How to use the helmet function in helmet
To help you get started, we’ve selected a few helmet examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
tokopedia / treats / packages / treats / server / init.js View on Github 
const initWDSProxy = require("./wds-proxy").default;
if (!global.__WDS_PROXY) {
initWDSProxy();
}
app.use("/__TREATS_WDS__", global.__WDS_PROXY);
}
if (envVars.serveAssets) {
console.info(
`[Assets] Serving assets locally from ${ASSETS_PATH} on ${envVars.serveAssetsURL}`
);
app.use(envVars.serveAssetsURL, express.static(ASSETS_PATH));
}
/*External Middleware Initialization */
/* Helmet - Secure HTTP Header*/
app.use(
helmet({
xssFilter: false
})
);
/* Cookie Parser - Parse Cookies from Client (available in req object) */
app.use(cookieParser());
/* Morgan - HTTP logger */
if (process.env.NODE_ENV === "production") {
app.use(
morgan("dev", {
stream: logger.stream
})
);
} else {
app.use(import compression from 'compression';
import { v1Router } from './api/v1';
import { isProduction } from '../../../config';
const origin = {
// origin: isProduction ? 'https://dddforum.com' : '*',
origin: "*"
}
const app = express();
app.use(bodyParser.json())
app.use(bodyParser.urlencoded({ extended: true }))
app.use(cors(origin))
app.use(compression())
app.use(helmet())
app.use(morgan('combined'))
app.use('/api/v1', v1Router)
const port = process.env.PORT || 5000;
app.listen(port, () => {
console.log(`[App]: Listening on port ${port}`)
})export default function createExpressApp(config: Config): express.Express {
const app: express.Express = express()
// handle basename
let list: string[] = Array.isArray(config.basename)
? config.basename
: [config.basename || ""]
list.forEach((basename: string) => {
app.use(shareRoot(basename))
})
// handle helmet
if (config.helmet) {
app.use(helmet(config.helmet))
}
// handle compression
if (config.compression) {
app.use(compression(config.compression))
}
// handle favicon
if (config.favicon) {
app.use(favicon(config.favicon))
}
// handle view engine
const viewsConfig = {
...config.ReactViews,
babel: {import reactCookie from 'react-cookies';
import cookieParser from 'cookie-parser';
import createHistory from 'history/createMemoryHistory';
import configureStore from './configureStore';
import Html from './utils/Html';
import App from './containers/App';
import routes from './routes';
import { port, host } from './config';
const app = express();
// Add Cookie parser
app.use(cookieParser());
// Using helmet to secure Express with various HTTP headers
app.use(helmet());
// Prevent HTTP parameter pollution.
app.use(hpp());
// Compress all requests
app.use(compression());
// Use morgan for http request debug (only show error)
app.use(morgan('dev', { skip: (req, res) => res.statusCode < 400 }));
app.use(favicon(path.join(process.cwd(), './public/favicon.ico')));
app.use(express.static(path.join(process.cwd(), './public')));
// Run express as webpack dev server
if (__DEV__) {
const webpack = require('webpack');
const webpackConfig = require('../tools/webpack/config.babel');
const compiler = webpack(webpackConfig);const app = express();
if (config.env === 'development') {
app.use(logger('dev'));
}
// parse body params and attache them to req.body
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));
app.use(cookieParser());
app.use(compress());
app.use(methodOverride());
// secure apps by setting various HTTP headers
app.use(helmet());
// enable CORS - Cross Origin Resource Sharing
app.use(cors());
// enable detailed API logging in dev env
if (config.env === 'development') {
expressWinston.requestWhitelist.push('body');
expressWinston.responseWhitelist.push('body');
app.use(expressWinston.logger({
winstonInstance,
meta: true, // optional: log meta data about request (defaults to true)
msg: 'HTTP {{req.method}} {{req.url}} {{res.statusCode}} {{res.responseTime}}ms',
colorStatus: true // Color the status code (default green, 3XX cyan, 4XX yellow, 5XX red).
}));
}import api from "./api";
import { isDev } from "./env";
const app = express();
const pathToPublic = path.resolve(process.cwd(), "dist", "public");
const universalApp = require(path.resolve(process.cwd(), "dist", "app", "server")).default;
const expectedReferrers = ["http://" + config.hostname + ":" + config.port];
if (isDev) {
expectedReferrers.push("http://" + config.hostname + ":" + config.devServerPort);
}
app.server = http.createServer(app);
app.use(morgan("dev"));
app.use(helmet());
// "same-origin" would be the best, but "origin-when-cross-origin" has the best cross-browser support
app.use(helmet.referrerPolicy({ policy: "origin-when-cross-origin" }));
app.use(
bodyParser.json({
limit: config.bodyLimit,
})
);
app.use(
bodyParser.urlencoded({
limit: config.bodyLimit,
extended: true,
})
);
app.use(session(config.session));
api(app);
app.use(private setupSecureServer = (app: Express) => {
// Header for XSS protection, etc
app.use(helmet());
// Header for CSP
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
__CSP__ && app.use(helmet.contentSecurityPolicy(this.options.csp));
};import express from 'express'
import bodyParser from 'body-parser'
import helmet from 'helmet'
import morgan from 'morgan'
import responseHandler from './utils/response-handler'
import errorHandler from './utils/error-handler'
import nextAsync from './utils/next-async'
import { API_CORS } from '../src/config'
const app = express()
export default app
app.use(bodyParser.json())
app.use(morgan())
app.use(helmet())
import cors from 'cors'
if ( API_CORS ) {
app.use(cors(typeof API_CORS == 'object' ? API_CORS : {}))
}
// load up middlewares
import * as middlewares from '../src/middlewares'
for( let name in middlewares ) {
let middleware = middlewares[name]
if ( typeof middleware == 'function' ) {
app.use( nextAsync( middleware ) )
}
}let app
if (createServer) {
app = createServer.call(this, options, context)
} else {
app = this.framework()
}
if (serverWasCreated) {
serverWasCreated.call(this, app, options, context)
}
if (helmet !== false) {
this.runtime.debug('Setting up helmet security middleware')
app.use(helmetSecurity(typeof helmet === 'object' ? helmet : DEFAULT_HELMET_SETTINGS))
}
if (cors) {
this.runtime.debug('Enabling CORS', { cors })
setupCors.call(this, app, cors)
}
if (pretty) {
this.runtime.debug('Enabling pretty printing of JSON responses')
app.use(require('express-prettify')({ query: 'pretty' }))
}
if (enableLogging) {
const winston = require('winston')
const expressWinston = require('express-winston')routes,
Html
})
const sessionMiddleware = session({
secret: process.env.HTTP_SESSION_SECRET,
resave: false,
saveUninitialized: true,
cookie: {secure: process.env.HTTP_SESSION_SECURE === 'yes'},
})
const corsMiddleware = cors({
origin: '*',
})
app.use(helmet());
app.configure(socketio(function(io) {
io.use(function(socket, next) {
sessionMiddleware(socket.request, socket.request.res, next);
})
io.use(function(socket, next) {
socket.feathers.request = socket.request;
next();
})
}))
app.use('/assets', express.static('assets'))
app.use(corsMiddleware)
app.use(sessionMiddleware)
app.use(express.json())helmet
help secure Express/Connect apps with various HTTP headers
Package Health Score
95 / 100Popular helmet functions
- helmet
- helmet.contentSecurityPolicy
- helmet.contentTypeOptions
- helmet.csp
- helmet.dnsPrefetchControl
- helmet.featurePolicy
- helmet.frameguard
- helmet.hidePoweredBy
- helmet.hpkp
- helmet.hsts
- helmet.ieNoOpen
- helmet.ienoopen
- helmet.iexss
- helmet.noCache
- helmet.noSniff
- helmet.nosniff
- helmet.permittedCrossDomainPolicies
- helmet.referrerPolicy
- helmet.xframe
- helmet.xssFilter