Js Node (Helmet.js)
Dimitris Chitas
Posted on May 23, 2021
Hello there guys!
As the days go by and summer is near, a lot of you have finished your projects, a couple of them built in a Node/Express.js environment, and you probably think this is
the time to add some extra functionality with some external
libraries and packages. :D :D
Today I will focus on one dependency called Helmet.js. It also has an open repo
on GitHub, check here: helmet-repo. It helps us add some
settings to our Express server, and those settings are focused on the security of your app.
You can use npm or yarn; I will go with npm, so we can simply install it with npm install helmet --save,
which saves it to your project's dependencies.
So if you already have an Express server running, you can
simply require Helmet, see below:
const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet());
// ...
What is Helmet?
Helmet is a function used as middleware that wraps 11 smaller middlewares. It sets HTTP headers, origin validations and some other things to avoid multiple attacks on your website or web app.
So the above app.use(helmet());
is equivalent to this:
app.use(helmet.contentSecurityPolicy());
app.use(helmet.dnsPrefetchControl());
app.use(helmet.expectCt());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.hsts());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.permittedCrossDomainPolicies());
app.use(helmet.referrerPolicy());
app.use(helmet.xssFilter());
All of these set headers on your content and your load balancers, plus predefined actions that verify what clients do, checking who is who like this. They are sugar for your application, not the core of your security build.
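To check that the eleven middlewares listed above actually reached the client, here is an added header audit (my own example, not code from the Helmet project). It takes a response's headers object, as Node's http module or a curl -I dump would give you, and reports which Helmet middleware's header is missing or weaker than Helmet 4's defaults; the expected values are the Helmet 4 defaults as I know them, so adjust them if your version differs.

```javascript
// Added example: audit response headers against what Helmet's eleven
// middlewares are expected to set (Helmet 4 default values, assumed).
// Header names are compared case-insensitively, as Node lowercases them.
function hstsOk(v) {
  const m = /max-age=(\d+)/i.exec(v || "");
  return m !== null && Number(m[1]) >= 15552000; // 180 days, Helmet's default
}

// [middleware name from the post, header it controls, predicate on the value]
const CHECKS = [
  ["contentSecurityPolicy", "content-security-policy", (v) => v !== undefined],
  ["dnsPrefetchControl", "x-dns-prefetch-control", (v) => v === "off"],
  ["expectCt", "expect-ct", (v) => v !== undefined],
  ["frameguard", "x-frame-options", (v) => /^(sameorigin|deny)$/i.test(v || "")],
  ["hidePoweredBy", "x-powered-by", (v) => v === undefined], // must be absent
  ["hsts", "strict-transport-security", hstsOk],
  ["ieNoOpen", "x-download-options", (v) => v === "noopen"],
  ["noSniff", "x-content-type-options", (v) => v === "nosniff"],
  ["permittedCrossDomainPolicies", "x-permitted-cross-domain-policies", (v) => v === "none"],
  ["referrerPolicy", "referrer-policy", (v) => v !== undefined],
  ["xssFilter", "x-xss-protection", (v) => v === "0"],
];

// Returns the names of the Helmet middlewares whose header is missing or weak.
function auditSecurityHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  return CHECKS.filter(([, name, ok]) => !ok(lower[name])).map(([mw]) => mw);
}

// Constructed samples: a bare Express response, and one with Helmet's defaults.
const bareExpress = { "X-Powered-By": "Express", "Content-Type": "text/html" };
const withHelmet = {
  "Content-Security-Policy": "default-src 'self'",
  "X-DNS-Prefetch-Control": "off",
  "Expect-CT": "max-age=0",
  "X-Frame-Options": "SAMEORIGIN",
  "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
  "X-Download-Options": "noopen",
  "X-Content-Type-Options": "nosniff",
  "X-Permitted-Cross-Domain-Policies": "none",
  "Referrer-Policy": "no-referrer",
  "X-XSS-Protection": "0",
};

console.log("bare express:", auditSecurityHeaders(bareExpress)); // all 11 flagged
console.log("with helmet:", auditSecurityHeaders(withHelmet)); // []
```

Point it at your own server by passing `res.headers` from an http.get callback; any middleware name it prints is one whose header a proxy, CDN or later middleware may have stripped or overridden.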
Let's see two examples:
1.
// Set custom options for the referrer policy
app.use(
  helmet({
    referrerPolicy: { policy: "no-referrer" },
  })
);
2.
// Sets "X-XSS-Protection: 0"
// Disables the browser's buggy cross-site scripting filter by setting
// the X-XSS-Protection header to 0
app.use(helmet.xssFilter());
// Sets "X-Content-Type-Options: nosniff"
// Sets the X-Content-Type-Options header to nosniff. This mitigates
// MIME type sniffing, which can cause security vulnerabilities
app.use(helmet.noSniff());
That's all we have for today; for more information check the documentation at the GitHub link.
Have a nice workday guys! In case you need further explanation, do not hesitate to contact me or find me on GitHub or LinkedIn.
GitHub : https://github.com/feco2019
Linkedin : https://www.linkedin.com/in/dimitris-chitas-930285191/