export default function middleware (app) {
return compose([
logger(),
helmet(),
KoaStatic('.'),
// CORS (cross-origin request) handling
convert(cors({
origin: function (request) {
let host = request.header.origin
let isIncludes = false
// console.log('host', request.header)
// FIXME security: the branch below (answering '*' when no Origin header is sent) must be commented out before going live. Note also that `host.includes(...)` is a substring test, so an attacker-controlled origin that merely contains an allowed host name would also pass; compare whole origins against the allow-list instead.
if (!host) {
return '*'
}
for (let i in SystemConfig.accessHost) {
if (host.includes(SystemConfig.accessHost[i])) {
isIncludes = true
break
}
});
// Log rejected promises that nothing awaited. Because this handler only logs,
// the process keeps running rather than taking Node's default action for them.
const reportUnhandledRejection = (error, promise) => {
  console.error('unhandled promise rejection:', { error, promise }); // eslint-disable-line no-console
};
process.on('unhandledRejection', reportUnhandledRejection);

app.use(koaMount('/healthcare', healthcare));
// XmlHttpRequest shim for IE
app.use(xdomainRoute);
// Security headers: helmet's defaults, a self-only CSP, and X-Frame-Options: DENY.
// NOTE(review): newer helmet releases take frameguard({ action: 'deny' }) — confirm
// the installed koa-helmet still accepts the string form.
app
  .use(koaHelmet())
  .use(koaHelmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"] } }))
  .use(koaHelmet.frameguard('deny'));
// NOTE(review): the koaCors() registered right after this sets credentials: true;
// confirm its origin option is an explicit allow-list rather than a reflected Origin.
app.use(koaCors({
credentials: true,
exposeHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
// we don't need to report every time a request stops to the bug tracker
if (error.code === 'EPIPE' || error.code === 'ECONNRESET') {
console.warn('Connection error', { error });
} else {
bugsnag.koaHandler(error, ctx);
}
});
}
}
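// Security headers go on before any route is mounted: a handler under /auth or
// /api that responds without calling next() ends the middleware chain there, so
// a helmet() registered after the mounts would never run for those responses.
app.use(helmet());
app.use(mount('/auth', auth));
app.use(mount('/api', api));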
app.use(
contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: [
"'self'",
"'unsafe-inline'",
"'unsafe-eval'",
'gist.github.com',
'www.google-analytics.com',
'd2wy8f7a9ursnm.cloudfront.net',
],
styleSrc: ["'self'", "'unsafe-inline'", 'github.githubassets.com'],
imgSrc: ['*', 'data:', 'blob:'],
frameSrc: ['*'],
connectSrc: compact([
"'self'",
process.env.AWS_S3_UPLOAD_BUCKET_URL,
// Log rejected promises that nothing awaited. Because this handler only logs,
// the process keeps running rather than taking Node's default action for them.
const reportUnhandledRejection = (error, promise) => {
  console.error('unhandled promise rejection:', { error, promise }); // eslint-disable-line no-console
};
process.on('unhandledRejection', reportUnhandledRejection);

app.use(koaMount('/healthcare', healthcare));
// XmlHttpRequest shim for IE
app.use(xdomainRoute);
// Security headers: helmet's defaults, a self-only CSP, and X-Frame-Options: DENY.
// NOTE(review): newer helmet releases take frameguard({ action: 'deny' }) — confirm
// the installed koa-helmet still accepts the string form.
app
  .use(koaHelmet())
  .use(koaHelmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"] } }))
  .use(koaHelmet.frameguard('deny'));
// NOTE(review): the koaCors() registered right after this sets credentials: true;
// confirm its origin option is an explicit allow-list rather than a reflected Origin.
app.use(koaCors({
credentials: true,
exposeHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowMethods: [
// Log rejected promises that nothing awaited. Because this handler only logs,
// the process keeps running rather than taking Node's default action for them.
const reportUnhandledRejection = (error, promise) => {
  console.error('unhandled promise rejection:', { error, promise }); // eslint-disable-line no-console
};
process.on('unhandledRejection', reportUnhandledRejection);

app.use(koaMount('/healthcare', healthcare));
// XmlHttpRequest shim for IE
app.use(xdomainRoute);
// Security headers: helmet's defaults, a self-only CSP, and X-Frame-Options: DENY.
// NOTE(review): newer helmet releases take frameguard({ action: 'deny' }) — confirm
// the installed koa-helmet still accepts the string form.
app
  .use(koaHelmet())
  .use(koaHelmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"] } }))
  .use(koaHelmet.frameguard('deny'));
// NOTE(review): the koaCors() registered right after this sets credentials: true;
// confirm its origin option is an explicit allow-list rather than a reflected Origin.
app.use(koaCors({
credentials: true,
exposeHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowMethods: [
// Log rejected promises that nothing awaited. Because this handler only logs,
// the process keeps running rather than taking Node's default action for them.
const reportUnhandledRejection = (error, promise) => {
  console.error('unhandled promise rejection:', { error, promise }); // eslint-disable-line no-console
};
process.on('unhandledRejection', reportUnhandledRejection);

app.use(koaMount('/healthcare', healthcare));
// XmlHttpRequest shim for IE
app.use(xdomainRoute);
// Security headers: helmet's defaults, a self-only CSP, and X-Frame-Options: DENY.
// NOTE(review): newer helmet releases take frameguard({ action: 'deny' }) — confirm
// the installed koa-helmet still accepts the string form.
app
  .use(koaHelmet())
  .use(koaHelmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"] } }))
  .use(koaHelmet.frameguard('deny'));
// NOTE(review): the koaCors() registered right after this sets credentials: true;
// confirm its origin option is an explicit allow-list rather than a reflected Origin.
app.use(koaCors({
credentials: true,
exposeHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowMethods: [
'DELETE',
// Log rejected promises that nothing awaited. Because this handler only logs,
// the process keeps running rather than taking Node's default action for them.
const reportUnhandledRejection = (error, promise) => {
  console.error('unhandled promise rejection:', { error, promise }); // eslint-disable-line no-console
};
process.on('unhandledRejection', reportUnhandledRejection);

app.use(koaMount('/healthcare', healthcare));
// XmlHttpRequest shim for IE
app.use(xdomainRoute);
// Security headers: helmet's defaults, a self-only CSP, and X-Frame-Options: DENY.
// NOTE(review): newer helmet releases take frameguard({ action: 'deny' }) — confirm
// the installed koa-helmet still accepts the string form.
app
  .use(koaHelmet())
  .use(koaHelmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"] } }))
  .use(koaHelmet.frameguard('deny'));
// NOTE(review): the koaCors() registered right after this sets credentials: true;
// confirm its origin option is an explicit allow-list rather than a reflected Origin.
app.use(koaCors({
credentials: true,
exposeHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowMethods: [
'DELETE',
import winston from 'winston';
import slack from 'node-slack';
require('winston-daily-rotate-file');
// Setup logging
// Swap winston's stock console transport for a colorized, timestamped, pretty-printed one.
winston.remove(winston.transports.Console);
winston.add(winston.transports.Console, { colorize: true, timestamp: true, prettyPrint: true });
// The Slack incoming-webhook URL is a credential, so it is read from the environment.
// NOTE(review): nothing here verifies SLACK_HOOK_URL is set — confirm node-slack fails
// loudly rather than silently dropping messages when it is undefined.
var slackAPIKey = process.env.SLACK_HOOK_URL;
var mySlack = new slack(slackAPIKey, {});
// Create Koa Application
const app = new Koa();
// Middleware order: request logging, body parsing, security headers, then CORS.
app.use(logger());
app.use(bodyParser());
app.use(helmet());
// NOTE(review): cors() is given no options, so behaviour is whatever this cors
// package does by default (commonly: echo the request's Origin) — confirm that is intended.
app.use(cors());
routing(app);
// Start the application
const announceStartup = () => logToSlack(`Lighthouse API server is running at http://localhost:${port}/`);
app.listen(port, announceStartup);
export default app;
export function logToSlack (message) {
winston.log('info', 'SentToSlack: ' + message);
mySlack.send({
text : message,
channel : '#lighthouse-status',
username : 'Lighthouse',
icon_emoji: 'lighthouse',
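/**
 * Installs session, CSRF and security-header middleware on a Koa app.
 *
 * Session cookies are signed with SECRET_KEY. A request that presents that same
 * value in an `x-app-secret` header is treated as server-to-server and skips the
 * CSRF check; every other request goes through koa-csrf.
 *
 * @param app - the Koa application to configure (mutated in place)
 * @throws Error when SECRET_KEY is unset or empty. An empty secret would leave
 *   cookies effectively unsigned and — because ctx.get() yields '' for a missing
 *   header — would make the `x-app-secret` comparison succeed for every request,
 *   waiving CSRF protection entirely.
 */
export const securityLayer = (app: Object) => {
  const secret = process.env.SECRET_KEY;
  if (!secret) {
    throw new Error('SECRET_KEY must be set to a non-empty value');
  }
  app.keys = [secret];
  const csrf = new CSRF();
  app
    .use(session({ maxAge: 86400000 }, app)) // https://github.com/koajs/session
    .use((ctx, next) => {
      // don't check csrf for request coming from the server
      if (isServerRequest(ctx.get("x-app-secret"), secret)) {
        return next();
      }
      return csrf(ctx, next);
    }) // https://github.com/koajs/csrf
    .use(helmet()); // https://github.com/venables/koa-helmet
};

// Constant-time comparison of the presented header value against the shared
// secret, so response timing does not reveal how many leading bytes matched.
// Lengths are checked first because timingSafeEqual requires equal-length buffers.
function isServerRequest(presented: string, secret: string): boolean {
  const { timingSafeEqual } = require('crypto');
  const given = Buffer.from(presented || '');
  const expected = Buffer.from(secret);
  return given.length === expected.length && timingSafeEqual(given, expected);
}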
import Router from 'koa-router'
import convert from 'koa-convert'
import router from './router'
import config from '../internals/config/private'
import { apiPrefix } from '../internals/config/public'
const app = new Koa()
// Falls back to 'development' when NODE_ENV is unset or empty.
const env = process.env.NODE_ENV || 'development'
// Static-asset cache settings (one day, gzip) for the production-only asset middleware.
const cacheOpts = { maxAge: 86400000, gzip: true }
app
  .use(responseTime()) // add header `X-Response-Time`
  .use(convert(logger()))
  .use(helmet()) // various security headers
  .use(favicon(path.join(__dirname, '../app/images/favicon.ico')))
if (env === 'production') {
// set debug env to `koa` only
// must be set programmaticaly for windows
debug.enable('koa')
// load production middleware
app.use(require('koa-conditional-get')())
app.use(convert(require('koa-etag')()))
app.use(require('koa-compress')())
app.use(mount('/assets', staticCache(path.join(__dirname, '../dist'), cacheOpts)))
// mount static folder for SW