export default (DI, app, config) => {
app.use(helmet.csp({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:"],
reportUri: `${config.cspReportUrl}`,
},
}));
app.use(helmet.xssFilter());
app.use(helmet.noSniff());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
// Force convert parameters to strings
app.use((req, res, next) => {
req.body = _.mapValues(req.body, v => String(v));
req.query = _.mapValues(req.query, v => String(v));
next();
});
app.use(expressValidator());
// Expose CSRF token to view
app.use(csrf());
app.use((req, res, next) => {
if (req.csrfToken) {
res.locals.csrfToken = req.csrfToken();
app.locals.captchaId = 0
app.locals.captchaReqId = 1
app.locals.captchaBypassReqTimes = []
app.locals.abused_ssti_bug = false
app.locals.abused_ssrf_bug = false
/* Compression for all requests */
app.use(compression())
/* Bludgeon solution for possible CORS problems: Allow everything! */
app.options('*', cors())
app.use(cors())
/* Security middleware */
app.use(helmet.noSniff())
app.use(helmet.frameguard())
// app.use(helmet.xssFilter()); // = no protection from persisted XSS via RESTful API
/* Remove duplicate slashes from URL which allowed bypassing subsequent filters */
app.use((req, res, next) => {
req.url = req.url.replace(/[/]+/g, '/')
next()
})
/* Security Policy */
app.get('/.well-known/security.txt', verify.accessControlChallenges())
app.use('/.well-known/security.txt', securityTxt({
contact: config.get('application.securityTxt.contact'),
encryption: config.get('application.securityTxt.encryption'),
acknowledgements: config.get('application.securityTxt.acknowledgements')
}))
}
: null;
if (enableCSP) {
app.use(helmet.contentSecurityPolicy(cspConfig));
}
// The xssFilter middleware sets the X-XSS-Protection header to prevent
// reflected XSS attacks.
// @see https://helmetjs.github.io/docs/xss-filter/
app.use(helmet.xssFilter());
// Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
// We disable this for embedding
// @see https://helmetjs.github.io/docs/frameguard/
app.use(helmet.frameguard('false'));
// Sets the X-Download-Options to prevent Internet Explorer from executing
// downloads in your site’s context.
// @see https://helmetjs.github.io/docs/ienoopen/
app.use(helmet.ieNoOpen());
// Strict-Transport-Security: https://github.com/helmetjs/hsts
app.use(
helmet.hsts({
maxAge: ms(hstsMA) / 1000,
includeSubdomains: true,
preload: true,
}),
);
// Public-Key-Pins: https://github.com/helmetjs/hpkp
app.use(
helmet.hpkp({
/**
 * Mounts helmet's frameguard middleware (X-Frame-Options) so the
 * application cannot be placed in an iframe, when the
 * `security.frameguard` configuration check reports the feature enabled.
 *
 * @param app - Express application the middleware is mounted on.
 */
private frameguardConfiguration(app) {
  const frameguardEnabled = checkSecurityConfiguration(
    "security.frameguard", true, "frameguard", SecurityMiddleware.logger);
  if (!frameguardEnabled) {
    return;
  }
  // Header action ("deny" unless configured otherwise) and a second value
  // that, by its name, is presumably the ALLOW-FROM origin.
  const mode = utils.config.getOrDefault("security.frameguard.mode", "deny");
  const allowFromPattern = utils.config.getOrDefault("security.frameguard.allowFromPattern", "");
  // NOTE(review): this is the legacy two-argument frameguard(action, domain)
  // signature; current helmet releases take an options object such as
  // `{ action: "deny" }` — confirm against the installed helmet version.
  // ALLOW-FROM is not honoured by modern browsers, so a CSP
  // `frame-ancestors` directive is the reliable way to permit a framing origin.
  app.use(helmet.frameguard(mode, allowFromPattern));
}
// Content Security Policy
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self' 'unsafe-inline' 'unsafe-eval'", 'cdn.polyfill.io'],
styleSrc: ["'self' 'unsafe-inline'", 'fonts.googleapis.com', 'blob:;'],
imgSrc: ["'self' 'unsafe-inline'", 'data:;'],
connectSrc: ["'self'", 'ws:', 'swapi.co'],
fontSrc: ["'self'", 'fonts.gstatic.com'],
objectSrc: ["'none'"],
mediaSrc: ["'none'"],
frameSrc: ["'none'"],
},
}));
app.use(helmet.xssFilter());
app.use(helmet.frameguard('deny'));
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
// Set view engine
app.use(compression());
app.use(express.static('./src/assets/favicon'));
app.use(express.static('./build'));
// Route handler that rules them all!
app.get('*', (req, res, next) => {
res.set('content-type', 'text/html');
// Some debugging info
debug(color.cyan('http'), '%s - %s %s', req.ip, req.method, req.url);
/**
 * Assembles, in mount order, the request-hardening middleware chain:
 * the nonce middleware, the HTTP Parameter Pollution guard and the helmet
 * response-header middlewares.
 *
 * @returns {Array} middleware functions in the order they must be mounted.
 */
function buildSecurityMiddleware() {
  const chain = [];
  // nonceMiddleware is declared outside this snippet; by its name it is
  // presumably the per-request CSP nonce setter — verify in this module.
  chain.push(nonceMiddleware);
  // Prevent HTTP Parameter Pollution.
  // @see http://bit.ly/2f8q7Td
  chain.push(hpp());
  // Sets the X-XSS-Protection header against reflected XSS.
  // @see https://helmetjs.github.io/docs/xss-filter/
  chain.push(helmet.xssFilter());
  // Sets X-Frame-Options: DENY to mitigate clickjacking.
  // @see https://helmetjs.github.io/docs/frameguard/
  // NOTE(review): the string argument is the legacy frameguard signature;
  // current helmet releases expect `{ action: 'deny' }` — confirm against the
  // installed helmet version.
  chain.push(helmet.frameguard('deny'));
  // Sets X-Download-Options so Internet Explorer does not execute downloads
  // in the site's context.
  // @see https://helmetjs.github.io/docs/ienoopen/
  chain.push(helmet.ieNoOpen());
  // Sets X-Content-Type-Options: nosniff so browsers do not guess the MIME type.
  // @see https://helmetjs.github.io/docs/dont-sniff-mimetype/
  chain.push(helmet.noSniff());
  return chain;
}

const securityMiddleware = buildSecurityMiddleware();

export default (securityMiddleware: Array);
childSrc: [ "'self'" ]
}
} : null
if (cspConfig) {
server.use(helmet.contentSecurityPolicy(cspConfig))
}
// The xssFilter middleware sets the X-XSS-Protection header to prevent
// reflected XSS attacks.
// @see https://helmetjs.github.io/docs/xss-filter/
server.use(helmet.xssFilter())
// Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
// @see https://helmetjs.github.io/docs/frameguard/
server.use(helmet.frameguard("deny"))
// Sets the X-Download-Options to prevent Internet Explorer from executing
// downloads in your site’s context.
// @see https://helmetjs.github.io/docs/ienoopen/
server.use(helmet.ieNoOpen())
// Don’t Sniff Mimetype middleware, noSniff, helps prevent browsers from trying
// to guess (“sniff”) the MIME type, which can have security implications. It
// does this by setting the X-Content-Type-Options header to nosniff.
// @see https://helmetjs.github.io/docs/dont-sniff-mimetype/
server.use(helmet.noSniff())
if (customMiddleware)
customMiddleware.forEach(
(middleware) => {
if (middleware instanceof Array)
defaultSrc: ["'self'"]
},
reportOnly: false,
setAllHeaders: false,
disableAndroid: false,
browserSniff: true
}))
/****
* xssFilter header FWIW
* https://github.com/helmetjs/helmet#xss-filter-xssfilter
*/
expressApp.use(helmet.xssFilter())
/****
* Frameguard stops the page being put in a or
}
if (isEnabled('cookies')) {
router.use(cookies(config.get('cookies')));
}
if (isEnabled('cors')) {
router.use(cors(config.get('cors')));
}
if (isEnabled('xssFilter')) {
router.use(helmet.xssFilter());
}
if (isEnabled('frameguard')) {
router.use(helmet.frameguard());
}
if (isEnabled('hidePoweredBy')) {
router.use(helmet.hidePoweredBy());
}
if (isEnabled('ieNoOpen')) {
router.use(helmet.ieNoOpen());
}
if (isEnabled('noSniff')) {
router.use(helmet.noSniff());
}
}