Express / Connect middleware that implement various security headers. [with sane defaults where applicable]

Included Middleware

• csp (Content Security Policy)
• HSTS (HTTP Strict Transport Security)
• xframe (X-FRAME-OPTIONS)
• iexss (X-XSS-PROTECTION for IE8+)
• contentTypeOptions (X-Content-Type-Options nosniff)
• cacheControl (Cache-Control no-store, no-cache)

Installation

npm install helmet

Basic Express Usage

    var helmet = require('helmet');

To use a particular middleware application wide just add it to your app configuration. Make sure it is listed before app.router.

    app.configure(function(){
        app.use(express.methodOverride());
        app.use(express.bodyParser());
        app.use(helmet.csp());
        app.use(helmet.xframe());
        app.use(helmet.contentTypeOptions());
        app.use(app.router);
    });

Content Security Policy

Content Security Policy (W3C Draft) <- Pretty much required reading if you want to do anything with CSP

Browser Support

Currently there is CSP support in Firefox and experimental support in Chrome. Both X-Content-Security-Policy and X-WebKit-CSP headers are set by helmet.

There are two different ways to build CSP policies with helmet.

Using policy()

policy() eats a json blob (including the output of it's own toJSON() function) to create a policy. By default helmet has a defaultPolicy that looks like;

Content-Security-Policy: default-src 'self'

To override this and create a new policy you could do something like

policy = {
  defaultPolicy: {
    'default-src': ["'self'"],
    'img-src': ['static.andyet.net','*.cdn.example.com'],
  }
}

helmet.csp.policy(policy);

Using add()

The same thing could be accomplished using add() since the defaultPolicy default-src is already 'self'

helmet.csp.add('img-src', ['static.andyet.net', '*.cdn.example.com']);

Reporting Violations

CSP can report violations back to a specified URL. You can either set the report-uri using policy() or add() or use the reportTo() helper function.

helmet.csp.reportTo('http://example.com/csp');

HTTP Strict Transport Security

draft-ietf-websec-strict-transport-sec-04

This middleware adds the Strict-Transport-Security header to the response

Basic Usage

To use the default header of Strict-Transport-Security: maxAge=15768000

helmet.hsts();

To adjust other values for maxAge and to include subdomains

helmet.hsts(1234567, true);  // hsts(maxAge, includeSubdomains)

X-FRAME-OPTIONS

xFrame is a lot more straight forward than CSP. It has three modes. DENY, SAMEORIGIN, ALLOW-FROM. If your app does not need to be framed (and most don't) you can use the default DENY.

Browser Support

• IE8+
• Opera 10.50+
• Safari 4+
• Chrome 4.1.249.1042+
• Firefox 3.6.9 (or earlier with NoScript)

Here is an example for both SAMEORIGIN and ALLOW-FROM

helmet.xframe('sameorigin');

helmet.xframe('allow-from', 'http://example.com');

X-XSS-PROTECTION

The following example sets the X-XSS-PROTECTION: 1; mode=block header

helmet.iexss();

X-Content-Type-Options

The following example sets the X-Content-Type-Options header to it's only and default option 'nosniff'

helmet.contentTypeOptions();

Cache-Control

The following example sets the Cache-Control header to no-store, no-cache. This is not configurable at this time.

helmet.cacheControl();

To Be Implemented

• Warn when self, unsafe-inline or unsafe-eval are not single quoted
• Warn when unsafe-inline or unsafe-eval are used
• Caching of generated CSP headers
• Device to capture and parse reported CSP violations