How to use the helmet.nosniff function in helmet

To help you get started, we’ve selected a few helmet examples, based on popular ways it is used in public projects.


github duyetdev / node-rtb-server / server.js
}));
	
	app.use(bodyParser.json());
	app.use(compression({level: 9})); //use compression 
	app.use(methodOverride());

	// CookieParser should be above session
	app.use(cookieParser());

	// connect flash for flash messages
	//app.use(flash());

	// Use helmet to secure Express headers
	// app.use(helmet.xframe());
	app.use(helmet.xssFilter());
	app.use(helmet.nosniff());
	app.use(helmet.ienoopen());
	app.disable('x-powered-by');

	app.use(function(req, res, next) {
		// Cross-origin policy for this server: every origin may call it, and the
		// wildcard is repeated in Allow-Headers. Browsers only honour "*" for
		// credential-less requests. "ALLOWALL" is not a value X-Frame-Options
		// defines (only DENY / SAMEORIGIN / ALLOW-FROM are), so browsers ignore the
		// header and framing stays unrestricted, which matches helmet.xframe()
		// being left disabled above.
		var responseHeaders = {
			'Access-Control-Allow-Origin': '*',
			'Access-Control-Allow-Methods': 'GET,PUT,POST,DELETE,OPTIONS',
			'Access-Control-Allow-Headers': 'x-openrtb-version,Content-Type,*',
			'X-Frame-Options': 'ALLOWALL'
		};
		Object.keys(responseHeaders).forEach(function(name) {
			res.header(name, responseHeaders[name]);
		});
		// Non-preflight traffic continues down the middleware chain.
		if (req.method !== 'OPTIONS') {
			return next();
		}
		// CORS preflight: answer with an empty 204 and stop here.
		console.log("INFO: Browser send OPTIONS request.");
		res.statusCode = 204;
		return res.end();
	});
github meanjs / generator-meanjs / app / templates / config / express.js
db: db.connection.db,
			collection: config.sessionCollection
		})
	}));

	// use passport session
	app.use(passport.initialize());
	app.use(passport.session());

	// connect flash for flash messages
	app.use(flash());

	// Use helmet to secure Express headers
	app.use(helmet.xframe());
	app.use(helmet.xssFilter());
	app.use(helmet.nosniff());
	app.use(helmet.ienoopen());
	app.disable('x-powered-by');

	// Setting the app router and static folder
	app.use(express.static(path.resolve('./public')));

	// Globbing routing files
	config.getGlobbedFiles('./app/routes/**/*.js').forEach(function(routePath) {
		require(path.resolve(routePath))(app);
	});

	// Assume 'not found' in the error msgs is a 404. this is somewhat silly, but valid, you can do whatever you like, set properties, use instanceof etc.
	app.use(function(err, req, res, next) {
		// If the error object doesn't exists
		if (!err) return next();
github hivewallet / hive-ios / server / express.js
'connect-src': [
        "'self'",
        'api.bitcoinaverage.com', 'chain.so', // tickers
        'btc.blockr.io', 'tbtc.blockr.io', 'ltc.blockr.io', // blockchain APIs
        process.env.DB_HOST, proxyHost
      ],
      'font-src': ['s3.amazonaws.com'],
      'img-src': ["'self'", 'data:', 'www.gravatar.com'],
      'style-src': ["'self'", 's3.amazonaws.com'],
      'script-src': ["'self'", 'blob:', "'unsafe-eval'"], // http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0021.html, https://github.com/ractivejs/ractive/issues/285
      reportOnly: false,
      setAllHeaders: false,
      safari5: true
    }))
    app.use(helmet.xssFilter())
    app.use(helmet.nosniff())
    app.use(helmet.xframe('sameorigin'))

    var ninetyDaysInMilliseconds = 90 * 24 * 60 * 60 * 1000
    app.use(helmet.hsts({
      maxAge: ninetyDaysInMilliseconds,
      includeSubdomains: true
    }))
  }

  var anHour = 1000*60*60
  app.use(express.bodyParser())
  app.use(express.cookieParser(process.env.COOKIE_SALT))
  app.use(express.cookieSession({
    proxy: true,
    cookie: {
      maxAge: anHour,
github martinmicunda / ionic-photo-gallery / server / src / config / express.js
function initHelmetHeaders(app) {
    // Registers helmet's response-header middleware on `app` and removes the
    // Express X-Powered-By banner. The method names used here (xframe, nosniff,
    // ienoopen) belong to the pre-1.0 helmet API; later majors renamed them
    // (frameguard, noSniff, ieNoOpen). This function sets no HSTS and no CSP.
    var helmetMiddleware = [
        'xframe',     // X-Frame-Options (clickjacking)
        'xssFilter',  // X-XSS-Protection (legacy browser XSS auditor)
        'nosniff',    // X-Content-Type-Options: nosniff (MIME sniffing)
        'ienoopen'    // X-Download-Options: noopen (IE download handling)
    ];
    helmetMiddleware.forEach(function(name) {
        app.use(helmet[name]());
    });
    app.disable('x-powered-by');
}
github castlewhitehall / meanjs-with-token-auth / config / express.js
db: db.connection.db,
			collection: config.sessionCollection
		})
	}));

	// use passport session
	app.use(passport.initialize());
	app.use(passport.session());

	// connect flash for flash messages
	app.use(flash());

	// Use helmet to secure Express headers
	app.use(helmet.xframe());
	app.use(helmet.xssFilter());
	app.use(helmet.nosniff());
	app.use(helmet.ienoopen());
	app.disable('x-powered-by');

	// Setting the app router and static folder
	app.use(express.static(path.resolve('./public')));

	// Globbing routing files
	config.getGlobbedFiles('./app/routes/**/*.js').forEach(function(routePath) {
		require(path.resolve(routePath))(app);
	});

	// Assume 'not found' in the error msgs is a 404. this is somewhat silly, but valid, you can do whatever you like, set properties, use instanceof etc.
	app.use(function(err, req, res, next) {
		// If the error object doesn't exists
		if (!err) return next();
github dreamerkumar / bizsitegenie / website / config / express.js
db: db.connection.db,
			collection: config.sessionCollection
		})
	}));

	// use passport session
	app.use(passport.initialize());
	app.use(passport.session());

	// connect flash for flash messages
	app.use(flash());

	// Use helmet to secure Express headers
	app.use(helmet.xframe());
	app.use(helmet.xssFilter());
	app.use(helmet.nosniff());
	app.use(helmet.ienoopen());
	app.disable('x-powered-by');

	// Setting the app router and static folder
	app.use(express.static(path.resolve('./public')));
	app.use('/builder/public', express.static(path.resolve('./builder/public')));
	app.use('/shared/public', express.static(path.resolve('./shared/public')));

	// Globbing routing files
	config.getGlobbedFiles('./app/routes/**/*.js').forEach(function(routePath) {
		require(path.resolve(routePath))(app);
	});

	config.getGlobbedFiles('./builder/app/routes/**/*.js').forEach(function(routePath) {
		require(path.resolve(routePath))(app);
	});
github BitTigerInst / ElasticSearch / config / lib / express.js
module.exports.initHelmetHeaders = function (app) {
  // Registers helmet's header middleware (including HSTS) on `app` and removes
  // the Express X-Powered-By banner. The names used here (xframe, nosniff,
  // ienoopen, `includeSubdomains`, `force`) are the pre-1.0 helmet API.
  // 15778476000 is six months in milliseconds; whether helmet.hsts() reads
  // maxAge as milliseconds or seconds depends on the helmet major in use --
  // TODO confirm, since a seconds-based helmet would emit a ~500-year max-age.
  var SIX_MONTHS = 15778476000;
  var hstsOptions = {
    maxAge: SIX_MONTHS,
    includeSubdomains: true,
    // NOTE(review): in the old API `force` appears to emit the header even when
    // Express does not see the request as HTTPS (e.g. behind a proxy) -- confirm.
    force: true
  };
  ['xframe', 'xssFilter', 'nosniff', 'ienoopen'].forEach(function (name) {
    app.use(helmet[name]());
  });
  app.use(helmet.hsts(hstsOptions));
  app.disable('x-powered-by');
};
github Rahul-Raviprasad / Library / config / lib / express.js
module.exports.initHelmetHeaders = function (app) {
  // Wires helmet's header middleware into `app`, adds HSTS, and hides the
  // Express X-Powered-By header. Method and option names follow the pre-1.0
  // helmet API (later majors renamed xframe/nosniff/ienoopen and
  // includeSubdomains).
  // Six months expressed in milliseconds. Whether helmet.hsts() expects
  // milliseconds or seconds for maxAge depends on the helmet major -- TODO
  // confirm against the installed version.
  var SIX_MONTHS = 15778476000;
  var headerMiddleware = ['xframe', 'xssFilter', 'nosniff', 'ienoopen'];
  headerMiddleware.forEach(function (name) {
    app.use(helmet[name]());
  });
  app.use(helmet.hsts({
    maxAge: SIX_MONTHS,
    includeSubdomains: true,
    // NOTE(review): `force` in the old API seems to set the header regardless
    // of whether the request is detected as HTTPS -- confirm.
    force: true
  }));
  app.disable('x-powered-by');
};
github bright-sea / brightbi / app / express.js
}

    // Request body parsing middleware should be above methodOverride
    app.use(bodyParser.urlencoded({
        limit: '100mb',
        extended: true
    }));
    app.use(bodyParser.json({
        limit: '100mb'
    }));
    app.use(methodOverride());

    // Use helmet to secure Express headers
    app.use(helmet.xframe('allow-from', 'http://webpivottable.com'));
    app.use(helmet.xssFilter());
    app.use(helmet.nosniff());
    app.use(helmet.ienoopen());
    app.disable('x-powered-by');

    // Setting the app router and static folder
    app.use(express.static(path.resolve('./public')));


    // CookieParser should be above session
    app.use(cookieParser());

    // Express MongoDB session storage
    app.use(session({
        saveUninitialized: true,
        resave: true,
        secret: config.sessionSecret,
        store: new mongoStore({
github vesparny / morpheus / server / express-loader.js
server.use(requestLogger.call(null, morpheus.getLogger('express-loader')));
  server.use(robotstxt);
  server.use(methodOverride());
  server.use(bodyParser.json());
  server.use(bodyParser.urlencoded({
    extended: true
  }));
  server.use(multer());
  server.use('/content/images', express.static(path.join(morpheus.config.appRoot, '/content/images/')));
  server.use(favicon(path.join(morpheus.config.appRoot, 'content/favicon.ico')));
  server.use(express.static(path.join(morpheus.config.appRoot, '/content/themes/', morpheus.config.theme)));

  // Use helmet to secure Express headers
  server.use(helmet.xframe());
  server.use(helmet.xssFilter());
  server.use(helmet.nosniff());
  server.use(helmet.ienoopen());

  // powered by Morpheus
  server.use(helmet.hidePoweredBy());

  server.use(sslRedirection);

  server.use(fluxibleContext.call(null, appContext));

  fetchrPlugin.registerService(morpheus.services.content);
  server.use(fetchrPlugin.getXhrPath(), fetchrPlugin.getMiddleware());

  server.use(sanitize);

  server.use(slashes());