How to use the helmet.contentTypeOptions function in helmet
To help you get started, we’ve selected a few helmet examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
mozilla / thimble.mozilla.org / services / login.webmaker.org / app / http / server.js View on Github 
http.configure(function () {
nunjucksEnv.express(http);
http.disable("x-powered-by");
if (!!env.get("ENABLE_GELF_LOGS")) {
messina = require("messina");
logger = messina("login.webmaker.org-" + env.get("NODE_ENV") || "development");
logger.init();
http.use(logger.middleware());
} else if (!env.get("DISABLE_HTTP_LOGGING")) {
http.use(express.logger());
}
http.use(helmet.iexss());
http.use(helmet.contentTypeOptions());
http.use(helmet.xframe());
if (!!env.get("FORCE_SSL")) {
http.use(helmet.hsts());
http.enable("trust proxy");
}
http.use(express.json());
http.use(express.urlencoded());
http.use(webmakerAuth.cookieParser());
http.use(webmakerAuth.cookieSession());
// Setup locales with i18n
http.use(i18n.middleware({
supported_languages: env.get("SUPPORTED_LANGS"),
default_lang: "en-US",app.use(log.middleware());
app.disable('x-powered-by');
app.use(function(req, res, next) {
var d = domain.create();
d.add(req);
d.add(res);
d.on('error', function(err) {
// Bubble this fatal error up to the top-level server
log.fatal(err, 'Web Server domain error');
module.exports.emit('error', err);
});
d.run(next);
});
app.use(middleware.crossOriginHandler);
app.use(helmet.contentTypeOptions());
app.use(helmet.hsts());
app.enable('trust proxy');
app.use(express.compress());
app.use(express.static(Path.join(__dirname, '../client')));
if(env.get('NODE_ENV') === 'development') {
app.use('/demo', express.static(Path.join(__dirname, '../demo')));
}
app.use(express.json());
app.use(express.urlencoded());
auth.init(app);
app.use(app.router);
app.use(middleware.errorHandler);app.configure(function(){
app.set('port', process.env.PORT || Config.PROCESS.port);
app.set('views', __dirname + '/views'); // folder for templating engine to look in
app.set('view engine', 'jade'); // templating engine
app.use(require('stylus').middleware({ src: __dirname + '/public' })); // styling engine and folder
app.use(express.favicon()); // auto generate a favicon
app.use(express.logger('dev')); // log everything that happens in the server
app.use(express.bodyParser());
// helmet for increased security
app.use(express.methodOverride());
app.use(helmet.xframe());
app.use(helmet.iexss());
app.use(helmet.contentTypeOptions());
app.use(helmet.cacheControl());
// Session & Cookies
app.use(express.cookieParser());
app.use(express.session({
secret: "187n mnko21908qnxxgy1n9x1",
cookie: {httpOnly: true, maxAge: 10*60*1000},
store: sessionStore
}));
// Implement Express' built in CSRF
app.use(express.csrf());
app.use(function (req, res, next) {
// make sure we pass a token to our jade templates. These tokens could be embedded in HTML forms.
res.locals.csrftoken = req.session._csrf;
next();
});
app.use(app.router);http.configure(function () {
nunjucksEnv.express(http);
http.disable("x-powered-by");
if (!env.get("DISABLE_HTTP_LOGGING")) {
http.use(express.logger());
}
http.use(helmet.iexss());
http.use(helmet.contentTypeOptions());
http.use(helmet.xframe());
if (!!env.get("FORCE_SSL")) {
http.use(helmet.hsts());
http.enable("trust proxy");
}
http.use(express.json());
http.use(express.urlencoded());
http.use(webmakerAuth.cookieParser());
http.use(webmakerAuth.cookieSession());
// Setup locales with i18n
http.use(i18n.middleware({
supported_languages: env.get("SUPPORTED_LANGS"),
default_lang: "en-US",// -----------------
serverApp.use(express.compress());
serverApp.use(express.static(__dirname + '/public'));
// we only want to expose tests in dev
if (config.isDev) {
serverApp.use(express.static(__dirname + '/clienttests/assets'));
serverApp.use(express.static(__dirname + '/clienttests/spacemonkey'));
}
serverApp.use(express.bodyParser());
serverApp.use(express.cookieParser());
// in order to test this with spacemonkey we need frames
if (!config.isDev) {
serverApp.use(helmet.xframe());
}
serverApp.use(helmet.iexss());
serverApp.use(helmet.contentTypeOptions());
serverApp.set('view engine', 'jade');
// ---------------------------------------------------
// Configure Moonboots to serve our client application
// ---------------------------------------------------
var clientApp = clientApp(serverApp, {developmentMode: config.isDev});
// Enable the functional test site in development
if (config.isDev) {
serverApp.get('/test*', semiStatic({
folderPath: __dirname + '/clienttests',
root: '/test'
}));
}if ( config.security.xframe ) {
if (config.security.xframe.mode === 'allow-from') {
app.use(helmet.xframe('allow-from', config.security.xframe.from));
} else {
app.use(helmet.xframe(config.security.xframe.mode));
}
}
// X-XSS-PROTECTION for IE8+
if ( config.security.iexss) {
app.use(helmet.iexss());
}
// X-Content-Type-Options nosniff
if ( config.security.contentTypeOptions ) {
app.use(helmet.contentTypeOptions());
}
// Cache-Control no-store, no-cache
if ( config.security.cacheControl ) {
app.use(helmet.cacheControl());
}
};if (env.get("ENABLE_GELF_LOGS")) {
messina = require("messina");
logger = messina("Make-API-" + env.get("NODE_ENV") || "development");
logger.init();
app.use(logger.middleware());
} else {
app.use(express.logger("dev"));
}
app.use(express.favicon("public/images/favicon.ico", {
maxAge: 31556952000
}));
app.use(helmet.iexss());
app.use(helmet.contentTypeOptions());
app.use(helmet.xframe());
if (!!env.get("FORCE_SSL")) {
app.use(helmet.hsts());
app.enable("trust proxy");
}
app.use(express.compress());
app.use(express.static(path.join(__dirname + "/public")));
app.use(express.json());
app.use(express.urlencoded());
app.use(webmakerAuth.cookieParser());
app.use(webmakerAuth.cookieSession());
var optimize = env.get("NODE_ENV") !== "development",
tmpDir = path.join(require("os").tmpDir(), "makeapi.webmaker.org");
app.use(lessMiddleware({app.use( logger.middleware() );
} else {
app.use( express.logger( config.logger ) );
}
app.use( function( req, res, next ) {
var allowed = [ "/static/bower/font-awesome/font/" ];
for ( var i = 0; i < allowed.length; i++ ) {
if ( req.url.substring( 0, allowed[ i ].length ) === allowed[ i ] ) {
res.header( "Access-Control-Allow-Origin", "*" );
}
}
next();
});
app.use(helmet.iexss());
app.use(helmet.contentTypeOptions());
if ( !!config.FORCE_SSL ) {
app.use( helmet.hsts() );
app.enable( "trust proxy" );
}
app.use( express.compress() )
.use( lessMiddleware(rtltrForLess({
once: config.OPTIMIZE_CSS,
dest: tmpDir,
src: WWW_ROOT,
compress: config.OPTIMIZE_CSS,
yuicompress: config.OPTIMIZE_CSS,
optimization: config.OPTIMIZE_CSS ? 0 : 2
})))
.use( requirejsMiddleware({
src: WWW_ROOT,
dest: tmpDir,var Moonboots = require('moonboots');
var config = require('getconfig');
var templatizer = require('templatizer');
var oembed = require('oembed');
var async = require('async');
var app = express();
app.use(express.compress());
app.use(express.static(__dirname + '/public'));
if (!config.isDev) {
app.use(helmet.xframe());
}
app.use(helmet.iexss());
app.use(helmet.contentTypeOptions());
oembed.EMBEDLY_URL = config.embedly.url || 'https://api.embed.ly/1/oembed';
oembed.EMBEDLY_KEY = config.embedly.key;
var clientApp = new Moonboots({
main: __dirname + '/clientapp/app.js',
templateFile: __dirname + '/clientapp/templates/main.html',
developmentMode: config.isDev,
cachePeriod: 0,
libraries: [
__dirname + '/clientapp/libraries/jquery.js',
__dirname + '/clientapp/libraries/ui.js',
__dirname + '/clientapp/libraries/resampler.js',
__dirname + '/clientapp/libraries/IndexedDBShim.min.js'
],
browserify: {helmet
help secure Express/Connect apps with various HTTP headers
Package Health Score
92 / 100Popular helmet functions
- helmet
- helmet.contentSecurityPolicy
- helmet.contentTypeOptions
- helmet.csp
- helmet.dnsPrefetchControl
- helmet.featurePolicy
- helmet.frameguard
- helmet.hidePoweredBy
- helmet.hpkp
- helmet.hsts
- helmet.ieNoOpen
- helmet.ienoopen
- helmet.iexss
- helmet.noCache
- helmet.noSniff
- helmet.nosniff
- helmet.permittedCrossDomainPolicies
- helmet.referrerPolicy
- helmet.xframe
- helmet.xssFilter