How to use the helmet.contentTypeOptions function in helmet

To help you get started, we’ve selected a few helmet examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github mozilla / thimble.mozilla.org / services / login.webmaker.org / app / http / server.js View on Github external
http.configure(function () {
    nunjucksEnv.express(http);

    http.disable("x-powered-by");

    if (!!env.get("ENABLE_GELF_LOGS")) {
      messina = require("messina");
      logger = messina("login.webmaker.org-" + env.get("NODE_ENV") || "development");
      logger.init();
      http.use(logger.middleware());
    } else if (!env.get("DISABLE_HTTP_LOGGING")) {
      http.use(express.logger());
    }

    http.use(helmet.iexss());
    http.use(helmet.contentTypeOptions());
    http.use(helmet.xframe());

    if (!!env.get("FORCE_SSL")) {
      http.use(helmet.hsts());
      http.enable("trust proxy");
    }

    http.use(express.json());
    http.use(express.urlencoded());
    http.use(webmakerAuth.cookieParser());
    http.use(webmakerAuth.cookieSession());

    // Setup locales with i18n
    http.use(i18n.middleware({
      supported_languages: env.get("SUPPORTED_LANGS"),
      default_lang: "en-US",
github mozilla / makedrive / server / web-server.js View on Github external
app.use(log.middleware());
app.disable('x-powered-by');
app.use(function(req, res, next) {
  var d = domain.create();
  d.add(req);
  d.add(res);
  d.on('error', function(err) {
    // Bubble this fatal error up to the top-level server
    log.fatal(err, 'Web Server domain error');
    module.exports.emit('error', err);
  });
  d.run(next);
});
app.use(middleware.crossOriginHandler);
app.use(helmet.contentTypeOptions());
app.use(helmet.hsts());
app.enable('trust proxy');
app.use(express.compress());
app.use(express.static(Path.join(__dirname, '../client')));
if(env.get('NODE_ENV') === 'development') {
  app.use('/demo', express.static(Path.join(__dirname, '../demo')));
}

app.use(express.json());
app.use(express.urlencoded());

auth.init(app);

app.use(app.router);

app.use(middleware.errorHandler);
github geekyme / openshop / app.js View on Github external
app.configure(function(){
  app.set('port', process.env.PORT || Config.PROCESS.port);
  app.set('views', __dirname + '/views'); // folder for templating engine to look in
  app.set('view engine', 'jade'); // templating engine
  app.use(require('stylus').middleware({ src: __dirname + '/public' })); // styling engine and folder
  app.use(express.favicon()); // auto generate a favicon
  app.use(express.logger('dev')); // log everything that happens in the server
  app.use(express.bodyParser());
  // helmet for increased security
  app.use(express.methodOverride());
  app.use(helmet.xframe()); 
  app.use(helmet.iexss());
  app.use(helmet.contentTypeOptions());
  app.use(helmet.cacheControl());
  // Session & Cookies
  app.use(express.cookieParser());
  app.use(express.session({
    secret: "187n mnko21908qnxxgy1n9x1",
    cookie: {httpOnly: true, maxAge: 10*60*1000},
    store: sessionStore
  }));
  // Implement Express' built in CSRF
  app.use(express.csrf());  
  app.use(function (req, res, next) {
    // make sure we pass a token to our jade templates. These tokens could be embedded in HTML forms.
    res.locals.csrftoken = req.session._csrf;
    next();
  });
  app.use(app.router);
github mozilla / login.webmaker.org / app / http / server.js View on Github external
http.configure(function () {
    nunjucksEnv.express(http);

    http.disable("x-powered-by");

    if (!env.get("DISABLE_HTTP_LOGGING")) {
      http.use(express.logger());
    }

    http.use(helmet.iexss());
    http.use(helmet.contentTypeOptions());
    http.use(helmet.xframe());

    if (!!env.get("FORCE_SSL")) {
      http.use(helmet.hsts());
      http.enable("trust proxy");
    }

    http.use(express.json());
    http.use(express.urlencoded());
    http.use(webmakerAuth.cookieParser());
    http.use(webmakerAuth.cookieSession());

    // Setup locales with i18n
    http.use(i18n.middleware({
      supported_languages: env.get("SUPPORTED_LANGS"),
      default_lang: "en-US",
github AmpersandJS / tools.ampersandjs.com / server.js View on Github external
// -----------------
serverApp.use(express.compress());
serverApp.use(express.static(__dirname + '/public'));
// we only want to expose tests in dev
if (config.isDev) {
    serverApp.use(express.static(__dirname + '/clienttests/assets'));
    serverApp.use(express.static(__dirname + '/clienttests/spacemonkey'));
}
serverApp.use(express.bodyParser());
serverApp.use(express.cookieParser());
// in order to test this with spacemonkey we need frames
if (!config.isDev) {
    serverApp.use(helmet.xframe());
}
serverApp.use(helmet.iexss());
serverApp.use(helmet.contentTypeOptions());
serverApp.set('view engine', 'jade');


// ---------------------------------------------------
// Configure Moonboots to serve our client application
// ---------------------------------------------------
var clientApp = clientApp(serverApp, {developmentMode: config.isDev});

// Enable the functional test site in development
if (config.isDev) {
    serverApp.get('/test*', semiStatic({
        folderPath: __dirname + '/clienttests',
        root: '/test'
    }));
}
github CleverStack / node-seed / security.js View on Github external
if ( config.security.xframe ) {
        if (config.security.xframe.mode === 'allow-from') {
            app.use(helmet.xframe('allow-from', config.security.xframe.from));
        } else {
            app.use(helmet.xframe(config.security.xframe.mode));
        }
    }

    // X-XSS-PROTECTION for IE8+
    if ( config.security.iexss) {
        app.use(helmet.iexss());
    }

    // X-Content-Type-Options nosniff
    if ( config.security.contentTypeOptions ) {
        app.use(helmet.contentTypeOptions());
    }

    // Cache-Control no-store, no-cache
    if ( config.security.cacheControl ) {
        app.use(helmet.cacheControl());
    }

};
github mozilla / MakeAPI / server.js View on Github external
if (env.get("ENABLE_GELF_LOGS")) {
  messina = require("messina");
  logger = messina("Make-API-" + env.get("NODE_ENV") || "development");
  logger.init();
  app.use(logger.middleware());
} else {
  app.use(express.logger("dev"));
}

app.use(express.favicon("public/images/favicon.ico", {
  maxAge: 31556952000
}));

app.use(helmet.iexss());
app.use(helmet.contentTypeOptions());
app.use(helmet.xframe());

if (!!env.get("FORCE_SSL")) {
  app.use(helmet.hsts());
  app.enable("trust proxy");
}
app.use(express.compress());
app.use(express.static(path.join(__dirname + "/public")));
app.use(express.json());
app.use(express.urlencoded());
app.use(webmakerAuth.cookieParser());
app.use(webmakerAuth.cookieSession());

var optimize = env.get("NODE_ENV") !== "development",
  tmpDir = path.join(require("os").tmpDir(), "makeapi.webmaker.org");
app.use(lessMiddleware({
github mozilla / popcorn.webmaker.org / server.js View on Github external
app.use( logger.middleware() );
  } else {
    app.use( express.logger( config.logger ) );
  }

  app.use( function( req, res, next ) {
    var allowed = [ "/static/bower/font-awesome/font/" ];
    for ( var i = 0; i < allowed.length; i++ ) {
      if ( req.url.substring( 0, allowed[ i ].length ) === allowed[ i ] ) {
        res.header( "Access-Control-Allow-Origin", "*" );
      }
    }
    next();
  });
  app.use(helmet.iexss());
  app.use(helmet.contentTypeOptions());
  if ( !!config.FORCE_SSL ) {
    app.use( helmet.hsts() );
    app.enable( "trust proxy" );
  }
  app.use( express.compress() )
    .use( lessMiddleware(rtltrForLess({
      once: config.OPTIMIZE_CSS,
      dest: tmpDir,
      src: WWW_ROOT,
      compress: config.OPTIMIZE_CSS,
      yuicompress: config.OPTIMIZE_CSS,
      optimization: config.OPTIMIZE_CSS ? 0 : 2
    })))
    .use( requirejsMiddleware({
      src: WWW_ROOT,
      dest: tmpDir,
github otalk / otalk-im-client / server.js View on Github external
var Moonboots = require('moonboots');
var config = require('getconfig');
var templatizer = require('templatizer');
var oembed = require('oembed');
var async = require('async');


var app = express();

app.use(express.compress());
app.use(express.static(__dirname + '/public'));
if (!config.isDev) {
    app.use(helmet.xframe());
}
app.use(helmet.iexss());
app.use(helmet.contentTypeOptions());

oembed.EMBEDLY_URL = config.embedly.url || 'https://api.embed.ly/1/oembed';
oembed.EMBEDLY_KEY = config.embedly.key;

var clientApp = new Moonboots({
    main: __dirname + '/clientapp/app.js',
    templateFile: __dirname + '/clientapp/templates/main.html',
    developmentMode: config.isDev,
    cachePeriod: 0,
    libraries: [
        __dirname + '/clientapp/libraries/jquery.js',
        __dirname + '/clientapp/libraries/ui.js',
        __dirname + '/clientapp/libraries/resampler.js',
        __dirname + '/clientapp/libraries/IndexedDBShim.min.js'
    ],
    browserify: {