How to use the helmet.ieNoOpen function in helmet



// Example 1: github sdelements/lets-chat — app.js (excerpt)
resave: false,
    saveUninitialized: true
};

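// Set compression before any routes
app.use(compression({ threshold: 512 }));

app.use(cookieParser());
app.io.session(session);

auth.setup(app, session, core);

// Security protections (helmet response headers).
// X-Frame-Options: SAMEORIGIN (helmet's default) — mitigates clickjacking.
app.use(helmet.frameguard());
// Drop the `X-Powered-By: Express` fingerprinting hint.
app.use(helmet.hidePoweredBy());
// X-Download-Options: noopen — only Internet Explorer honours it; harmless elsewhere.
app.use(helmet.ieNoOpen());
// X-Content-Type-Options: nosniff — stop browsers guessing MIME types.
app.use(helmet.noSniff());
// X-XSS-Protection. NOTE(review): modern browsers have removed the XSS auditor and
// newer helmet versions emit `0` for this header; rely on the CSP registered below.
app.use(helmet.xssFilter());
// Strict-Transport-Security. `includeSubDomains` (capital D) is the option name
// helmet documents; the lowercase `includeSubdomains` was an older alias and is
// the spelling the rest of this codebase avoids. With `preload: true` every
// subdomain is committed to HTTPS for the full maxAge (one year) — only submit
// to the preload list once that is actually true. `force` is a legacy hsts
// option; newer helmet versions always send the header — TODO confirm against
// the installed helmet version.
app.use(helmet.hsts({
    maxAge: 31536000,
    includeSubDomains: true,
    force: httpsEnabled,
    preload: true
}));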
app.use(helmet.contentSecurityPolicy({
    defaultSrc: ['\'none\''],
    connectSrc: ['*'],
    scriptSrc: ['\'self\'', '\'unsafe-eval\''],
    styleSrc: ['\'self\'', 'fonts.googleapis.com', '\'unsafe-inline\''],
    fontSrc: ['\'self\'', 'fonts.gstatic.com'],
    mediaSrc: ['\'self\''],
    objectSrc: ['\'self\''],
// Example 2: github Jacky-fe/react-isomorphic-skeleton — src/server.js (excerpt)
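global.config = config;
// view engine setup
app.set('views', `${__dirname}/views`);
app.set('view engine', 'ejs');
app.use(morgan('dev'));
// Makes req/res retrievable from anywhere; see https://github.com/Jacky-fe/express-httpcontext
app.use(contextMiddleware);
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({
  extended: false,
}));
// Collapse duplicated query parameters (HTTP parameter pollution).
app.use(hpp());
// Content-Security-Policy comes from config; it must already be in helmet's
// option shape for the installed version (e.g. a `directives` map) — TODO confirm.
app.use(helmet.contentSecurityPolicy(config.csp));
// X-XSS-Protection. NOTE(review): modern browsers have removed the XSS auditor and
// newer helmet versions emit `0` for this header; the CSP above is the real control.
app.use(helmet.xssFilter());
// X-Frame-Options: DENY. Pass the options object rather than the bare string
// 'deny': the string form is a deprecated frameguard shorthand, and on newer
// helmet versions a string argument has no `action` property, so the header
// may silently fall back to SAMEORIGIN — the object form works on every version.
app.use(helmet.frameguard({ action: 'deny' }));
// X-Download-Options: noopen — only Internet Explorer honours it; harmless elsewhere.
app.use(helmet.ieNoOpen());
// X-Content-Type-Options: nosniff — stop browsers guessing MIME types.
app.use(helmet.noSniff());
app.use(cookieParser());
app.use(express.static(path.join(__dirname, './static')));
// API
app.use('/api/v0/posts', require('./api/posts').default);
app.use('/api/v0/post', require('./api/post').default);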
// core render
app.get('*', async (req, res, next) => {
  const store = configureStore();
  const routes = createRoutes(store);
  const history = createMemoryHistory(req.path);
  const { dispatch } = store;
  try{
    match({ routes, history }, async (error, redirectLocation, renderProps) => {
      if (error){
        next(error);
// Example 3: github strues/boldr — packages/backend/src/middleware/initSecurity.js (excerpt; enclosing function starts and ends outside this view)
}

  // The xssFilter middleware sets the X-XSS-Protection header, historically used
  // to enable the browser's reflected-XSS auditor. NOTE(review): modern browsers
  // have removed that auditor and newer helmet versions send `0` for this header
  // (the filter itself caused information leaks); rely on Content-Security-Policy.
  // @see https://helmetjs.github.io/docs/xss-filter/
  app.use(helmet.xssFilter());

  // Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
  // The intent here is to allow embedding, but `helmet.frameguard('false')` does
  // not disable the header: frameguard takes `{ action: 'deny' | 'sameorigin' | ... }`
  // and 'false' is not a valid action (older versions reject an unknown action at
  // startup; newer ones ignore the string and emit SAMEORIGIN). To permit embedding,
  // omit this middleware and scope framing with a CSP `frame-ancestors` directive
  // instead — TODO confirm against the installed helmet version.
  // @see https://helmetjs.github.io/docs/frameguard/
  app.use(helmet.frameguard('false'));

  // Sets X-Download-Options: noopen to prevent Internet Explorer from executing
  // downloads in your site’s context. Only Internet Explorer honours this header;
  // it is harmless on other browsers.
  // @see https://helmetjs.github.io/docs/ienoopen/
  app.use(helmet.ieNoOpen());
  // Strict-Transport-Security: https://github.com/helmetjs/hsts
  app.use(
    helmet.hsts({
      maxAge: ms(hstsMA) / 1000,
      includeSubdomains: true,
      preload: true,
    }),
  );
  // Public-Key-Pins: https://github.com/helmetjs/hpkp
  // NOTE(review): HPKP is deprecated — mainstream browsers dropped support and
  // helmet removed `hpkp` in later major versions. A mis-pinned key set locks
  // users out for the whole maxAge; prefer Certificate Transparency monitoring.
  // Confirm the helmet version in use still exports hpkp before relying on this.
  app.use(
    helmet.hpkp({
      maxAge: ms(hstsMA) / 1000,
      sha256s: [
        'ENbaVbZki8BGBCq0jIUE8SJqvBnWf6CL8hkf4GYsg0A=',
        'E+nXO/0USWdc+uY6Q9iK9lfS99qFMgwk30N4vRV2XHI=',
      ],
// Example 4: github strues/boldr — packages/server/src/middleware/initSecurity.js (excerpt; enclosing function starts and ends outside this view)
}

  // The xssFilter middleware sets the X-XSS-Protection header, historically used
  // to enable the browser's reflected-XSS auditor. NOTE(review): modern browsers
  // have removed that auditor and newer helmet versions send `0` for this header
  // (the filter itself caused information leaks); rely on Content-Security-Policy.
  // @see https://helmetjs.github.io/docs/xss-filter/
  app.use(helmet.xssFilter());

  // Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
  // The intent here is to allow embedding, but `helmet.frameguard('false')` does
  // not disable the header: frameguard takes `{ action: 'deny' | 'sameorigin' | ... }`
  // and 'false' is not a valid action (older versions reject an unknown action at
  // startup; newer ones ignore the string and emit SAMEORIGIN). To permit embedding,
  // omit this middleware and scope framing with a CSP `frame-ancestors` directive
  // instead — TODO confirm against the installed helmet version.
  // @see https://helmetjs.github.io/docs/frameguard/
  app.use(helmet.frameguard('false'));

  // Sets X-Download-Options: noopen to prevent Internet Explorer from executing
  // downloads in your site’s context. Only Internet Explorer honours this header;
  // it is harmless on other browsers.
  // @see https://helmetjs.github.io/docs/ienoopen/
  app.use(helmet.ieNoOpen());
  // Strict-Transport-Security: https://github.com/helmetjs/hsts
  app.use(
    helmet.hsts({
      maxAge: ms(hstsMA) / 1000,
      includeSubdomains: true,
      preload: true,
    }),
  );
  // Public-Key-Pins: https://github.com/helmetjs/hpkp
  // NOTE(review): HPKP is deprecated — mainstream browsers dropped support and
  // helmet removed `hpkp` in later major versions. A mis-pinned key set locks
  // users out for the whole maxAge; prefer Certificate Transparency monitoring.
  // Confirm the helmet version in use still exports hpkp before relying on this.
  app.use(
    helmet.hpkp({
      maxAge: ms(hstsMA) / 1000,
      sha256s: [
        'ENbaVbZki8BGBCq0jIUE8SJqvBnWf6CL8hkf4GYsg0A=',
        'E+nXO/0USWdc+uY6Q9iK9lfS99qFMgwk30N4vRV2XHI=',
      ],
// Example 5: github withspectrum/spectrum — shared/middlewares/security.js (excerpt; enclosing function starts and ends outside this view)
// Prevent HTTP Parameter pollution.
  server.use(hpp());

  // The xssFilter middleware sets the X-XSS-Protection header, historically used
  // to enable the browser's reflected-XSS auditor. NOTE(review): modern browsers
  // have removed that auditor and newer helmet versions send `0` for this header
  // (the filter itself caused information leaks); rely on the CSP set up below.
  // @see https://helmetjs.github.io/docs/xss-filter/
  server.use(helmet.xssFilter());

  // Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
  // @see https://helmetjs.github.io/docs/frameguard/
  server.use(helmet.frameguard('deny'));

  // Sets X-Download-Options: noopen to prevent Internet Explorer from executing
  // downloads in your site’s context. Only Internet Explorer honours this header;
  // it is harmless on other browsers.
  // @see https://helmetjs.github.io/docs/ienoopen/
  server.use(helmet.ieNoOpen());

  // Don’t Sniff Mimetype middleware, noSniff, helps prevent browsers from trying
  // to guess (“sniff”) the MIME type, which can have security implications. It
  // does this by setting the X-Content-Type-Options header to nosniff.
  // @see https://helmetjs.github.io/docs/dont-sniff-mimetype/
  server.use(helmet.noSniff());

  if (enableNonce) {
    // Attach a unique "nonce" to every response. This allows us to declare
    // specific inline scripts as safe to execute under our content security policy
    // (the nonce must be unpredictable and freshly generated per response).
    // @see https://helmetjs.github.io/docs/csp/
    server.use(
      (
        request: express$Request,
        response: express$Response,
        next: express$NextFunction
// Example 6: github weareopensource/Node — lib/services/express.js
/**
 * Register helmet's header-hardening middleware on an Express app and drop the
 * X-Powered-By header. Registration order is preserved: X-Frame-Options,
 * X-XSS-Protection, X-Content-Type-Options, X-Download-Options, then HSTS.
 *
 * @param {object} app - Express application (must expose `use` and `disable`).
 * @returns {void}
 */
module.exports.initHelmetHeaders = (app) => {
  // Six months expressed in milliseconds (≈ 182.6 days × 86 400 000).
  // NOTE(review): helmet's hsts has taken `maxAge` in *seconds* since v3 (it was
  // milliseconds in older releases); interpreted as seconds this is ~500 years,
  // and `force` is a legacy hsts option — confirm both against the installed
  // helmet version.
  const SIX_MONTHS = 15778476000;
  // Each entry builds one middleware; it is built right before it is registered.
  const hardeners = [
    () => helmet.frameguard(),
    () => helmet.xssFilter(),
    () => helmet.noSniff(),
    () => helmet.ieNoOpen(),
    () =>
      helmet.hsts({
        maxAge: SIX_MONTHS,
        includeSubDomains: true,
        force: true,
      }),
  ];
  for (const build of hardeners) {
    app.use(build());
  }
  // Express' own switch for the X-Powered-By header.
  app.disable('x-powered-by');
};
// Example 7: github mike-engel/bkmrkd — config/middleware.js (excerpt; enclosing function starts outside this view)
directives: {
        defaultSrc: ["'self'"],
        scriptSrc: ["'self'", "'unsafe-inline'"],
        styleSrc: ["'self'"],
        imgSrc: ["'none'"],
        connectSrc: ["'self'", "ws:", "wss:"],
        fontSrc: ["'none'"],
        objectSrc: ["'none'"],
        mediaSrc: ["'none'"],
        frameSrc: ["'none'"]
      }
    })
  );
  app.use(helmet.xssFilter());
  app.use(helmet.frameguard("deny"));
  app.use(helmet.ieNoOpen());
  app.use(helmet.noSniff());
};
// Example 8: github Soluto/tweek — services/editor/server/createServer.js (excerpt; enclosing function starts outside this view)
server.use(
    helmet.contentSecurityPolicy({
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'"],
      imgSrc: ["'self'"],
      connectSrc: ["'self'", 'ws:'],
      fontSrc: ["'self'"],
      objectSrc: ["'none'"],
      mediaSrc: ["'none'"],
      frameSrc: ["'none'"],
    }),
  );
  server.use(helmet.xssFilter());
  server.use(helmet.frameguard('deny'));
  server.use(helmet.ieNoOpen());
  server.use(helmet.noSniff());
}
// Example 9: github tvvignesh/node-skeleton — dist/config/express.js (excerpt; enclosing function starts and ends outside this view)
else if (process.env.NODE_ENV === 'secure') {
        let morgan = require('morgan');
        app.use(morgan('dev'));
    }
    app.use(bodyParser.urlencoded({
        extended: true
    }));
    app.use(bodyParser.json());
    app.use(xss());
    app.use(methodOverride());
    app.use(helmet({
        frameguard: false
    }));
    app.use(helmet.xssFilter());
    app.use(helmet.noSniff());
    app.use(helmet.ieNoOpen());
    app.disable('x-powered-by');
    app.use(function (req, res, next) {
        res.header('Access-Control-Allow-Origin', '*');
        res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept');
        res.removeHeader('X-Frame-Options');
        next();
    });
    app.set('jsonp callback', true);
    if (config_1.config.toggle.apidoc) {
        const swaggerDocument = YAML.load(path.join(__dirname, '../../apidoc.yaml'));
        app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerDocument));
    }
    glob.sync('./**/routes/**/*.js').forEach(function (routePath) {
        require(path.resolve(routePath))(app);
    });
    app.use(express.static(path.join(__dirname, '../app/public')));