How to use the helmet.csp function in helmet
To help you get started, we’ve selected a few helmet examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
CleverStack / node-seed / security.js View on Github 
module.exports = function( app, config ) {
// Content Security Policy
if ( config.security.csp ) {
app.use(helmet.csp());
if ( config.security.csp.policy ) {
helmet.csp.policy(config.security.csp.policy);
}
}
// HTTP Strict Transport Security
if ( config.security.hsts ) {
app.use(helmet.hsts(config.security.hsts.maxAge, config.security.hsts.includeSubdomains));
}
// X-FRAME-OPTIONS
if ( config.security.xframe ) {
if (config.security.xframe.mode === 'allow-from') {
app.use(helmet.xframe('allow-from', config.security.xframe.from));
} else {
app.use(helmet.xframe(config.security.xframe.mode));)
app.use(expressValidator())
app.use(csrf({cookie: {secure: config.cookie.secure}}))
app.use(function(req, res, next) {
if (req.url.indexOf('/abe/') > -1) {
res.locals._csrf = req.csrfToken()
}
next()
})
app.use(bodyParser.json({limit: '1gb'}))
if (config.security === true) {
app.use(helmet())
app.use(
helmet.csp({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"].concat(config.csp.scriptSrc),
styleSrc: ["'self'", "'unsafe-inline'"].concat(config.csp.styleSrc),
imgSrc: ["'self'", 'data:'].concat(config.csp.imgSrc),
// frameSrc: ["'self'"],
childSrc: ["'self'"].concat(config.csp.childSrc),
frameAncestors: ["'self'"].concat(config.csp.frameAncestors),
mediaSrc: ["'self'"].concat(config.csp.mediaSrc),
fontSrc: ["'self'"].concat(config.csp.fontSrc),
connectSrc: ["'self'"].concat(config.csp.connectSrc),
sandbox: [
'allow-same-origin',
'allow-scripts',
'allow-modals',
'allow-popups',export default (DI, app, config) => {
app.use(helmet.csp({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:"],
reportUri: `${config.cspReportUrl}`,
},
}));
app.use(helmet.xssFilter());
app.use(helmet.noSniff());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
// Force convert parameters to strings
app.use((req, res, next) => {
req.body = _.mapValues(req.body, v => String(v));'localhost:3000',
'ws://localhost:3000/',
'http://localhost:3000',
'*.ionicframework.com',
'https://syndication.twitter.com',
'*.youtube.com',
'*.jsdelivr.net',
'https://*.jsdelivr.net',
'*.ytimg.com',
'*.bitly.com',
'http://cdn.inspectlet.com/',
'wss://inspectletws.herokuapp.com/',
'http://hn.inspectlet.com/'
];
app.use(helmet.csp({
defaultSrc: trusted,
scriptSrc: [
'*.optimizely.com',
'*.aspnetcdn.com',
'*.d3js.org'
].concat(trusted),
'connect-src': [
].concat(trusted),
styleSrc: trusted,
imgSrc: [
/* allow all input since we have user submitted images for public profile*/
'*'
].concat(trusted),
fontSrc: ['*.googleapis.com'].concat(trusted),
mediaSrc: [
'*.amazonaws.com',module.exports = function (){
var app = express()
app.use(requireHTTPS)
if(isProduction()){
var proxyHost = process.env.PROXY_URL.replace("https://", '')
app.use(helmet.csp({
'default-src': ["'self'"],
'connect-src': [
"'self'",
'api.bitcoinaverage.com', 'chain.so', // tickers
'btc.blockr.io', 'tbtc.blockr.io', 'ltc.blockr.io', // blockchain APIs
process.env.DB_HOST, proxyHost
],
'font-src': ['s3.amazonaws.com'],
'img-src': ["'self'", 'data:', 'www.gravatar.com'],
'style-src': ["'self'", 's3.amazonaws.com'],
'script-src': ["'self'", 'blob:', "'unsafe-eval'"], // http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0021.html, https://github.com/ractivejs/ractive/issues/285
reportOnly: false,
setAllHeaders: false,
safari5: true
}))
app.use(helmet.xssFilter())initDone = initDone || function () {}
var app = express()
app.enable('strict routing')
app.use(morgan('dev'))
app.use(helmet())
app.use(compression())
app.use(helmet.hsts({
maxAge: 10886400000, // Must be at least 18 weeks to be approved by Google
includeSubDomains: true, // Must be enabled to be approved by Google
setIf: function () {
return env.api.secret !== '12345678'
}
}))
if (0) {
app.use(helmet.csp({
// Specify directives as normal.
directives: {
defaultSrc: ["'self'", 'doclets.io'],
fontSrc: ['fonts.gstatic.com', 'cdnjs.cloudflare.com', 'data:'],
scriptSrc: ["'self'", "'unsafe-inline'", 'cdnjs.cloudflare.com', 'buttons.github.io', 'platform.twitter.com', 'www.google-analytics.com', 'api.github.com'],
styleSrc: ["'self'", "'unsafe-inline'", 'cdnjs.cloudflare.com', 'fonts.googleapis.com', 'platform.twitter.com', 'buttons.github.io'],
imgSrc: ["'self'", 'data:', 'syndication.twitter.com', 'www.google-analytics.com', 'avatars.githubusercontent.com', 'img.shields.io'],
sandbox: ['allow-forms', 'allow-scripts', 'allow-same-origin'],
childSrc: ['*.youtube.com', '*.twitter.com', 'youtube.com', 'buttons.github.io'],
frameSrc: ['*.youtube.com', '*.twitter.com', 'youtube.com', 'buttons.github.io'],
objectSrc: ['*.youtube.com'] // An empty array allows nothing through
}
}))
}
app.use(bodyParser.urlencoded({ extended: true }))
app.use(bodyParser.json())routes = require('./routes'),
app = express();
const CSP_DIRECTIVES = require('./scripts/csp-directives.js');
app.set('trust proxy', true);
app.use(bodyParser.json());
app.use(compression());
app.use(helmet());
app.use(frameguard({
action: "allow-from",
domain: "https://pontoon.mozilla.org"
}));
app.use(helmet.csp(CSP_DIRECTIVES));
app.use(helmet.hsts({
maxAge: 90 * 24 * 60 * 60 * 1000 // 90 days
}));
// Redirect to SSL if set
app.use(function(req, resp, next){
if (!req.secure && env.get('FORCE_SSL')){
if (req.method === "GET") {
resp.redirect(301, `https://${req.headers.host}${req.originalUrl}`);
}
else{
resp.status(403).send("Please use HTTPS when submitting data to this server.");
}
}function expressInit(express, expressApp) {
expressApp.use(addRequestId)
if(global.devMode){
expressApp.use(logger('dev'))
}
expressApp.use(compression())
expressApp.set('views', path.join(__dirname, 'views'))
expressApp.set('view engine', 'jade')
/****
* Content Security Policy
*/
expressApp.use(helmet.csp({
directives: {
defaultSrc: ["'self'"]
},
reportOnly: false,
setAllHeaders: false,
disableAndroid: false,
browserSniff: true
}))
/****
* xssFilter header FWIW
* https://github.com/helmetjs/helmet#xss-filter-xssfilter
*/
expressApp.use(helmet.xssFilter())
/****
* Frameguard stops the page being put in a or defaultMiddleware() {
let router = express.Router();
router.use(this.errorMiddleware());
router.use(timing());
router.use(requestid());
router.use(this.loggerMiddleware());
let securityConfig = this.config.security || {};
router.use(helmet.csp({
directives: merge({ reportUri: '/_report-csp-violations' }, securityConfig && securityConfig.csp),
reportOnly: this.environment === 'development',
disableAndroid: true
}));
if (this.environment === 'development') {
router.post('/_report-csp-violations', (req, res) => { res.sendStatus(200); });
}
router.use(helmet.xssFilter());
router.use(helmet.frameguard());
router.use(helmet.hidePoweredBy());
router.use(helmet.ieNoOpen());
router.use(helmet.noSniff());
router.use(compression());
router.use(cors(securityConfig.cors));
router.use(cookies());
router.use(blackburn({export default function csp() {
return helmet.csp({
directives: {
defaultSrc: trusted,
scriptSrc: [
"'unsafe-eval'",
"'unsafe-inline'",
'*.google-analytics.com',
'*.gstatic.com',
'https://*.googleapis.com',
'https://*.cloudflare.com',
'*.cloudflare.com',
'https://*.gitter.im',
'https://*.cdnjs.com',
'*.cdnjs.com',
'https://*.jsdelivr.com',
'*.jsdelivr.com',
'*.twimg.com',helmet
help secure Express/Connect apps with various HTTP headers
Package Health Score
92 / 100Popular helmet functions
- helmet
- helmet.contentSecurityPolicy
- helmet.contentTypeOptions
- helmet.csp
- helmet.dnsPrefetchControl
- helmet.featurePolicy
- helmet.frameguard
- helmet.hidePoweredBy
- helmet.hpkp
- helmet.hsts
- helmet.ieNoOpen
- helmet.ienoopen
- helmet.iexss
- helmet.noCache
- helmet.noSniff
- helmet.nosniff
- helmet.permittedCrossDomainPolicies
- helmet.referrerPolicy
- helmet.xframe
- helmet.xssFilter