=====Helmet (Защита заголовков в запросах, отдает левые заголовки)=====
npm install helmet
helmet помогает защитить ваши приложения Express, устанавливая различные заголовки HTTP
[[https://badge.fury.io/js/helmet|{{https://camo.githubusercontent.com/6c25e172959765545eb8fd310e4c65007fc913b551ca6fcff4d0ad84b3a74d2b/68747470733a2f2f62616467652e667572792e696f2f6a732f68656c6d65742e737667|npm version}}]] [[https://david-dm.org/helmetjs/helmet|{{https://camo.githubusercontent.com/7ab19b285def6c03995b54d1daeb1903512d52fb61d6ad7258ac35d804b2820a/68747470733a2f2f64617669642d646d2e6f72672f68656c6d65746a732f68656c6d65742e737667|npm dependency status}}]] [[https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet?ref=badge_shield|{{https://camo.githubusercontent.com/ca0f62740ff445933e67bfd9ba9f2e419be6549003bfa3b7e2735d7160c74ac6/68747470733a2f2f6170702e666f7373612e696f2f6170692f70726f6a656374732f67697425324268747470732533412532462532466769746875622e636f6d25324668656c6d65746a7325324668656c6d65742e7376673f747970653d736869656c64|FOSSA Status}}]]
Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!
===== Quick start =====
First, run ''npm install helmet --save'' for your app. Then, in an Express app:
const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet());
// ...
===== How it works =====
Helmet is [[https://github.com/senchalabs/connect|Connect]]-style middleware, which is compatible with frameworks like [[https://expressjs.com/|Express]]. (If you need support for other frameworks or languages, [[https://helmetjs.github.io/see-also/|see this list]].)
The top-level ''helmet'' function is a wrapper around 15 smaller middlewares, 11 of which are enabled by default.
In other words, these two things are equivalent:
// This...
app.use(helmet());
// ...is equivalent to this:
app.use(helmet.contentSecurityPolicy());
app.use(helmet.dnsPrefetchControl());
app.use(helmet.expectCt());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.hsts());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.permittedCrossDomainPolicies());
app.use(helmet.referrerPolicy());
app.use(helmet.xssFilter());
To set custom options for one of the middleware, add options like this:
// This sets custom options for the `referrerPolicy` middleware.
app.use(
helmet({
referrerPolicy: { policy: "no-referrer" },
})
);
You can also disable a middleware:
// This disables the `contentSecurityPolicy` middleware but keeps the rest.
app.use(
helmet({
contentSecurityPolicy: false,
})
);
===== Reference =====
''helmet(options)''
Helmet is the top-level middleware for this module, including all 15 others.
11 of 15 middlewares are included by default. ''crossOriginEmbedderPolicy'', ''crossOriginOpenerPolicy'', ''crossOriginResourcePolicy'', and ''originAgentCluster'' are not included by default. They must be explicitly enabled. They will be turned on by default in the next major version of Helmet.
// Includes all 11 middlewares
app.use(helmet());
If you want to disable one, pass options to ''helmet''. For example, to disable ''frameguard'':
// Includes 10 middlewares, skipping `helmet.frameguard`
app.use(
helmet({
frameguard: false,
})
);
Most of the middlewares have options, which are documented in more detail below. For example, to pass ''{ action: "deny" }'' to ''frameguard'':
// Includes all 11 middlewares, setting an option for `helmet.frameguard`
app.use(
helmet({
frameguard: {
action: "deny",
},
})
);
Each middleware's name is listed below.
''helmet.contentSecurityPolicy(options)''
''helmet.contentSecurityPolicy'' sets the ''Content-Security-Policy'' header which helps mitigate cross-site scripting attacks, among other things. See [[https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP|MDN's introductory article on Content Security Policy]].
This middleware performs very little validation. You should rely on CSP checkers like [[https://csp-evaluator.withgoogle.com/|CSP Evaluator]] instead.
''options.directives'' is an object. Each key is a directive name in camel case (such as ''defaultSrc'') or kebab case (such as ''default-src''). Each value is an iterable (usually an array) of strings or functions for that directive. If a function appears in the iterable, it will be called with the request and response. The ''default-src'' can be explicitly disabled by setting its value to ''helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc''.
''options.reportOnly'' is a boolean, defaulting to ''false''. If ''true'', [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only|the ]]''[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only|Content-Security-Policy-Report-Only]]''[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only| header]] will be set instead.
If no directives are supplied, the following policy is set (whitespace added for readability):
default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
You can use this default with the ''options.useDefaults'' option. ''options.useDefaults'' is ''false'' by default, but will be ''true'' in the next major version of Helmet.
You can also get the default directives object with ''helmet.contentSecurityPolicy.getDefaultDirectives()''.
Examples:
// Sets all of the defaults, but overrides `script-src` and disables the default `style-src`
app.use(
helmet.contentSecurityPolicy({
useDefaults: true,
directives: {
"script-src": ["'self'", "example.com"],
"style-src": null,
},
})
);
// Sets "Content-Security-Policy: default-src 'self';script-src 'self' example.com;object-src 'none';upgrade-insecure-requests"
app.use(
helmet.contentSecurityPolicy({
useDefaults: false,
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
},
})
);
// Sets the "Content-Security-Policy-Report-Only" header instead
app.use(
helmet.contentSecurityPolicy({
useDefaults: true,
directives: {
/* ... */
},
reportOnly: true,
})
);
// Sets the `script-src` directive to "'self' 'nonce-e33ccde670f149c1789b1e1e113b0916'" (or similar)
app.use((req, res, next) => {
res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
next();
});
app.use(
helmet.contentSecurityPolicy({
useDefaults: true,
directives: {
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
},
})
);
// Sets "Content-Security-Policy: script-src 'self'"
app.use(
helmet.contentSecurityPolicy({
useDefaults: false,
directives: {
"default-src": helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc,
"script-src": ["'self'"],
},
})
);
// Sets the `frame-ancestors` directive to "'none'"
// See also: `helmet.frameguard`
app.use(
helmet.contentSecurityPolicy({
useDefaults: true,
directives: {
frameAncestors: ["'none'"],
},
})
);
You can install this module separately as ''helmet-csp''.
''helmet.crossOriginEmbedderPolicy()''
''helmet.crossOriginEmbedderPolicy'' sets the ''Cross-Origin-Embedder-Policy'' header to ''require-corp''. See [[https://developer.cdn.mozilla.net/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy|MDN's article on this header]] for more.
This middleware is not included when calling ''helmet()'' by default, and must be enabled explicitly. It will be enabled by default in the next major version of Helmet.
Example usage with Helmet:
// Uses the default Helmet options and adds the `crossOriginEmbedderPolicy` middleware.
// Sets "Cross-Origin-Embedder-Policy: require-corp"
app.use(helmet({ crossOriginEmbedderPolicy: true }));
Standalone example:
// Sets "Cross-Origin-Embedder-Policy: require-corp"
app.use(helmet.crossOriginEmbedderPolicy());
You can't install this module separately.
''helmet.crossOriginOpenerPolicy()''
''helmet.crossOriginOpenerPolicy'' sets the ''Cross-Origin-Opener-Policy'' header. For more, see [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy|MDN's article on this header]].
This middleware is not included when calling ''helmet()'' by default, and must be enabled explicitly. It will be enabled by default in the next major version of Helmet.
Example usage with Helmet:
// Uses the default Helmet options and adds the `crossOriginOpenerPolicy` middleware.
// Sets "Cross-Origin-Opener-Policy: same-origin"
app.use(helmet({ crossOriginOpenerPolicy: true }));
// Sets "Cross-Origin-Opener-Policy: same-origin-allow-popups"
app.use(
helmet({ crossOriginOpenerPolicy: { policy: "same-origin-allow-popups" } })
);
Standalone example:
// Sets "Cross-Origin-Opener-Policy: same-origin"
app.use(helmet.crossOriginOpenerPolicy());
// Sets "Cross-Origin-Opener-Policy: same-origin-allow-popups"
app.use(helmet.crossOriginOpenerPolicy({ policy: "same-origin-allow-popups" }));
// Sets "unsafe-none-Opener-Policy: unsafe-none"
app.use(helmet.crossOriginOpenerPolicy({ policy: "unsafe-none" }));
You can't install this module separately.
''helmet.crossOriginResourcePolicy()''
''helmet.crossOriginResourcePolicy'' sets the ''Cross-Origin-Resource-Policy'' header. For more, see [[https://resourcepolicy.fyi/|"Consider deploying Cross-Origin Resource Policy]] and [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy|MDN's article on this header]].
This middleware is not included when calling ''helmet()'' by default, and must be enabled explicitly. It will be enabled by default in the next major version of Helmet.
Example usage with Helmet:
// Uses the default Helmet options and adds the `crossOriginResourcePolicy` middleware.
// Sets "Cross-Origin-Resource-Policy: same-origin"
app.use(helmet({ crossOriginResourcePolicy: true }));
// Sets "Cross-Origin-Resource-Policy: same-site"
app.use(helmet({ crossOriginResourcePolicy: { policy: "same-site" } }));
Standalone example:
// Sets "Cross-Origin-Resource-Policy: same-origin"
app.use(helmet.crossOriginResourcePolicy());
// Sets "Cross-Origin-Resource-Policy: same-site"
app.use(helmet.crossOriginResourcePolicy({ policy: "same-site" }));
// Sets "Cross-Origin-Resource-Policy: cross-origin"
app.use(helmet.crossOriginResourcePolicy({ policy: "cross-origin" }));
You can install this module separately as ''cross-origin-resource-policy''.
''helmet.expectCt(options)''
''helmet.expectCt'' sets the ''Expect-CT'' header which helps mitigate misissued SSL certificates. See [[https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency|MDN's article on Certificate Transparency]] and the ''[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT|Expect-CT]]''[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT| header]] for more.
''options.maxAge'' is the number of seconds to expect Certificate Transparency. It defaults to ''0''.
''options.enforce'' is a boolean. If ''true'', the user agent (usually a browser) should refuse future connections that violate its Certificate Transparency policy. Defaults to ''false''.
''options.reportUri'' is a string. If set, complying user agents will report Certificate Transparency failures to this URL. Unset by default.
Examples:
// Sets "Expect-CT: max-age=86400"
app.use(
helmet.expectCt({
maxAge: 86400,
})
);
// Sets "Expect-CT: max-age=86400, enforce, report-uri="https://example.com/report"
app.use(
helmet.expectCt({
maxAge: 86400,
enforce: true,
reportUri: "https://example.com/report",
})
);
You can install this module separately as ''expect-ct''.
''helmet.referrerPolicy(options)''
''helmet.referrerPolicy'' sets the ''Referrer-Policy'' header which controls what information is set in [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer|the ]]''[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer|Referer]]''[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer| header]]. See [[https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns|"Referer header: privacy and security concerns"]] and [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy|the header's documentation]] on MDN for more.
''options.policy'' is a string or array of strings representing the policy. If passed as an array, it will be joined with commas, which is useful when setting [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#Specifying_a_fallback_policy|a fallback policy]]. It defaults to ''no-referrer''.
Examples:
// Sets "Referrer-Policy: no-referrer"
app.use(
helmet.referrerPolicy({
policy: "no-referrer",
})
);
// Sets "Referrer-Policy: origin,unsafe-url"
app.use(
helmet.referrerPolicy({
policy: ["origin", "unsafe-url"],
})
);
You can install this module separately as ''referrer-policy''.
''helmet.hsts(options)''
''helmet.hsts'' sets the ''Strict-Transport-Security'' header which tells browsers to prefer HTTPS over insecure HTTP. See [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security|the documentation on MDN]] for more.
''options.maxAge'' is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. It defaults to ''15552000'', which is 180 days.
''options.includeSubDomains'' is a boolean which dictates whether to include the ''includeSubDomains'' directive, which makes this policy extend to subdomains. It defaults to ''true''.
''options.preload'' is a boolean. If true, it adds the ''preload'' directive, expressing intent to add your HSTS policy to browsers. See [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security|the "Preloading Strict Transport Security" section on MDN]] for more. It defaults to ''false''.
Examples:
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains"
app.use(
helmet.hsts({
maxAge: 123456,
})
);
// Sets "Strict-Transport-Security: max-age=123456"
app.use(
helmet.hsts({
maxAge: 123456,
includeSubDomains: false,
})
);
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains; preload"
app.use(
helmet.hsts({
maxAge: 63072000,
preload: true,
})
);
You can install this module separately as ''hsts''.
''helmet.noSniff()''
''helmet.noSniff'' sets the ''X-Content-Type-Options'' header to ''nosniff''. This mitigates [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#MIME_sniffing|MIME type sniffing]] which can cause security vulnerabilities. See [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options|documentation for this header on MDN]] for more.
This middleware takes no options.
Example:
// Sets "X-Content-Type-Options: nosniff"
app.use(helmet.noSniff());
You can install this module separately as ''dont-sniff-mimetype''.
''helmet.originAgentCluster()''
''helmet.originAgentCluster'' sets the ''Origin-Agent-Cluster'' header, which provides a mechanism to allow web applications to isolate their origins. Read more about it [[https://whatpr.org/html/6214/origin.html#origin-keyed-agent-clusters|in the spec]].
This middleware is not included when calling ''helmet()'' by default, and must be enabled explicitly. It will be enabled by default in the next major version of Helmet.
Example usage with Helmet:
// Uses the default Helmet options and adds the `originAgentCluster` middleware.
// Sets "Origin-Agent-Cluster: ?1"
app.use(helmet({ originAgentCluster: true }));
Standalone example:
// Sets "Origin-Agent-Cluster: ?1"
app.use(helmet.originAgentCluster());
You can't install this module separately.
''helmet.dnsPrefetchControl(options)''
''helmet.dnsPrefetchControl'' sets the ''X-DNS-Prefetch-Control'' header to help control DNS prefetching, which can improve user privacy at the expense of performance. See [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control|documentation on MDN]] for more.
''options.allow'' is a boolean dictating whether to enable DNS prefetching. It defaults to ''false''.
Examples:
// Sets "X-DNS-Prefetch-Control: off"
app.use(
helmet.dnsPrefetchControl({
allow: false,
})
);
// Sets "X-DNS-Prefetch-Control: on"
app.use(
helmet.dnsPrefetchControl({
allow: true,
})
);
You can install this module separately as ''dns-prefetch-control''.
''helmet.ieNoOpen()''
''helmet.ieNoOpen'' sets the ''X-Download-Options'' header, which is specific to Internet Explorer 8. It forces potentially-unsafe downloads to be saved, mitigating execution of HTML in your site's context. For more, see [[https://docs.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-v-comprehensive-protection|this old post on MSDN]].
This middleware takes no options.
Examples:
// Sets "X-Download-Options: noopen"
app.use(helmet.ieNoOpen());
You can install this module separately as ''ienoopen''.
''helmet.frameguard(options)''
''helmet.frameguard'' sets the ''X-Frame-Options'' header to help you mitigate [[https://en.wikipedia.org/wiki/Clickjacking|clickjacking attacks]]. This header is superseded by [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors|the ]]''[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors|frame-ancestors]]''[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors| Content Security Policy directive]] but is still useful on old browsers. For more, see ''helmet.contentSecurityPolicy'', as well as [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options|the documentation on MDN]].
''options.action'' is a string that specifies which directive to use—either ''DENY'' or ''SAMEORIGIN''. (A legacy directive, ''ALLOW-FROM'', is not supported by this middleware. [[https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive|Read more here.]]) It defaults to ''SAMEORIGIN''.
Examples:
// Sets "X-Frame-Options: DENY"
app.use(
helmet.frameguard({
action: "deny",
})
);
// Sets "X-Frame-Options: SAMEORIGIN"
app.use(
helmet.frameguard({
action: "sameorigin",
})
);
You can install this module separately as ''frameguard''.
''helmet.permittedCrossDomainPolicies(options)''
''helmet.permittedCrossDomainPolicies'' sets the ''X-Permitted-Cross-Domain-Policies'' header, which tells some clients (mostly Adobe products) your domain's policy for loading cross-domain content. See [[https://owasp.org/www-project-secure-headers/|the description on OWASP]] for more.
''options.permittedPolicies'' is a string that must be ''"none"'', ''"master-only"'', ''"by-content-type"'', or ''"all"''. It defaults to ''"none"''.
Examples:
// Sets "X-Permitted-Cross-Domain-Policies: none"
app.use(
helmet.permittedCrossDomainPolicies({
permittedPolicies: "none",
})
);
// Sets "X-Permitted-Cross-Domain-Policies: by-content-type"
app.use(
helmet.permittedCrossDomainPolicies({
permittedPolicies: "by-content-type",
})
);
You can install this module separately as ''helmet-crossdomain''.
''helmet.hidePoweredBy()''
''helmet.hidePoweredBy'' removes the ''X-Powered-By'' header, which is set by default in some frameworks (like Express). Removing the header offers very limited security benefits (see [[https://github.com/expressjs/express/pull/2813#issuecomment-159270428|this discussion]]) and is mostly removed to save bandwidth.
This middleware takes no options.
If you're using Express, this middleware will work, but you should use ''app.disable("x-powered-by")'' instead.
Examples:
// Removes the X-Powered-By header if it was set.
app.use(helmet.hidePoweredBy());
You can install this module separately as ''hide-powered-by''.
''helmet.xssFilter()''
''helmet.xssFilter'' disables browsers' buggy cross-site scripting filter by setting the ''X-XSS-Protection'' header to ''0''. See [[https://github.com/helmetjs/helmet/issues/230|discussion about disabling the header here]] and [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection|documentation on MDN]].
This middleware takes no options.
Examples:
// Sets "X-XSS-Protection: 0"
app.use(helmet.xssFilter());
You can install this module separately as ''x-xss-protection''.