Tuesday, October 22, 2013

evilpacket helmet · GitHub

README.md

Included Middleware

Installation

npm install helmet

Basic Express Usage

To use a particular middleware application-wide, just use it from your app. Make sure it is listed before app.router.

If you just want to use the default-level policies, all you need to do is:

Defaults are semi-configurable too. If you wanted all the defaults but wanted your own xframe options you could do this:

Content Security Policy

The is pretty much required reading if you want to do anything with CSP.

Browser Support

Currently there is CSP support in Firefox and experimental support in Chrome. Both X-Content-Security-Policy and X-WebKit-CSP headers are set by Helmet.

There are two different ways to build CSP policies with Helmet.

Using policy()

policy() eats a JSON blob (including the output of its own toJSON() function) to create a policy. By default helmet has a defaultPolicy that looks like:

Content-Security-Policy: default-src 'self'

To override this and create a new policy you could do something like

Using add()

The same thing could be accomplished using add() since the defaultPolicy default-src is already 'self':

Reporting Violations

CSP can report violations back to a specified URL. You can either set the report-uri using policy() or add() or use the reportTo() helper function.

HTTP Strict Transport Security

This middleware adds the Strict-Transport-Security header to the response.

Basic Usage

To use the default header of Strict-Transport-Security: maxAge=15768000:

To adjust other values for maxAge and to include subdomains:

X-FRAME-OPTIONS

xFrame is a lot more straightforward than CSP. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM. If your app does not need to be framed (and most don't) you can use the default DENY.

Browser Support

Here is an example for both SAMEORIGIN and ALLOW-FROM:

X-XSS-PROTECTION

The following example sets the X-XSS-PROTECTION: 1; mode=block header:

X-Content-Type-Options

The following example sets the X-Content-Type-Options header to its only and default option, nosniff:

Cache-Control

The following example sets the Cache-Control header to no-store, no-cache. This is not configurable at this time.
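The code samples did not survive on this page, so here is an added example (not helmet's own code) of Express-style middleware that sets every header the sections above describe, from CSP with policy merging and report-uri through Cache-Control. The Express (req, res, next) signature and the policy-object shape are assumptions, and HSTS is spelled with the RFC 6797 directive name max-age.

```javascript
// Added example, not helmet's own code: an Express-style (req, res, next) middleware
// that emits the headers the README above describes; the policy object shape is assumed.

// Build a CSP value from a policy object such as
// { 'default-src': ["'self'"], 'script-src': ["'self'", 'https://cdn.example'] }.
function buildCsp(policy, reportUri) {
  const parts = Object.keys(policy).map(
    (directive) => directive + ' ' + policy[directive].join(' ')
  );
  if (reportUri) parts.push('report-uri ' + reportUri); // "Reporting Violations"
  return parts.join('; ');
}

// Extend a policy without dropping what it already allows (the add() idea).
function addSources(policy, directive, sources) {
  const merged = Object.assign({}, policy);
  merged[directive] = (policy[directive] || []).concat(sources);
  return merged;
}

const DEFAULT_POLICY = { 'default-src': ["'self'"] }; // the README's defaultPolicy

function securityHeaders(opts = {}) {
  const csp = buildCsp(opts.policy || DEFAULT_POLICY, opts.reportUri);
  // HSTS: RFC 6797 spells the directive max-age; 15768000 s is about six months.
  let hsts = 'max-age=' + (opts.maxAge || 15768000);
  if (opts.includeSubdomains) hsts += '; includeSubDomains';
  // X-Frame-Options: DENY (default), SAMEORIGIN, or ALLOW-FROM <origin>.
  const xframe = opts.allowFrom ? 'ALLOW-FROM ' + opts.allowFrom : (opts.xframe || 'DENY');
  return function (req, res, next) {
    res.setHeader('Content-Security-Policy', csp); // plus the 2013 prefixed names below
    res.setHeader('X-Content-Security-Policy', csp);
    res.setHeader('X-WebKit-CSP', csp);
    res.setHeader('Strict-Transport-Security', hsts);
    res.setHeader('X-Frame-Options', xframe);
    res.setHeader('X-XSS-Protection', '1; mode=block');
    res.setHeader('X-Content-Type-Options', 'nosniff');
    res.setHeader('Cache-Control', 'no-store, no-cache');
    next();
  };
}

// Run the middleware against a stub response so the headers can be checked without
// starting a server (a real app would call app.use(securityHeaders())).
function headersFor(opts) {
  const headers = {};
  securityHeaders(opts)({}, { setHeader: (k, v) => { headers[k] = v; } }, () => {});
  return headers;
}
```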

To Be Implemented
