How to use helmet - 10 common examples

To help you get started, we’ve selected a few helmet examples, based on popular ways it is used in public projects.


github tokopedia / treats / packages / treats / server / init.js View on Github external
const initWDSProxy = require("./wds-proxy").default;
        if (!global.__WDS_PROXY) {
            initWDSProxy();
        }
        app.use("/__TREATS_WDS__", global.__WDS_PROXY);
    }
    if (envVars.serveAssets) {
        console.info(
            `[Assets] Serving assets locally from ${ASSETS_PATH} on ${envVars.serveAssetsURL}`
        );
        app.use(envVars.serveAssetsURL, express.static(ASSETS_PATH));
    }
    /*External Middleware Initialization */
    /* Helmet - Secure HTTP Header*/
    app.use(
        helmet({
            xssFilter: false
        })
    );

    /* Cookie Parser - Parse Cookies from Client (available in req object) */
    app.use(cookieParser());

    /* Morgan - HTTP logger */
    if (process.env.NODE_ENV === "production") {
        app.use(
            morgan("dev", {
                stream: logger.stream
            })
        );
    } else {
        app.use(
github stemmlerjs / ddd-forum / src / shared / infra / http / app.ts View on Github external
import compression from 'compression';
import { v1Router } from './api/v1';
import { isProduction } from '../../../config';

/**
 * CORS options for the API. A wildcard origin lets any site call it; browsers
 * never send credentials with "*", so cookies are not exposed this way.
 * NOTE(review): the wildcard applies in every environment, although
 * `isProduction` is imported above (unused here) — the original author had
 * sketched `isProduction ? 'https://dddforum.com' : '*'` for this field.
 */
const origin = {
  origin: "*",
};

const app = express();

// Middleware in execution order: body parsing, CORS, compression, helmet's
// default security headers, then access logging. One app.use() with several
// handlers registers them in exactly this order.
app.use(
  bodyParser.json(),
  bodyParser.urlencoded({ extended: true }),
  cors(origin),
  compression(),
  helmet(),
  morgan('combined'),
);

// All routes live under the versioned API prefix.
app.use('/api/v1', v1Router);

// PORT stays a string when set in the environment; Express accepts either.
const port = process.env.PORT || 5000;

app.listen(port, () => {
  console.log(`[App]: Listening on port ${port}`);
});
github duyetdev / node-rtb-server / server.js View on Github external
extended: true
	}));
	
	// JSON bodies (the urlencoded parser is registered just above this excerpt).
	app.use(bodyParser.json());
	// Response compression at zlib's highest, most CPU-intensive level.
	app.use(compression({level: 9})); //use compression
	// Lets a client override the HTTP method (via a header or query key,
	// depending on the method-override version), so a request can be treated
	// as PUT/DELETE even if it arrived as POST.
	app.use(methodOverride());

	// CookieParser should be above session
	app.use(cookieParser());

	// connect flash for flash messages
	//app.use(flash());

	// Helmet (legacy per-header API): X-XSS-Protection, X-Content-Type-Options:
	// nosniff and X-Download-Options: noopen. Frame protection (xframe) is
	// deliberately left off; the CORS middleware registered right after this
	// block sets X-Frame-Options itself.
	// app.use(helmet.xframe());
	app.use(helmet.xssFilter());
	app.use(helmet.nosniff());
	app.use(helmet.ienoopen());
	// Drop Express's X-Powered-By fingerprint.
	app.disable('x-powered-by');

	app.use(function(req, res, next) {
	   res.header("Access-Control-Allow-Origin", "*");
	   res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
	   res.header("Access-Control-Allow-Headers", "x-openrtb-version,Content-Type,*");
	   res.header("X-Frame-Options", "ALLOWALL");
	   if (req.method === 'OPTIONS') {
	   		console.log("INFO: Browser send OPTIONS request.");
			res.statusCode = 204;
			return res.end();
	  } else {
	    return next();
	  }
github mozilla / thimble.mozilla.org / services / login.webmaker.org / app / http / server.js View on Github external
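if (env.get("ENABLE_GELF_LOGS")) {
      // GELF logging via messina; the logger name carries NODE_ENV so log
      // streams from different environments can be told apart.
      messina = require("messina");
      // The fallback is parenthesised so it applies to NODE_ENV itself. The
      // original `"…-" + env.get("NODE_ENV") || "development"` bound `||` to the
      // already-concatenated (always truthy) string, so the fallback never
      // fired and an unset NODE_ENV produced "login.webmaker.org-undefined".
      logger = messina("login.webmaker.org-" + (env.get("NODE_ENV") || "development"));
      logger.init();
      http.use(logger.middleware());
    } else if (!env.get("DISABLE_HTTP_LOGGING")) {
      // Plain request logging (the logger bundled with this Express release).
      http.use(express.logger());
    }

    // Helmet (legacy names): X-XSS-Protection (iexss), X-Content-Type-Options:
    // nosniff (contentTypeOptions) and X-Frame-Options (xframe).
    http.use(helmet.iexss());
    http.use(helmet.contentTypeOptions());
    http.use(helmet.xframe());

    // HSTS only when TLS is enforced. "trust proxy" makes req.secure / the
    // protocol reflect X-Forwarded-* from the TLS-terminating proxy, which is
    // presumably why it is enabled together with HSTS — confirm against the
    // deployment.
    if (env.get("FORCE_SSL")) {
      http.use(helmet.hsts());
      http.enable("trust proxy");
    }

    // Body parsing, then the webmaker-auth cookie parser and cookie session
    // (session state lives in the cookie, not server-side).
    http.use(express.json());
    http.use(express.urlencoded());
    http.use(webmakerAuth.cookieParser());
    http.use(webmakerAuth.cookieSession());

    // Setup locales with i18n
    http.use(i18n.middleware({
      supported_languages: env.get("SUPPORTED_LANGS"),
      default_lang: "en-US",
      mappings: require("webmaker-locale-mapping"),
      translation_directory: path.resolve(__dirname, "../../locale")
    }));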
github partio-scout / reki / src / server / server.js View on Github external
done(null, models.User.toClientFormat(user, sessionType));
    } catch (e) {
      done(e);
    }
  });

  // helmet() applies its default header set; noCache is not part of it, so the
  // no-cache headers are registered separately.
  app.use(helmet());
  app.use(helmet.noCache()); // noCache disabled by default

  // Request logging only in standalone mode (presumably when not embedded in
  // another server — confirm against appConfig).
  if (appConfig.standalone) {
    app.use(morgan('dev'));
  }

  // In dev the front-end may open connections to any host (e.g. a separate
  // dev server); in production fetch/XHR/websocket targets are same-origin only.
  const validConnectSrc = appConfig.isDev ? ['*'] : ["'self'"];

  // Content-Security-Policy. 'unsafe-inline' and 'unsafe-eval' in script-src
  // let injected inline scripts and eval() run, which removes most of the XSS
  // protection CSP provides; presumably required by the current bundle —
  // nonces or hashes would be needed to tighten it. Styles are likewise allowed
  // inline; images and the default source are same-origin only.
  app.use(helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
      connectSrc: validConnectSrc,
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'"],
    },
  }));

  // Generic error handler. The four-parameter signature is what marks it as an
  // error handler for Express, so `next` must stay even though it is unused.
  // The full error goes to the server log only; the client gets a fixed message.
  // NOTE(review): next(err) is never called, so error handlers registered later
  // (e.g. by errorHandling below) would not see these errors — confirm intended.
  app.use((err, req, res, next) => {
    console.error(err);
    res.status(500).send('Internal server error');
  });

  // Runs inside the enclosing async function (its header is above this excerpt).
  await updateDatabase(app);
  errorHandling(app);
github embark-framework / embark / lib / modules / webserver / server.js View on Github external
const coverageStyle = serveStatic(fs.dappPath('coverage/'));
    // Static handler for the build directory; index.html/index.htm are served
    // for directory requests.
    const main = serveStatic(this.buildDir, {'index': ['index.html', 'index.htm']});

    this.app = express();
    // Adds app.ws() so websocket routes share this HTTP server.
    const expressWs = expressWebSocket(this.app);
    // Assign Logging Function
    // Logs every plain HTTP request while logging is enabled; websocket
    // upgrade requests (req.headers.upgrade set) are skipped.
    this.app.use(function(req, res, next) {
      if (self.logging) {
        if (!req.headers.upgrade) {
          console.log('Webserver> ' + req.method + " " + req.originalUrl);
        }
      }
      next();
    });

    // Only helmet's noCache is used here; none of its other headers are set.
    this.app.use(helmet.noCache());
    // cors() without options allows every origin (Access-Control-Allow-Origin: *).
    this.app.use(cors());
    this.app.use(main);
    this.app.use('/coverage', coverage);
    this.app.use(coverageStyle);

    this.app.use(express.static(path.join(fs.dappPath(this.dist)), {'index': ['index.html', 'index.htm']}));
    // The Embark UI bundle, served under /embark.
    this.app.use('/embark', express.static(path.join(__dirname, '../../../embark-ui/build')));

    this.app.use(bodyParser.json()); // support json encoded bodies
    this.app.use(bodyParser.urlencoded({extended: true})); // support encoded bodies

    // Streams every "log" event to each connected websocket client.
    // NOTE(review): the listener is added per connection and never removed, so
    // listeners accumulate across reconnects and ws.send() keeps being attempted
    // on closed sockets (the empty callback discards those errors). Detaching
    // on the socket's 'close' event would fix it — confirm self.events exposes a
    // removeListener/off method first.
    this.app.ws('/logs', function(ws, _req) {
      self.events.on("log", function(logLevel, logMsg) {
        ws.send(JSON.stringify({msg: logMsg, msg_clear: logMsg.stripColors, logLevel: logLevel}), () => {});
      });
    });
github Preetam007 / hyperledger_composer_file_storage / index.js View on Github external
* because you don’t want to make it easy for an attacker to figure what you are
 * running The X-Powered-By header can be extremely useful to an attacker for
 * building a site’s risk profile
 */
app.disable('x-powered-by');

app.use(compression());
// 50 MB request-body ceiling on both parsers; any client may send bodies up to
// this size, so per-request memory is bounded only by this value.
app.use(bodyParser.json({ limit: '50mb' }));
app.use(bodyParser.urlencoded({ limit: '50mb', extended: true }));
app.use(cookieParser());
// helmet() attaches its default set of header-hardening middleware in one call;
// the per-header middleware below is opt-in and needs explicit configuration.
app.use(helmet());
// Re-adds X-Powered-By with a decoy value after Express's own header was
// disabled above, so a fingerprinting client sees PHP rather than Express.
// The `setTo` option only exists in older helmet majors (removed later) —
// check the installed version.
app.use(helmet.hidePoweredBy({
  setTo: 'PHP 4.2.0'
}));
// app.use(helmet.referrerPolicy({ policy: 'same-origin' }));
// app.use(flash());
// Request logging; for a '*' mount, req.baseUrl is the matched (effectively
// the full) request path.
app.use('*', (req, res, next) => {
  console.log(`URL: ${req.baseUrl}`);
  next();
});

app.use((req, res, next) => {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Methods', 'PUT, GET, POST, DELETE, OPTIONS');
  res.header(
      'Access-Control-Allow-Headers',
      'Origin, X-Requested-With, Content-Type, Accept');
github manu354 / cryptocurrency-arbitrage / main.js View on Github external
*
 */

'use strict';

console.log('Starting app...');

// HTTP client used to pull JSON from the exchange APIs.
const request = require('request');
// Bluebird stands in for the global Promise within this module.
const Promise = require("bluebird");

const express = require('express');
const app = express();
const helmet = require('helmet');
const http = require('http').Server(app);
// Websocket server bound to the same HTTP server.
const io = require('socket.io')(http);

// Only helmet's hidePoweredBy is applied, with a decoy value; none of helmet's
// other header middleware is registered here.
app.use(helmet.hidePoweredBy({setTo: 'PHP/5.4.0'}));

// PORT stays a string when set in the environment; Node accepts either.
const port = process.env.PORT || 3000;

// Static front-end served from ./docs.
app.use(express.static(`${__dirname}/docs`));

http.listen(port, function () {
    console.log('listening on', port);
});

// Loads and runs the settings module for its side effects.
require('./settings.js')();

let coinNames = [];
io.on('connection', function (socket) {
github dmoll1974 / targets-io / config / express.js View on Github external
//		db: db.connection.db,
	//		collection: config.sessionCollection
	//	}, function () {
	//		console.log("db connection open");
	//	})
	//}));

	// use passport session
	// use passport session
	// passport.session() restores req.user from the session and therefore needs
	// a session middleware registered before it (the commented-out session store
	// above suggests one existed — confirm it is still mounted earlier).
	app.use(passport.initialize());
	app.use(passport.session());

	// connect flash for flash messages
	app.use(flash());

	// Helmet (legacy per-header API): X-Frame-Options, X-XSS-Protection,
	// X-Content-Type-Options: nosniff and X-Download-Options: noopen.
	app.use(helmet.xframe());
	app.use(helmet.xssFilter());
	app.use(helmet.nosniff());
	app.use(helmet.ienoopen());
	// Drop Express's X-Powered-By fingerprint.
	app.disable('x-powered-by');


	// Setting the app router and static folder
	app.use(express.static(path.resolve('./public')));

	// Globbing routing files
	// Every matching route module is required and called with the app so it can
	// register its own routes; paths are resolved against the process cwd.
	config.getGlobbedFiles('./app/routes/**/*.js').forEach(function(routePath) {
		require(path.resolve(routePath))(app);
	});

	// Assume 'not found' in the error msgs is a 404. this is somewhat silly, but valid, you can do whatever you like, set properties, use instanceof etc.
	app.use(function(err, req, res, next) {
github duyetdev / node-rtb-server / server.js View on Github external
}));
	
	// JSON bodies (the urlencoded parser is registered just above this excerpt).
	app.use(bodyParser.json());
	// Response compression at zlib's highest, most CPU-intensive level.
	app.use(compression({level: 9})); //use compression
	// Lets a client override the HTTP method (via a header or query key,
	// depending on the method-override version), so a request can be treated
	// as PUT/DELETE even if it arrived as POST.
	app.use(methodOverride());

	// CookieParser should be above session
	app.use(cookieParser());

	// connect flash for flash messages
	//app.use(flash());

	// Helmet (legacy per-header API): X-XSS-Protection, X-Content-Type-Options:
	// nosniff and X-Download-Options: noopen. Frame protection (xframe) is
	// deliberately left off; the CORS middleware registered right after this
	// block sets X-Frame-Options itself.
	// app.use(helmet.xframe());
	app.use(helmet.xssFilter());
	app.use(helmet.nosniff());
	app.use(helmet.ienoopen());
	// Drop Express's X-Powered-By fingerprint.
	app.disable('x-powered-by');

	// CORS + preflight handling for the bid endpoints. Any origin may call the
	// server; browsers never send credentials with a "*" origin. In the header
	// list, "*" is a wildcard only for non-credentialed requests, so the two
	// explicit names are what remains for credentialed ones.
	app.use(function(req, res, next) {
	  res.header("Access-Control-Allow-Origin", "*");
	  res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
	  res.header("Access-Control-Allow-Headers", "x-openrtb-version,Content-Type,*");
	  // "ALLOWALL" is not a value browsers recognise for X-Frame-Options (only
	  // DENY and SAMEORIGIN are); browsers ignore the header, so framing stays
	  // unrestricted — which appears to be the intent here.
	  res.header("X-Frame-Options", "ALLOWALL");
	  // Preflight: reply with an empty 204 and stop the chain.
	  if (req.method === 'OPTIONS') {
	    console.log("INFO: Browser send OPTIONS request.");
	    res.statusCode = 204;
	    return res.end();
	  }
	  return next();
	});