helmet.contentSecurityPolicy({
directives: baseCSP,
browserSniff: false,
}),
);
// Set other security headers.
// X-Frame-Options: DENY — this app is never meant to be rendered inside a frame.
app.use(helmet.frameguard({ action: 'deny' }));
app.use(
helmet.hsts({
// Subdomains are deliberately left out of the HSTS scope — presumably some are
// still served without TLS; confirm before tightening.
includeSubDomains: false,
maxAge: 31536000, // 1 year in seconds
}),
);
// X-Content-Type-Options: nosniff — stops browsers from MIME-sniffing responses.
app.use(helmet.noSniff());
// Never send a Referer header, to any destination.
app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));
// Legacy X-XSS-Protection header; current browsers ignore it, so the CSP
// configured above remains the real control.
app.use(helmet.xssFilter());
// Express configuration.
// `||` also replaces empty-string env values with the default, not only unset ones.
app.set('host', env.SERVER_HOST || DEFAULT_HOST);
app.set('port', env.PORT || DEFAULT_PORT);
// Drop the framework-identifying X-Powered-By header.
app.disable('x-powered-by');
app.use(cookiesMiddleware());
// We use a proxy to forward API requests to REACT_APP_API_HOST (i.e. the
// AMO/addons-server API). This is useful for local development.
if (useInsecureProxy) {
if (isProduction) {
console.warn(`Using an insecure proxy with NODE_ENV=production is risky`);
}
app.use(
module.exports.serve = async (electronApp) => {
/* Initiate database */
await db.init();
/* Allow both JSON and URL encoded bodies */
// Both parsers run with their library-default body size limit; nothing here
// overrides it.
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
/* Set security headers */
// helmet() installs its default header set. referrerPolicy() is called without
// a policy, so the emitted value is whatever this helmet version defaults to.
app.use(helmet());
app.use(helmet.referrerPolicy());
/* Set EJS config */
app.set('view engine', 'ejs');
app.set('views',path.join(__dirname,'views/pages'));
// Both locals are visible to every rendered template.
app.locals.environment = process.env.NODE_ENV;
app.locals.announcement = config.announcement;
/* Compress pages */
app.use(require('compression')());
/* Serve static content*/
// Mounted after helmet, so static files are served with the security headers too.
app.use(express.static(path.join(__dirname,'views/static')));
/* Configuration middleware */
app.use(async (req,res,next) => {
const {NODE_ENV} = process.env;
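const drive = require('./server/routes/drive.js');
const links = require('./server/routes/links.js');
const oauth = require('./server/routes/oauth.js');
const clientConfig = require('./server/routes/clientConfig.js');
const corrections = require('./server/routes/corrections.js');
const errorHandler = require('./server/middlewares/boom.js');
const authRequired = require('./server/middlewares/oauth.js');
const app = express();
console.log(`Environment is: ${config.env}`);
// Helmet Middleware
// helmet() applies its default header set; the two explicit calls below
// override the Referrer-Policy and HSTS values it would otherwise emit, so
// they must stay after it.
app.use(helmet());
app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
app.use(helmet.hsts({
  maxAge: 63072000, // 2 years
  includeSubDomains: true,
  // Opts the domain in to browser preload lists; only safe once every
  // subdomain is served over HTTPS.
  preload: true,
}));
// Local dev servers are admitted to the CORS allow-list only outside production
// and when the built bundle is not being served (DEV_USE_DIST=yes). Computed
// once so the log line below reports exactly the value that was acted on.
const allowLocalDevOrigins = !config.isProd && process.env.DEV_USE_DIST !== "yes";
// Only the `origin` property is ever mutated, so the binding itself is const.
const corsOptions = {
  origin: 'https://lyrgard.github.io',
};
if (allowLocalDevOrigins) {
  corsOptions.origin = [corsOptions.origin, 'http://localhost:4444', 'http://localhost:3001'];
}
console.log(allowLocalDevOrigins);
console.log(corsOptions);
app.use(cors(corsOptions));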
})
}
// production error handler, no stacktraces leaked to user
/**
 * Final error handler. Express recognises it by its four-parameter signature,
 * so `next` stays in the list even though it is never called.
 * Responds with the error's own status (500 when it has none) and a JSON body
 * whose `error` field is always empty, so no stack trace reaches the client.
 * NOTE(review): `err.message` is still forwarded verbatim; confirm upstream
 * errors never carry internal detail (paths, queries) in their message.
 */
app.use(function errorResponder(err, req, res, next) {
  const statusCode = err.status || 500;
  res.status(statusCode).send({ message: err.message, error: {} });
});
// -----------------------------------------------------------------------------
// USE SECURITY MIDDLEWARES
// -----------------------------------------------------------------------------
// helmet() installs its default header set; the two calls after it add
// cache-disabling headers and an explicit Referrer-Policy. Note that the CSRF
// middleware further down is commented out, so nothing in this file adds a
// CSRF token check to state-changing routes.
app.use(helmet())
// Cache-Control/Pragma/Expires forbid caching on every response handled after
// this point, not only on sensitive pages.
app.use(helmet.noCache())
// Send the Referer only for same-origin requests and navigations.
app.use(helmet.referrerPolicy({policy: 'same-origin'}))
// app.use(csrf())
// app.use((req, res, next) => {
// // Expose variable to templates via locals
// res.locals.csrftoken = req.csrfToken()
// next()
// })
// -----------------------------------------------------------------------------
// CONFIGURE ROUTERS
// -----------------------------------------------------------------------------
// LIMITER
limiter({
lookup: ['connection.remoteAddress'],
total: 800, // 800 requests per hour
function configureApplication(options: AppOptions) {
const { parent, config } = options;
// Trust the proxy in front of us, this will enable us to trust the fact that
// SSL was terminated correctly.
// With "trust proxy" set, Express derives req.ip, req.protocol and req.secure
// from the X-Forwarded-* headers, so `trust_proxy` must only name hops that
// clients cannot reach directly (otherwise those values are spoofable).
// This reads options.config although the destructured `config` above is the
// same object.
const trust = options.config.get("trust_proxy");
if (trust) {
parent.set("trust proxy", compileTrust(trust));
}
// Configure security middleware and options.
// Drop the framework-identifying X-Powered-By header.
parent.disable("x-powered-by");
// X-Content-Type-Options: nosniff.
parent.use(noSniff());
// Referer is sent only for same-origin requests.
parent.use(referrerPolicy({ policy: "same-origin" }));
// Legacy X-XSS-Protection header; ignored by current browsers.
parent.use(xssFilter());
// If we're in production mode, configure some production security settings.
if (config.get("env") === "production") {
if (config.get("disable_force_ssl")) {
logger.warn(
"SSL enforcement has been disabled in production, this should not be used except for testing"
);
} else {
// Coral in production requires SSL, so we'll send the HSTS headers here as
// well as force the use of HTTPS with a 301 redirect.
parent.use(
hsts({
// We don't want to break existing other services that run with SSL.
includeSubDomains: false,
})
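/**
 * Installs the response-hardening headers on an Express app.
 *
 * @param {object} app Express application; only app.set and app.use are used.
 * @param {boolean} forceSecure Passed through as helmet's HSTS `force` option so
 *   the header is emitted even when the request is not detected as TLS.
 */
var securityHeaders = function (app, forceSecure) {
  // Both this setting and hidePoweredBy() below remove X-Powered-By; keeping
  // both is harmless.
  app.set('x-powered-by', false);
  var ninetyDaysInSeconds = 7776000;
  app.use(helmet.hsts({ maxAge: ninetyDaysInSeconds, force: forceSecure, includeSubDomains: false }));
  // X-Frame-Options: DENY.
  app.use(helmet.frameguard({action: 'deny'}));
  app.use(helmet.hidePoweredBy());
  app.use(helmet.noSniff());
  app.use(helmet.xssFilter());
  app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
  // can't currently use CSP as i would like because various 3rd party libs are using inline style and javascript eval()
  app.use(helmet.contentSecurityPolicy({
    directives: {
      // 'none' is the fallback for every fetch directive not listed below
      // (object-src, media-src, frame-src, ...).
      defaultSrc: ["'none'"],
      scriptSrc: ["'self'"],
      connectSrc: ["'self'"],
      styleSrc: ["'self'", 'https://fonts.googleapis.com', "'unsafe-inline'"], //needed for jquery
      imgSrc: ["'self'", 'data:'],
      fontSrc: ["'self'", 'https://fonts.gstatic.com', 'data:'],
      formAction: ["'self'", 'https://github.com'],
      // frame-ancestors does not fall back to default-src, so the 'none'
      // above leaves framing unrestricted for CSP-aware browsers; mirror the
      // frameguard 'deny' set earlier.
      frameAncestors: ["'none'"],
      reportUri: 'https://owaspthreatdragon.report-uri.com/r/d/csp/enforce'
    }
  }));
};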
/**
 * Mounts the request-hardening middleware on `server`, in this order: hpp
 * (parameter-pollution guard), helmet's default header set, an explicit
 * Referrer-Policy of `same-origin`, cache-disabling headers, and a CSP.
 * Express's `use` returns the app, so the calls are chained.
 *
 * NOTE(review): the CSP admits 'unsafe-inline' scripts, which removes most of
 * the XSS protection a CSP provides, and style-src lists only 'unsafe-inline'
 * (no 'self'), so linked stylesheets would be blocked — confirm both are
 * intended.
 */
private setupSecurityMiddlewares(server: Express) {
  const cspDirectives = {
    defaultSrc: ["'self'"],
    styleSrc: ["'unsafe-inline'"],
    scriptSrc: ["'unsafe-inline'", "'self'"],
  };
  server
    .use(hpp())
    .use(helmet())
    .use(helmet.referrerPolicy({ policy: 'same-origin' }))
    .use(helmet.noCache())
    .use(helmet.contentSecurityPolicy({ directives: cspDirectives }));
}
maxAge: 31536000,
preload: true,
}),
);
// The directive set itself comes from SERVER.CSP in the loaded config and is
// not visible here.
this.app.use(
helmet.contentSecurityPolicy({
// Tailor the header to the requesting browser (user-agent sniffing).
browserSniff: true,
directives: this.config.SERVER.CSP,
disableAndroid: false,
// NOTE(review): loose mode is on in every non-development environment;
// presumably it relaxes helmet-csp's directive validation — confirm that is
// intended rather than the reverse.
loose: !this.config.SERVER.DEVELOPMENT,
// Enforcing header, not Content-Security-Policy-Report-Only.
reportOnly: false,
// Emit only the header variant chosen by the sniff, not every legacy name.
setAllHeaders: false,
}),
);
this.app.use(
helmet.referrerPolicy({
// Referer is sent only for same-origin requests and navigations.
policy: 'same-origin',
}),
);
}
});
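// Security and cross-origin headers, mounted as one middleware chain (Express
// runs them in the order listed).
// CSP and Feature-Policy keywords must be single-quoted inside the header
// ('self', 'none'); the JS literals therefore wrap them in double quotes. The
// previous form, "self" in double quotes, is not a valid source expression and
// browsers ignore it — which left default-src with no valid source at all.
app.use(
  csp({
    directives: {
      defaultSrc: ["'self'"]
    }
  }),
  helmet.featurePolicy({
    features: {
      fullscreen: ["'self'"],
      vibrate: ["'none'"],
      payment: ["'none'"],
      syncXhr: ["'none'"]
    }
  }),
  // Referer only for same-origin requests.
  helmet.referrerPolicy({ policy: 'same-origin' }),
  // X-Frame-Options: DENY.
  helmet.frameguard({
    action: 'deny'
  }),
  helmet.hsts({
    maxAge: 15768000 //Six Months in Seconds
  }),
  helmet.xssFilter(),
  helmet.noSniff(),
  // Any origin may read GET responses; preflights are answered with 204 and
  // not passed on to the route handlers.
  cors({
    origin: '*',
    methods: 'GET',
    preflightContinue: false,
    optionsSuccessStatus: 204
  })
);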