How to use helmet - 10 common examples
To help you get started, we’ve selected a few helmet examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
tokopedia / treats / packages / treats / server / init.js View on Github 
const initWDSProxy = require("./wds-proxy").default;
if (!global.__WDS_PROXY) {
initWDSProxy();
}
app.use("/__TREATS_WDS__", global.__WDS_PROXY);
}
if (envVars.serveAssets) {
console.info(
`[Assets] Serving assets locally from ${ASSETS_PATH} on ${envVars.serveAssetsURL}`
);
app.use(envVars.serveAssetsURL, express.static(ASSETS_PATH));
}
/*External Middleware Initialization */
/* Helmet - Secure HTTP Header*/
app.use(
helmet({
xssFilter: false
})
);
/* Cookie Parser - Parse Cookies from Client (available in req object) */
app.use(cookieParser());
/* Morgan - HTTP logger */
if (process.env.NODE_ENV === "production") {
app.use(
morgan("dev", {
stream: logger.stream
})
);
} else {
app.use(import compression from 'compression';
import { v1Router } from './api/v1';
import { isProduction } from '../../../config';
const origin = {
// origin: isProduction ? 'https://dddforum.com' : '*',
origin: "*"
}
const app = express();
app.use(bodyParser.json())
app.use(bodyParser.urlencoded({ extended: true }))
app.use(cors(origin))
app.use(compression())
app.use(helmet())
app.use(morgan('combined'))
app.use('/api/v1', v1Router)
const port = process.env.PORT || 5000;
app.listen(port, () => {
console.log(`[App]: Listening on port ${port}`)
})extended: true
}));
app.use(bodyParser.json());
app.use(compression({level: 9})); //use compression
app.use(methodOverride());
// CookieParser should be above session
app.use(cookieParser());
// connect flash for flash messages
//app.use(flash());
// Use helmet to secure Express headers
// app.use(helmet.xframe());
app.use(helmet.xssFilter());
app.use(helmet.nosniff());
app.use(helmet.ienoopen());
app.disable('x-powered-by');
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
res.header("Access-Control-Allow-Headers", "x-openrtb-version,Content-Type,*");
res.header("X-Frame-Options", "ALLOWALL");
if (req.method === 'OPTIONS') {
console.log("INFO: Browser send OPTIONS request.");
res.statusCode = 204;
return res.end();
} else {
return next();
}if (!!env.get("ENABLE_GELF_LOGS")) {
messina = require("messina");
logger = messina("login.webmaker.org-" + env.get("NODE_ENV") || "development");
logger.init();
http.use(logger.middleware());
} else if (!env.get("DISABLE_HTTP_LOGGING")) {
http.use(express.logger());
}
http.use(helmet.iexss());
http.use(helmet.contentTypeOptions());
http.use(helmet.xframe());
if (!!env.get("FORCE_SSL")) {
http.use(helmet.hsts());
http.enable("trust proxy");
}
http.use(express.json());
http.use(express.urlencoded());
http.use(webmakerAuth.cookieParser());
http.use(webmakerAuth.cookieSession());
// Setup locales with i18n
http.use(i18n.middleware({
supported_languages: env.get("SUPPORTED_LANGS"),
default_lang: "en-US",
mappings: require("webmaker-locale-mapping"),
translation_directory: path.resolve(__dirname, "../../locale")
}));done(null, models.User.toClientFormat(user, sessionType));
} catch (e) {
done(e);
}
});
app.use(helmet());
app.use(helmet.noCache()); // noCache disabled by default
if (appConfig.standalone) {
app.use(morgan('dev'));
}
const validConnectSrc = appConfig.isDev ? ['*'] : ["'self'"];
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
connectSrc: validConnectSrc,
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'"],
},
}));
app.use((err, req, res, next) => {
console.error(err);
res.status(500).send('Internal server error');
});
await updateDatabase(app);
errorHandling(app);const coverageStyle = serveStatic(fs.dappPath('coverage/'));
const main = serveStatic(this.buildDir, {'index': ['index.html', 'index.htm']});
this.app = express();
const expressWs = expressWebSocket(this.app);
// Assign Logging Function
this.app.use(function(req, res, next) {
if (self.logging) {
if (!req.headers.upgrade) {
console.log('Webserver> ' + req.method + " " + req.originalUrl);
}
}
next();
});
this.app.use(helmet.noCache());
this.app.use(cors());
this.app.use(main);
this.app.use('/coverage', coverage);
this.app.use(coverageStyle);
this.app.use(express.static(path.join(fs.dappPath(this.dist)), {'index': ['index.html', 'index.htm']}));
this.app.use('/embark', express.static(path.join(__dirname, '../../../embark-ui/build')));
this.app.use(bodyParser.json()); // support json encoded bodies
this.app.use(bodyParser.urlencoded({extended: true})); // support encoded bodies
this.app.ws('/logs', function(ws, _req) {
self.events.on("log", function(logLevel, logMsg) {
ws.send(JSON.stringify({msg: logMsg, msg_clear: logMsg.stripColors, logLevel: logLevel}), () => {});
});
});* because you don’t want to make it easy for an attacker to figure what you are
* running The X-Powered-By header can be extremely useful to an attacker for
* building a site’s risk profile
*/
app.disable('x-powered-by');
app.use(compression());
app.use(bodyParser.json({ limit: '50mb' }));
app.use(bodyParser.urlencoded({ limit: '50mb', extended: true }));
app.use(cookieParser());
app.use(helmet());
// using a single line of code will attach 7 protecting middleware to Express
// appapp.use(helmet());
// additional configurations can be applied on demand, this one mislead the
// caller to think we’re using PHP 🙂
app.use(helmet.hidePoweredBy({
setTo: 'PHP 4.2.0'
})); // other middleware are not activated by default and requires explicit
// configuration .
// app.use(helmet.referrerPolicy({ policy: 'same-origin' }));
// app.use(flash());
app.use('*', (req, res, next) => {
console.log(`URL: ${req.baseUrl}`);
next();
});
app.use((req, res, next) => {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'PUT, GET, POST, DELETE, OPTIONS');
res.header(
'Access-Control-Allow-Headers',
'Origin, X-Requested-With, Content-Type, Accept');*
*/
'use strict';
console.log('Starting app...');
const request = require('request'), Promise = require("bluebird"); //request for pulling JSON from api. Bluebird for Promises.
const express = require('express'),
app = express(),
helmet = require('helmet'),
http = require('http').Server(app),
io = require('socket.io')(http); // For websocket server functionality
app.use(helmet.hidePoweredBy({setTo: 'PHP/5.4.0'}));
const port = process.env.PORT || 3000;
app.use(express.static(__dirname + '/docs'));
http.listen(port, function () {
console.log('listening on', port);
});
require('./settings.js')(); //Includes settings file.
// let db = require('./db.js'); //Includes db.js
let coinNames = [];
io.on('connection', function (socket) {// db: db.connection.db,
// collection: config.sessionCollection
// }, function () {
// console.log("db connection open");
// })
//}));
// use passport session
app.use(passport.initialize());
app.use(passport.session());
// connect flash for flash messages
app.use(flash());
// Use helmet to secure Express headers
app.use(helmet.xframe());
app.use(helmet.xssFilter());
app.use(helmet.nosniff());
app.use(helmet.ienoopen());
app.disable('x-powered-by');
// Setting the app router and static folder
app.use(express.static(path.resolve('./public')));
// Globbing routing files
config.getGlobbedFiles('./app/routes/**/*.js').forEach(function(routePath) {
require(path.resolve(routePath))(app);
});
// Assume 'not found' in the error msgs is a 404. this is somewhat silly, but valid, you can do whatever you like, set properties, use instanceof etc.
app.use(function(err, req, res, next) {}));
app.use(bodyParser.json());
app.use(compression({level: 9})); //use compression
app.use(methodOverride());
// CookieParser should be above session
app.use(cookieParser());
// connect flash for flash messages
//app.use(flash());
// Use helmet to secure Express headers
// app.use(helmet.xframe());
app.use(helmet.xssFilter());
app.use(helmet.nosniff());
app.use(helmet.ienoopen());
app.disable('x-powered-by');
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
res.header("Access-Control-Allow-Headers", "x-openrtb-version,Content-Type,*");
res.header("X-Frame-Options", "ALLOWALL");
if (req.method === 'OPTIONS') {
console.log("INFO: Browser send OPTIONS request.");
res.statusCode = 204;
return res.end();
} else {
return next();
}
});helmet
help secure Express/Connect apps with various HTTP headers
Package Health Score
92 / 100Popular helmet functions
- helmet
- helmet.contentSecurityPolicy
- helmet.contentTypeOptions
- helmet.csp
- helmet.dnsPrefetchControl
- helmet.featurePolicy
- helmet.frameguard
- helmet.hidePoweredBy
- helmet.hpkp
- helmet.hsts
- helmet.ieNoOpen
- helmet.ienoopen
- helmet.iexss
- helmet.noCache
- helmet.noSniff
- helmet.nosniff
- helmet.permittedCrossDomainPolicies
- helmet.referrerPolicy
- helmet.xframe
- helmet.xssFilter