@skazka/server-request');
const response = require('@skazka/server-response');
const server = require('@skazka/server-http');
const app = new App();
const router = new Router();
app.all([
error(),
logger(),
request(),
response(),
helmet(),
]);
app.then(async (ctx) => {
// it works for each request
});
router.get('/data').then(async (ctx) => {
return ctx.response('data');
});
app.then(router.resolve());
server.createHttpServer(app);
Or with options:
app.all([
helmet({
frameguard: false,
...
})
]);
You can also use its pieces individually:
app.all([
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'", 'default.com'],
},
}),
helmet.dnsPrefetchControl(),
helmet.expectCt(),
helmet.featurePolicy({
features: {
fullscreen: ["'self'"],
},
}),
helmet.frameguard(),
helmet.hidePoweredBy(),
helmet.hpkp({
maxAge: 7776000,
sha256s: ['AbCdEf123=', 'ZyXwVu456='],
}),
helmet.hsts({
maxAge: 7776000,
}),
helmet.ieNoOpen(),
helmet.noCache(),
helmet.noSniff(),
helmet.permittedCrossDomainPolicies(),
helmet.referrerPolicy(),
helmet.xssFilter(),
]);
How it works
Helmet is a collection of 14 smaller middleware functions that set HTTP response headers.
Running app.all([helmet()])
will not include all of these middleware functions by default; the table below shows which ones are enabled without options.
Module | Default? |
---|---|
contentSecurityPolicy for setting Content Security Policy | |
crossdomain (helmet.permittedCrossDomainPolicies in the example above) for handling Adobe products' crossdomain requests | |
dnsPrefetchControl controls browser DNS prefetching | ✓ |
expectCt for handling Certificate Transparency | |
featurePolicy to limit your site's features | |
frameguard to prevent clickjacking | ✓ |
hidePoweredBy to remove the X-Powered-By header | ✓ |
hpkp for HTTP Public Key Pinning (no longer supported by mainstream browsers; a wrong pin can lock users out of your site) | |
hsts for HTTP Strict Transport Security | ✓ |
ieNoOpen sets X-Download-Options for IE8+ | ✓ |
noCache to disable client-side caching | |
noSniff to keep clients from sniffing the MIME type | ✓ |
referrerPolicy to control what the Referer header reveals | |
xssFilter adds some small XSS protections | ✓ |
You can see more in the documentation.
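As an added example (not code from @skazka/server-helmet or the Skazka project), the following Node script audits a set of response headers against the protections in the table above and reports which modules' headers are present, missing, or present but weak. The header names and values are the standard ones each module sets; the two sample responses, the `auditHeaders` function name and the HSTS minimum are constructed assumptions for illustration.

```javascript
'use strict';

// Header names are case-insensitive in HTTP, so normalize before lookup.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Assumed policy threshold: helmet's own default HSTS max-age (180 days).
const MIN_HSTS_MAX_AGE = 15552000;

// One entry per header-setting module from the table above. `weak(value)`
// returns a reason when the header is present but too permissive, else null.
const CHECKS = [
  { module: 'contentSecurityPolicy', header: 'content-security-policy',
    weak: (v) => !/(^|;)\s*default-src\s/i.test(v) ? 'no default-src fallback'
      : /unsafe-inline|(^|\s)\*(\s|;|$)/.test(v) ? "allows 'unsafe-inline' or a bare *" : null },
  { module: 'permittedCrossDomainPolicies', header: 'x-permitted-cross-domain-policies',
    weak: (v) => v.trim().toLowerCase() === 'none' ? null : `"${v}" is not "none"` },
  { module: 'dnsPrefetchControl', header: 'x-dns-prefetch-control',
    weak: (v) => v.trim().toLowerCase() === 'off' ? null : 'prefetching not turned off' },
  { module: 'expectCt', header: 'expect-ct', weak: () => null },
  { module: 'featurePolicy', header: 'feature-policy', weak: () => null },
  { module: 'frameguard', header: 'x-frame-options',
    weak: (v) => /^(deny|sameorigin)$/i.test(v.trim()) ? null : `"${v}" does not block framing` },
  { module: 'hpkp', header: 'public-key-pins', weak: () => null },
  { module: 'hsts', header: 'strict-transport-security',
    weak: (v) => {
      const m = /max-age=(\d+)/i.exec(v);
      if (!m) return 'no max-age';
      return Number(m[1]) < MIN_HSTS_MAX_AGE ? `max-age ${m[1]} is below ${MIN_HSTS_MAX_AGE}` : null;
    } },
  { module: 'ieNoOpen', header: 'x-download-options',
    weak: (v) => v.trim().toLowerCase() === 'noopen' ? null : 'not "noopen"' },
  { module: 'noCache', header: 'cache-control',
    weak: (v) => /no-store/i.test(v) ? null : 'does not include no-store' },
  { module: 'noSniff', header: 'x-content-type-options',
    weak: (v) => v.trim().toLowerCase() === 'nosniff' ? null : 'not "nosniff"' },
  { module: 'referrerPolicy', header: 'referrer-policy',
    weak: (v) => /unsafe-url/i.test(v) ? 'unsafe-url sends the full URL cross-origin' : null },
  { module: 'xssFilter', header: 'x-xss-protection',
    weak: (v) => /^1\b.*mode=block/i.test(v) ? null : 'not "1; mode=block"' },
];

// Classify every module's header as present, missing, or weak for one response.
function auditHeaders(rawHeaders) {
  const headers = normalize(rawHeaders);
  const result = { present: [], missing: [], weak: {} };
  for (const c of CHECKS) {
    const value = headers[c.header];
    if (value === undefined) { result.missing.push(c.module); continue; }
    const reason = c.weak(value);
    if (reason) result.weak[c.module] = reason; else result.present.push(c.module);
  }
  // hidePoweredBy is the one module that removes a header instead of adding one.
  if (headers['x-powered-by'] === undefined) result.present.push('hidePoweredBy');
  else result.weak.hidePoweredBy = `X-Powered-By still reveals "${headers['x-powered-by']}"`;
  return result;
}

// Constructed sample: the headers the default helmet() set leaves on a response.
const DEFAULT_HELMET_RESPONSE = {
  'X-DNS-Prefetch-Control': 'off',
  'X-Frame-Options': 'SAMEORIGIN',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Download-Options': 'noopen',
  'X-Content-Type-Options': 'nosniff',
  'X-XSS-Protection': '1; mode=block',
  'Content-Type': 'text/plain',
};

// Constructed sample: a response with no helmet at all and a short HSTS max-age.
const BARE_RESPONSE = {
  'X-Powered-By': 'Express',
  'Strict-Transport-Security': 'max-age=3600',
  'Content-Type': 'text/html',
};

console.log(JSON.stringify(auditHeaders(DEFAULT_HELMET_RESPONSE), null, 2));
console.log(JSON.stringify(auditHeaders(BARE_RESPONSE), null, 2));
```

Feeding it the `headers` object of a real Node http.IncomingMessage (already lowercased) is a quick way to confirm that your middleware ordering actually leaves the expected headers on the wire, and that the non-default modules you opted into are really there.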