* because you don’t want to make it easy for an attacker to figure out what you are
* running. The X-Powered-By header can be extremely useful to an attacker for
* building a site’s risk profile.
*/
// Stop Express from advertising itself in the X-Powered-By header.
app.disable('x-powered-by');
app.use(compression());
// NOTE(review): a 50mb limit on both body parsers lets any client make the
// server buffer very large request bodies; confirm this size is really needed
// and consider scoping it to the routes that accept large uploads.
app.use(bodyParser.json({ limit: '50mb' }));
app.use(bodyParser.urlencoded({ limit: '50mb', extended: true }));
app.use(cookieParser());
// helmet() with no options attaches its default set of header middleware in
// a single line.
app.use(helmet());
// Individual protections can be configured on top of the defaults; this one
// makes the X-Powered-By value claim PHP to mislead fingerprinting. Note that
// it is registered after app.disable('x-powered-by') above, so the header is
// emitted with this value rather than omitted.
app.use(helmet.hidePoweredBy({
  setTo: 'PHP 4.2.0'
}));
// Middleware outside the helmet() default set is not activated automatically
// and needs explicit configuration, e.g.:
// app.use(helmet.referrerPolicy({ policy: 'same-origin' }));
// app.use(flash());
// Request logger. NOTE(review): req.baseUrl is derived from the request path,
// so request-controlled text reaches the log unescaped; strip control
// characters first if these logs are parsed or viewed elsewhere.
app.use('*', (req, res, next) => {
  console.log(`URL: ${req.baseUrl}`);
  next();
});
app.use((req, res, next) => {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'PUT, GET, POST, DELETE, OPTIONS');
res.header(
'Access-Control-Allow-Headers',
'Origin, X-Requested-With, Content-Type, Accept');
*
*/
'use strict';

console.log('Starting app...');

// HTTP client used to pull JSON from the API, and Bluebird as the Promise
// implementation for this module.
const request = require('request');
const Promise = require("bluebird");

const express = require('express');
const app = express();
const helmet = require('helmet');
const http = require('http').Server(app);
// Websocket server bound to the same HTTP server.
const io = require('socket.io')(http);

// Report a misleading X-Powered-By value instead of advertising Express.
app.use(helmet.hidePoweredBy({setTo: 'PHP/5.4.0'}));

const port = process.env.PORT || 3000;
// Static site content lives under ./docs.
app.use(express.static(`${__dirname}/docs`));

http.listen(port, () => {
  console.log('listening on', port);
});

// Load the settings module and run it for its side effects.
require('./settings.js')();
// let db = require('./db.js'); //Includes db.js

let coinNames = [];
io.on('connection', function (socket) {
// Opt-out switches: each protection stays on unless the matching environment
// variable is exactly the string 'true'. (process.env values are strings or
// undefined, so loose != behaves the same as !== here.)
if (process.env.HSTS_DISABLED != 'true') {
  // Strict-Transport-Security
  app.use(helmet.hsts());
}
if (process.env.DISABLE_XFO_HEADERS_DENY != 'true') {
  // X-Frame-Options: deny — the page may not be framed at all
  app.use(helmet.xframe('deny'));
}
if (process.env.IEXSS_PROTECTION_DISABLED != 'true') {
  // Legacy browser XSS filter header
  app.use(helmet.iexss());
}
// Hide that we're using Express
app.use(helmet.hidePoweredBy());
app.use(express.compress());
app.use(express.bodyParser());
// Session first, then CSRF: the order is significant because the later
// project-defined middleware (csrf, addCsrfToken) build on what the earlier
// ones attach to the request — their contracts are not visible here.
app.use(middleware.session());
// NOTE(review): every path in this whitelist is presumably exempt from the
// CSRF check; '/api/user' in particular should be confirmed to be safe to
// call without a token.
app.use(middleware.csrf({ whitelist: [ '/persona/login', '/persona/logout', '/persona/verify', '/api/user'] }));
app.use(middleware.sass(staticDir, staticRoot));
app.use(middleware.addCsrfToken);
app.use(middleware.debug);
app.use(staticRoot, express.static(staticDir));
// Persona login wiring: the redirects object maps the not-logged-in and
// not-logged-out cases to target paths; selectors name the login/logout
// elements in the page.
persona.express(app, { audience: config('PERSONA_AUDIENCE'),
  redirects: { notLoggedIn: '/', notLoggedOut: '/directory' },
  selectors: { login: '.js-login', logout: '.js-logout' },
  middleware: middleware.clearSession });
// Handler chain placed in front of routes that require a logged-in user who
// is also present in ACCESS_LIST; failures render sorry.html.
var secureRouteHandlers = [persona.ensureLoggedIn(), middleware.verifyPermission(config('ACCESS_LIST', []), 'sorry.html')];
/**
 * Attach the individual helmet header middleware to an Express app.
 *
 * Registers, in order: xssFilter, noSniff, frameguard, ieNoOpen, the
 * crossdomain() handler (a free-standing function in this file, not a helmet
 * method) and hidePoweredBy. Each factory is invoked at registration time.
 *
 * @param {object} app - Express application exposing app.use(middleware)
 */
function initHelmetHeaders(app) {
  // Factories are wrapped in arrows so each helmet method is still invoked
  // as a method on the helmet object, exactly as a direct call would be.
  const factories = [
    () => helmet.xssFilter(),
    () => helmet.noSniff(),
    () => helmet.frameguard(),
    () => helmet.ieNoOpen(),
    () => crossdomain(),
    () => helmet.hidePoweredBy(),
  ];
  factories.forEach((factory) => app.use(factory()));
}
// Disabling this. Will probably need to dynamically
// set this based on the referrer URL and match if it's *.atlassian.net or *.jira.com
// app.use(helmet.frameguard({ action: 'deny' }))
// MIME-Handling: Force Save in IE
app.use(helmet.ieNoOpen())
// Disable cachingç
app.use(helmet.noCache())
// Disable mimetype sniffing
app.use(helmet.noSniff())
// Basic XSS Protection
app.use(helmet.xssFilter())
// Remove the X-Powered-By
// This particular combination of methods works
frontendApp.disable('x-powered-by')
app.use(helmet.hidePoweredBy())
}
const express = require('express')
const helmet = require('helmet')
// Required here but not applied anywhere in the lines shown; confirm it is
// wired up elsewhere, otherwise no Content-Security-Policy is sent.
const helmetCsp = require('helmet-csp')
const webpack = require('webpack')
const bodyParser = require('body-parser')
const config = require('../config')
const app = express()

// Protection headers: only these three helmet middleware are enabled here.
app.use(helmet.xssFilter())
app.use(helmet.frameguard())
app.use(helmet.hidePoweredBy())
// Body parsers with their default size limits
app.use(bodyParser.urlencoded({
  extended: false
}))
app.use(bodyParser.json())
// Static files: the local `static` directory is served under /public
app.use('/public', express.static('static'))
// API routes
const router = require('../routes')
app.use('/api', router)
app.use(require('connect-history-api-fallback')({
export default (DI, app, config) => {
// Content-Security-Policy. NOTE(review): 'unsafe-inline' and 'unsafe-eval' in
// scriptSrc largely cancel the script-injection protection CSP exists to give;
// treat them as a migration step rather than the final policy. Violation
// reports are posted to config.cspReportUrl.
app.use(helmet.csp({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    imgSrc: ["'self'", "data:"],
    reportUri: `${config.cspReportUrl}`,
  },
}));
app.use(helmet.xssFilter());
app.use(helmet.noSniff());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
// Force convert parameters to strings. String() turns nested objects into
// "[object Object]" and arrays into comma-joined text, so structured bodies
// are flattened here rather than rejected; validation below sees strings only.
app.use((req, res, next) => {
  req.body = _.mapValues(req.body, v => String(v));
  req.query = _.mapValues(req.query, v => String(v));
  next();
});
app.use(expressValidator());
// Expose CSRF token to view: csrf() runs first so the following middleware
// can read req.csrfToken() into res.locals.
app.use(csrf());
app.use((req, res, next) => {
if (req.csrfToken) {
res.locals.csrfToken = req.csrfToken();
} else {
cookie: { secure: httpsEnabled },
resave: false,
saveUninitialized: true
};
// Set compression before any routes (responses smaller than 512 bytes are
// left uncompressed)
app.use(compression({ threshold: 512 }));
app.use(cookieParser());
app.io.session(session);
auth.setup(app, session, core);
// Security protections
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.xssFilter());
// Strict-Transport-Security for one year (31536000 s), covering subdomains
// and opting into browser preload lists. `force: httpsEnabled` presumably
// sends the header even when the request is not seen as secure — confirm
// against the helmet version in use. NOTE(review): preload is effectively
// irreversible once the domain is submitted, so every subdomain must be
// HTTPS-ready before this ships.
app.use(helmet.hsts({
  maxAge: 31536000,
  includeSubdomains: true,
  force: httpsEnabled,
  preload: true
}));
app.use(helmet.contentSecurityPolicy({
defaultSrc: ['\'none\''],
connectSrc: ['*'],
scriptSrc: ['\'self\'', '\'unsafe-eval\''],
styleSrc: ['\'self\'', 'fonts.googleapis.com', '\'unsafe-inline\''],
fontSrc: ['\'self\'', 'fonts.gstatic.com'],
mediaSrc: ['\'self\''],
publishRunning.splice(publishRunning.indexOf(seq), 1);
if(error)
{
console.log(error.toString());
emitError(res, 500, error.toString());
return;
}
emitSuccess(res, 'The project was successfully published.')
}}(seq));
}
var app = express()
.use(express.logger(':remote-addr :method :url :status :res[content-length] - :response-time ms'))
.use(helmet.hidePoweredBy())
.use(helmet.xframe('sameorigin'))
.use(helmet.xssFilter())
.use(helmet.ienoopen())
.use(helmet.nosniff())
.use(helmet.crossdomain())
.use(function(req, res, next)
{
req.url = req.url.replace(/^\/build\/data\//, '/data/');
next();
})
.use(function(req, res, next)
{
if(req.url.indexOf('?_') > -1)
req.url = req.url.substring(0, req.url.indexOf('?_'));
next();
},
reportOnly: false,
setAllHeaders: false,
disableAndroid: false,
browserSniff: true
}))
/****
 * xssFilter header FWIW
 * https://github.com/helmetjs/helmet#xss-filter-xssfilter
 * NOTE(review): X-XSS-Protection is a legacy header that modern browsers have
 * largely dropped; it is not a substitute for a Content-Security-Policy.
 */
expressApp.use(helmet.xssFilter())
/****
* Frameguard stops the page being put in a or