How to use the helmet.noSniff function in helmet

To help you get started, we’ve selected a few helmet examples, based on popular ways it is used in public projects.


Example: react-in-action / letters-social / server / server.js
import { routes } from '../src/routes';
import { loginSuccess } from '../src/actions/auth';
import { getPostsForPage } from '../src/actions/posts';
import { createError } from '../src/actions/error';

// Create the express app and the API backend that is mounted under /api below.
const app = express();
const backend = DB();

// Boilerplate middleware. Express runs these in registration order, so the
// response-hardening headers below are set before any route further down can
// end the response.
app.use(logger(__PRODUCTION__ ? 'combined' : 'dev'));
// X-XSS-Protection header; setOnOldIE also sends it to old IE versions that
// helmet otherwise skips. NOTE(review): newer helmet releases send "0" to turn
// the browser filter off instead — confirm against the installed version.
app.use(helmet.xssFilter({ setOnOldIE: true }));
app.use(responseTime());
// X-Frame-Options with helmet's default action (no argument is given here).
app.use(helmet.frameguard());
// X-Download-Options: noopen — IE will not execute downloads in the site's context.
app.use(helmet.ieNoOpen());
// X-Content-Type-Options: nosniff — browsers honour the declared Content-Type
// instead of guessing it from the body.
app.use(helmet.noSniff());
// Replaces the X-Powered-By value with a decoy rather than removing the header;
// app.disable('x-powered-by') is the Express-native way to drop it entirely.
app.use(helmet.hidePoweredBy({ setTo: 'react' }));
app.use(compression());
app.use(cookieParser());
// No explicit size limit is passed, so body-parser's default limit applies.
app.use(bodyParser.json());
// HTTP Parameter Pollution guard, registered after the body parser so parsed
// parameters are available to it.
app.use(hpp());
// CORS restricted to whatever origin list the configuration provides.
app.use(cors({ origin: config.get('ORIGINS') }));

// Other route handlers
app.use('/api', backend);
app.use('/static', express.static(resolve(__dirname, '..', 'static')));
app.use(favicon(resolve(__dirname, '..', 'static', 'assets', 'meta', 'favicon.ico')));
app.use('*', (req, res) => {
    // Use React Router to match the incoming URL to a path
    match({ routes: routes, location: req.originalUrl }, async (err, redirectLocation, props) => {
        // Only redirect if necessary and if the user isn't on the login page (to prevent a loop)
        if (redirectLocation && req.originalUrl !== '/login') {
Example: sebastian-software / edge / packages / edge-core / src / server / createExpressServer.js
// X-XSS-Protection header (legacy browser XSS auditor).
server.use(helmet.xssFilter())

  // Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
  // "deny" refuses framing by every origin, the site's own included.
  // NOTE(review): the bare-string argument is the older frameguard API; newer
  // helmet versions take an options object such as { action: "deny" } —
  // confirm against the installed version.
  // @see https://helmetjs.github.io/docs/frameguard/
  server.use(helmet.frameguard("deny"))

  // Sets the X-Download-Options to prevent Internet Explorer from executing
  // downloads in your site’s context.
  // @see https://helmetjs.github.io/docs/ienoopen/
  server.use(helmet.ieNoOpen())

  // Don’t Sniff Mimetype middleware, noSniff, helps prevent browsers from trying
  // to guess (“sniff”) the MIME type, which can have security implications. It
  // does this by setting the X-Content-Type-Options header to nosniff. This
  // relies on every response declaring a correct Content-Type, since browsers
  // will no longer correct a wrong one.
  // @see https://helmetjs.github.io/docs/dont-sniff-mimetype/
  server.use(helmet.noSniff())

  // Optional caller-supplied middleware, mounted after the helmet headers above.
  // An array entry is spread into server.use(), so it may carry a mount path as
  // its first element (e.g. ['/path', handler]); anything else is mounted as-is.
  if (customMiddleware) {
    customMiddleware.forEach((entry) => {
      const useArgs = entry instanceof Array ? entry : [entry]
      server.use(...useArgs)
    })
  }

  // Parse cookies via standard express tooling. No secret is passed, so
  // presumably only req.cookies is populated and signed cookies cannot be
  // verified — confirm if signed cookies are used anywhere.
  server.use(cookieParser())

  // Detect client locale and match it with configuration
  server.use(createLocaleMiddleware({
Example: gardener / dashboard / backend / lib / app.js
}

// configure app
const app = express()
app.set('port', port)
app.set('logger', logger)
app.set('healthCheck', healthCheck)
// NOTE(review): this key carries a trailing space ('periodSeconds '), so an
// app.get('periodSeconds') elsewhere would return undefined — verify how the
// readers spell it.
app.set('periodSeconds ', periodSeconds)
app.set('io', api.io)
// Trust exactly one proxy hop: X-Forwarded-* from the first upstream proxy is
// used for req.ip / req.protocol. Keep this equal to the real hop count.
app.set('trust proxy', 1)
// No ETag generation on responses.
app.set('etag', false)
// Drops the X-Powered-By header at the Express level (no helmet.hidePoweredBy needed).
app.set('x-powered-by', false)

// Response-hardening headers, registered before the routers so every response
// they end still carries them.
app.use(helmet.dnsPrefetchControl())           // X-DNS-Prefetch-Control
app.use(helmet.permittedCrossDomainPolicies()) // X-Permitted-Cross-Domain-Policies
app.use(helmet.noSniff())                      // X-Content-Type-Options: nosniff
app.use(helmet.hsts())                         // Strict-Transport-Security, helmet defaults
app.use('/auth', auth.router)
app.use('/api', api.router)
app.use('/webhook', githubWebhook.router)
app.get('/config.json', api.frontendConfig)

// NOTE(review): registered after the routers above, so a response those routers
// end never passes through it and is sent without X-XSS-Protection; move it up
// next to noSniff if that is not intended.
app.use(helmet.xssFilter())
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ['\'self\''],
    connectSrc,
    styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://fonts.googleapis.com', 'https://cdn.materialdesignicons.com'],
    fontSrc: ['\'self\'', 'https://fonts.gstatic.com', 'https://cdn.materialdesignicons.com'],
    imgSrc,
    scriptSrc: ['\'self\'', '\'unsafe-eval\''],
    frameAncestors: ['\'none\'']
Example: sebastian-software / edge / packages / edge-builder / src / express / createExpressServer.js
// X-XSS-Protection header (legacy browser XSS auditor).
server.use(helmet.xssFilter())

  // Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
  // "deny" refuses framing by every origin, the site's own included.
  // NOTE(review): the bare-string argument is the older frameguard API; newer
  // helmet versions take an options object such as { action: "deny" } —
  // confirm against the installed version.
  // @see https://helmetjs.github.io/docs/frameguard/
  server.use(helmet.frameguard("deny"))

  // Sets the X-Download-Options to prevent Internet Explorer from executing
  // downloads in your site’s context.
  // @see https://helmetjs.github.io/docs/ienoopen/
  server.use(helmet.ieNoOpen())

  // Don’t Sniff Mimetype middleware, noSniff, helps prevent browsers from trying
  // to guess (“sniff”) the MIME type, which can have security implications. It
  // does this by setting the X-Content-Type-Options header to nosniff. This
  // relies on every response declaring a correct Content-Type, since browsers
  // will no longer correct a wrong one.
  // @see https://helmetjs.github.io/docs/dont-sniff-mimetype/
  server.use(helmet.noSniff())

  // Optional caller-supplied middleware, mounted after the helmet headers above.
  // An array entry is spread into server.use(), so it may carry a mount path as
  // its first element (e.g. ['/path', handler]); anything else is mounted as-is.
  if (customMiddleware) {
    customMiddleware.forEach((entry) => {
      const useArgs = entry instanceof Array ? entry : [entry]
      server.use(...useArgs)
    })
  }

  // Parse cookies via standard express tooling. No secret is passed, so
  // presumably only req.cookies is populated and signed cookies cannot be
  // verified — confirm if signed cookies are used anywhere.
  server.use(cookieParser())

  // Detect client locale and match it with configuration
  server.use(createLocaleMiddleware({
Example: dlebedynskyi / react-playground / src / server / server.js
// X-XSS-Protection header (legacy browser XSS auditor).
server.use(helmet.xssFilter());

  // Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
  // 'deny' refuses framing by every origin, the site's own included.
  // NOTE(review): the bare-string argument is the older frameguard API; newer
  // helmet versions take an options object such as { action: 'deny' } —
  // confirm against the installed version.
  // @see https://helmetjs.github.io/docs/frameguard/
  server.use(helmet.frameguard('deny'));

  // Sets the X-Download-Options to prevent Internet Explorer from executing
  // downloads in your site’s context.
  // @see https://helmetjs.github.io/docs/ienoopen/
  server.use(helmet.ieNoOpen());

  // Don’t Sniff Mimetype middleware, noSniff, helps prevent browsers from trying
  // to guess (“sniff”) the MIME type, which can have security implications. It
  // does this by setting the X-Content-Type-Options header to nosniff. This
  // relies on every response declaring a correct Content-Type, since browsers
  // will no longer correct a wrong one.
  // @see https://helmetjs.github.io/docs/dont-sniff-mimetype/
  server.use(helmet.noSniff());

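  // Response compression. NOTE(review): compressing responses that reflect
  // request-controlled input next to secrets (tokens, CSRF values) is the
  // precondition for compression side-channel attacks; exclude such responses
  // if any exist.
  server.use(compression());
  server.enable('view cache');
  server.enable('strict routing');

  setRoutes(config, getAssets);
  server.use('/', routingApp);
  // Don't advertise the framework in the X-Powered-By response header.
  // Express setting names are plain-object keys and therefore case-sensitive:
  // Express checks 'x-powered-by', so the previous 'X-Powered-By' spelling was
  // a no-op and the header was still being sent.
  server.disable('x-powered-by');

  return server;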
};
Example: mikesparr / typescript-postgres-auth-example / src / app.ts
  /**
   * Registers helmet's response-hardening middleware on the Express app.
   * Each helmet.* factory returns one middleware; they are mounted in the
   * listed order.
   * NOTE(review): noCache was dropped in later helmet major versions — confirm
   * against the installed version.
   */
  private initializeSecurity() {
    const hardeningMiddleware = [
      helmet.noCache(),        // no-cache response headers
      helmet.frameguard(),     // X-Frame-Options (clickjacking), helmet default action
      helmet.hidePoweredBy(),  // removes X-Powered-By
      helmet.hsts(),           // Strict-Transport-Security, helmet defaults
      helmet.ieNoOpen(),       // X-Download-Options: noopen
      helmet.noSniff(),        // X-Content-Type-Options: nosniff
      helmet.xssFilter(),      // X-XSS-Protection
    ];
    hardeningMiddleware.forEach((middleware) => this.app.use(middleware));
  }
Example: wireapp / wire-webapp / server / Server.ts
private initSecurityHeaders() {
    // Drop the X-Powered-By header at the Express level.
    this.app.disable('x-powered-by');
    // helmet() mounts its default header bundle; frameguard is overridden here
    // to X-Frame-Options: DENY (no framing at all, not even same-origin).
    this.app.use(
      helmet({
        frameguard: {action: 'deny'},
      }),
    );
    // NOTE(review): in the helmet versions I know, helmet() above already
    // includes noSniff, xssFilter and hsts; these explicit calls set the same
    // headers again (last write wins), so the hsts options below are the
    // effective ones — confirm against the installed version.
    this.app.use(helmet.noSniff());
    this.app.use(helmet.xssFilter());
    // One-year HSTS covering all subdomains, with the preload flag.
    // preload: true signals eligibility for the browser preload list; once
    // listed, every subdomain must serve HTTPS and removal is slow, so only keep
    // the flag if that commitment is intended.
    this.app.use(
      helmet.hsts({
        includeSubDomains: true,
        maxAge: 31536000,
        preload: true,
      }),
    );
    this.app.use(
      helmet.contentSecurityPolicy({
        browserSniff: true,
        directives: this.config.SERVER.CSP,
        disableAndroid: false,
        loose: !this.config.SERVER.DEVELOPMENT,
        reportOnly: false,
        setAllHeaders: false,
Example: huluoyang / freecodecamp.cn / app.js
// Server-side sessions backed by MongoDB; the signing secret and the database
// URL come from the secrets module rather than from source.
// NOTE(review): resave: true rewrites unchanged sessions on every request and
// saveUninitialized: true persists a session for every visitor, logged in or
// not; express-session recommends false for both unless the store needs
// otherwise. No cookie options are set either, so the session cookie uses
// express-session's defaults (not marked Secure) — confirm this is intended.
app.use(session({
    resave: true,
    saveUninitialized: true,
    secret: secrets.sessionSecret,
    store: new MongoStore({
        url: secrets.db,
        'autoReconnect': true
    })
}));
app.use(passport.initialize());
app.use(passport.session());
app.use(flash());
// Drop the X-Powered-By header at the Express level.
app.disable('x-powered-by');

app.use(helmet.xssFilter()); // X-XSS-Protection
app.use(helmet.noSniff());   // X-Content-Type-Options: nosniff
// NOTE(review): xframe is the legacy name of frameguard (X-Frame-Options);
// later helmet versions expose only frameguard — confirm against the installed version.
app.use(helmet.xframe());
// Permissive CORS: every response allows any origin. A wildcard origin cannot be
// combined with credentials, so browsers will not attach the session cookie to
// cross-origin requests; only the listed request headers are allowed.
// OPTIONS preflights are not short-circuited here — they fall through to the routes.
app.use(function(req, res, next) {
    res.header("Access-Control-Allow-Origin", "*");
    res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
    next();
});

var trusted = [
    "'self'",
    '*.freecodecamp.com',
    '*.gstatic.com',
    '*.google-analytics.com',
    '*.googleapis.com',
    '*.google.com',
    '*.gstatic.com',
    '*.doubleclick.net',
Example: denali-js / core / dist / runtime / application.js
router.use(requestid());
    router.use(this.loggerMiddleware());
    // `|| {}` already guarantees an object, so the `securityConfig &&` guard
    // below is redundant.
    let securityConfig = this.config.security || {};
    // Content-Security-Policy built from config.security.csp with a report
    // endpoint merged in. Enforced everywhere except development, where it is
    // report-only.
    // NOTE(review): reportUri always points at /_report-csp-violations, but that
    // route is only registered in development (below); in other environments
    // violation reports hit a route not defined here — confirm it is handled
    // elsewhere. helmet.csp and disableAndroid are older helmet API names —
    // confirm against the installed version.
    router.use(helmet.csp({
      directives: merge({ reportUri: '/_report-csp-violations' }, securityConfig && securityConfig.csp),
      reportOnly: this.environment === 'development',
      disableAndroid: true
    }));
    if (this.environment === 'development') {
      // Sink for CSP violation reports; the payload is discarded.
      router.post('/_report-csp-violations', (req, res) => { res.sendStatus(200); });
    }
    router.use(helmet.xssFilter());     // X-XSS-Protection
    router.use(helmet.frameguard());    // X-Frame-Options, helmet default action
    router.use(helmet.hidePoweredBy()); // removes X-Powered-By
    router.use(helmet.ieNoOpen());      // X-Download-Options: noopen
    router.use(helmet.noSniff());       // X-Content-Type-Options: nosniff
    router.use(compression());
    // cors() receives whatever config.security.cors holds; when that is
    // undefined, the cors package presumably falls back to its own permissive
    // defaults — TODO confirm the deployed configuration sets it.
    router.use(cors(securityConfig.cors));
    router.use(cookies());
    router.use(blackburn({
      adapters: this.container.lookupType('adapters'),
      serializers: this.container.lookupType('serializers')
    }));

    if (securityConfig.requireSSL) {
      // Force HTTPS when config.security.requireSSL is set. The options object
      // is attached to res.locals per request before delegating to forceSSL,
      // which presumably reads it from there — verify against the forceSSL
      // implementation. enable301Redirects mirrors config.security.redirectToSSL.
      const requireHttps = (req, res, next) => {
        const locals = res.locals || {};
        locals.forceSSLOptions = { enable301Redirects: securityConfig.redirectToSSL };
        res.locals = locals;
        forceSSL(req, res, next);
      };
      router.use(requireHttps);
    }
Example: stefanteixeira / fav-organizer / config / express.js
// Lets clients turn a POST into PUT/DELETE via the method-override conventions.
app.use(require('method-override')());

	app.use(cookieParser());
	// NOTE(review): the session secret is a literal in source, so anyone with
	// access to the repository can forge session cookies — load it from
	// configuration or the environment instead. No store is passed, so
	// express-session's in-memory default applies, and resave/saveUninitialized
	// are both true, which express-session advises against.
	app.use(session(
		{
			secret: 'fav-organizer',
			resave: true,
			saveUninitialized: true
		}
	));
	app.use(passport.initialize());
	app.use(passport.session());

	// Response-hardening headers. NOTE(review): xframe is the legacy name of
	// frameguard (X-Frame-Options); later helmet versions expose only frameguard.
	app.use(helmet.xframe());
	app.use(helmet.xssFilter());  // X-XSS-Protection
	app.use(helmet.noSniff());    // X-Content-Type-Options: nosniff
	// Drop the X-Powered-By header at the Express level.
	app.disable('x-powered-by');

	load('models', {cwd: 'app'})
    .then('controllers')
    .then('routes')
    .into(app);

	// Catch-all 404 after the routes loaded above.
	app.get('*', function(req, res) {
		res.status(404).render('404');
	});

	return app;
};