// Request body parsing middleware should be above methodOverride.
// NOTE(review): both parsers accept bodies up to 100mb from any client. That
// is a cheap denial-of-service lever (memory held per in-flight request);
// keep the global limit small and raise it only on the routes that genuinely
// take large payloads.
app.use(bodyParser.urlencoded({
  extended: true,
  limit: '100mb'
}));
app.use(bodyParser.json({ limit: '100mb' }));
// methodOverride() is called without a getter, so it presumably falls back to
// the package default (the X-HTTP-Method-Override header) — confirm. Either
// way a client can turn a POST into PUT/DELETE, so CSRF checks must run on
// the *overridden* method, not on the raw POST.
app.use(methodOverride());
// Use helmet to secure Express headers
app.use(helmet.frameguard());          // X-Frame-Options (clickjacking)
app.use(helmet.xssFilter());           // X-XSS-Protection: legacy — modern browsers ignore it and helmet >=4 sets it to 0; a CSP is the real control
app.use(helmet.noSniff());             // X-Content-Type-Options: nosniff
app.use(helmet.ieNoOpen());            // X-Download-Options: noopen (IE only)
app.use(helmet.dnsPrefetchControl());  // X-DNS-Prefetch-Control (helmet default: off)
app.use(helmet.hidePoweredBy());       // drop the X-Powered-By: Express fingerprint
// NOTE(review): no hsts() or contentSecurityPolicy() appear in this run; if
// they are not registered elsewhere, those two are the headers with the most
// impact and belong next to these.
// Setting the app router and static folder
// path.resolve('./public') is relative to the process working directory, not
// to this file; starting the app from a different CWD serves a different (or
// no) directory.
app.use('/static', express.static(path.resolve('./public')));
// NOTE(review): ./uploads is served verbatim on the application origin. If
// this directory holds user uploads, an attacker can upload an .html or .svg
// file and have it rendered same-origin (stored XSS); nosniff above does not
// help when the file's own type is HTML. Validate types on upload, and serve
// uploads with Content-Disposition: attachment or from a separate origin.
app.use('/uploads', express.static(path.resolve('./uploads')));
// CookieParser should be above session.
// NOTE(review): the session() registration that follows is only partly
// visible in this excerpt; its visible options saveUninitialized: true and
// resave: true create a store record for every anonymous request and rewrite
// it on every request (store growth from unauthenticated traffic, plus a
// lost-update race between concurrent requests). Prefer false/false unless
// the store needs touches, and confirm cookie.httpOnly / secure / sameSite
// are set — they are not visible here.
app.use(cookieParser());
// Express MongoDB session storage
app.use(session({
saveUninitialized: true,
resave: true,
secret: config.sessionSecret,
store: new MongoStore({
reportUri: config.csp.reportUri
},
setAllHeaders: false,
reportOnly: false,
browserSniff: false
})); /* eslint-enable */
// Public-Key-Pins: https://github.com/helmetjs/hpkp
// NOTE(review): HPKP is dead — Chrome removed support in 72 and helmet
// dropped hpkp() in v4 — so this header buys nothing today, while
// includeSubdomains: true with reportOnly: false still carries the classic
// HPKP risk: lose access to every pinned key and the whole domain (and all
// subdomains) is unreachable, for maxAge, to any client that did honour it.
// Remove it, or at the very least make sure config.hpkp.sha256s contains a
// backup pin whose key is not in the live chain, as the HPKP spec requires.
app.use(helmet.hpkp({
  maxAge: ms(config.hpkp.maxAge) / 1000,  // ms() presumably yields milliseconds; the header wants seconds
  sha256s: config.hpkp.sha256s,
  includeSubdomains: true,
  reportUri: config.hpkp.reportUri,
  reportOnly: false
}));
// X-DNS-Prefetch-Control: https://github.com/helmetjs/dns-prefetch-control
// allow: false is helmet's default; if the dnsPrefetchControl() call higher
// up in this file belongs to the same app, this line is redundant.
app.use(helmet.dnsPrefetchControl({ allow: false }));
// https://github.com/helmetjs/referrer-policy
// NOTE(review): 'origin' sends scheme+host with every request, including
// cross-site and HTTPS->HTTP ones. 'strict-origin-when-cross-origin' (the
// browser default) or 'same-origin' leaks less with no loss for same-origin use.
app.use(helmet.referrerPolicy({ policy: 'origin' }));
// https://helmetjs.github.io/docs/expect-ct/
// Expect-CT is also deprecated (Chrome removed it in 107); browsers have
// required CT for publicly trusted certificates since 2018 regardless of this
// header, so it is harmless but dead.
app.use(helmet.expectCt({
  enforce: true,
  maxAge: ms(config.expectCT.maxAge) / 1000,
  reportUri: config.expectCT.reportUri
}));
}
url.hostname = 'avatars.' + url.hostname
imgSrc.push(url.origin)
}
// configure app
const app = express()
app.set('port', port)
app.set('logger', logger)
app.set('healthCheck', healthCheck)
// NOTE(review): the setting name has a trailing space, so app.get('periodSeconds')
// returns undefined. Check the consumer before fixing — it may carry the same typo.
app.set('periodSeconds ', periodSeconds)
app.set('io', api.io)
// Trust exactly one proxy hop: req.ip, req.protocol and secure-cookie
// decisions are derived from X-Forwarded-* as set by the nearest proxy. That
// is only safe if clients cannot reach this port directly and bypass the proxy.
app.set('trust proxy', 1)
app.set('etag', false)
app.set('x-powered-by', false)  // no X-Powered-By fingerprint (same effect as helmet.hidePoweredBy)
app.use(helmet.dnsPrefetchControl())            // X-DNS-Prefetch-Control: off
app.use(helmet.permittedCrossDomainPolicies())  // X-Permitted-Cross-Domain-Policies: none (Flash/PDF cross-domain loads)
app.use(helmet.noSniff())                       // X-Content-Type-Options: nosniff
app.use(helmet.hsts())                          // Strict-Transport-Security with helmet's default max-age — confirm the value for the helmet version in use
// NOTE(review): Express runs middleware in registration order. The routers
// below are mounted BEFORE helmet.xssFilter() and the contentSecurityPolicy()
// registered right after it, so responses from /auth, /api, /webhook and
// /config.json never receive those headers. Any HTML these routes emit (an
// auth error page, say) goes out without a CSP. Header-only middleware is
// cheap; register all of it above the routers.
app.use('/auth', auth.router)
app.use('/api', api.router)
// Webhook endpoint: confirm githubWebhook.router verifies the
// X-Hub-Signature-256 HMAC before acting on the payload (not visible here).
app.use('/webhook', githubWebhook.router)
app.get('/config.json', api.frontendConfig)
app.use(helmet.xssFilter())  // legacy X-XSS-Protection; modern browsers ignore it and helmet >=4 sets it to 0 — the CSP that follows is what matters
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ['\'self\''],
connectSrc,
styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://fonts.googleapis.com', 'https://cdn.materialdesignicons.com'],
fontSrc: ['\'self\'', 'https://fonts.gstatic.com', 'https://cdn.materialdesignicons.com'],
imgSrc,
const createServer = () => {
const server = express();
// Compressing all assets in dev slows things down.
// Only use this in production if your assets are cdn cached and proxy doesn't do br natively
if (!dev) {
server.use(shrinkRay());
}
// It is important to have real cors value so service worker caches proper response code
server.use(cors(corsOptions));
server.use(helmet()); // Basic best practice security settings
server.use(helmet.dnsPrefetchControl({allow: true})); // Performance desired in this case
server.use(helmet.hsts({includeSubDomains: false})); // Lets not force our summary domain to https
// https://github.com/zeit/next.js/pull/5727#issuecomment-441181614
// Must only use on node 8 for now ... https://github.com/zeit/next.js/pull/5727#issuecomment-443279483
server.use(Sentry.Handlers.requestHandler());
server.use(cookieParser());
server.use((req, res, next) => {
const htmlPage = !req.path.match(/^\/(_next|static)/)
&& !req.path.match(/\.(js|map)$/)
&& req.accepts("text/html", "text/css", "image/png") === "text/html";
if (!htmlPage) {
next();
return;
}
// SAML settings, all read from config.
// NOTE(review): samlCert is presumably the IdP signing certificate used to
// validate assertion signatures — make sure an empty/missing value fails
// closed (startup error) rather than silently disabling signature checks.
// samlCallbackUrl is presumably the ACS URL the IdP posts assertions to.
const samlCallbackUrl = config.get('samlCallbackUrl');
const samlCert = config.get('samlCert');
const samlAuthContext = config.get('samlAuthContext');  // requested AuthnContextClassRef, presumably — confirm
/* Express setup
============================================================================= */
const bodyParser = require('body-parser');
const favicon = require('serve-favicon');
const morgan = require('morgan');
const passport = require('passport');
const errorhandler = require('errorhandler');
const app = express();
// Default helmet protections, minus frameguard (because of sqlpad iframe embed), adding referrerPolicy.
// NOTE(review): with frameguard left out no X-Frame-Options is sent, so ANY
// site can frame this app (clickjacking), not just the intended embedder.
// Keep the embed but restrict it: a Content-Security-Policy frame-ancestors
// directive listing the embedding origins allows the iframe while keeping the
// protection. No contentSecurityPolicy() is registered in this excerpt.
app.use(helmet.dnsPrefetchControl());  // X-DNS-Prefetch-Control: off
app.use(helmet.hidePoweredBy());       // remove X-Powered-By
app.use(helmet.hsts({}));              // Strict-Transport-Security with helmet defaults
app.use(helmet.ieNoOpen());            // X-Download-Options: noopen
app.use(helmet.noSniff());             // X-Content-Type-Options: nosniff
app.use(helmet.xssFilter());           // legacy X-XSS-Protection — modern browsers ignore it; a CSP is the real control
app.use(helmet.referrerPolicy({ policy: 'same-origin' }));  // Referer never leaves the origin (query URLs may carry ids/tokens)
app.set('env', debug ? 'development' : 'production');
// errorhandler() returns full stack traces (and request details) in the
// response body. It is correctly gated on `debug`; make sure `debug` cannot
// be switched on in production deployments, or this becomes an
// information-disclosure channel.
if (debug) {
  app.use(errorhandler());
}
app.use(favicon(path.join(__dirname, '/public/favicon.ico')));
// No explicit limit, so body-parser's default (100kb in current versions —
// confirm) bounds JSON bodies; keep it that way rather than copying a large
// global limit.
app.use(bodyParser.json());
app.use(
bodyParser.urlencoded({
*/
expressApp.use(helmet.xssFilter())  // legacy X-XSS-Protection header; modern browsers ignore it and helmet >=4 sets it to 0
/****
 * Frameguard stops the page being put in a <frame> or <iframe>
 * (X-Frame-Options, the clickjacking defence).
 * NOTE(review): the statement under this comment is xssFilter() again, not
 * helmet.frameguard(); either the listing duplicated the line or the
 * frameguard() call is not visible in this excerpt — check that it is
 * actually registered.
 */
expressApp.use(helmet.xssFilter())
/****
* Frameguard stops the page being put in a or