// Content-Security-Policy: https://github.com/helmetjs/csp
// Scripts and styles are limited to this origin plus anything carrying the
// per-response nonce read from res.locals.nonce. Nothing in view sets that
// value: the middleware that does must run before this one and must produce a
// fresh, unguessable nonce (e.g. crypto.randomBytes) for every response — a
// static or predictable nonce makes the nonce allow-list trivially bypassable.
// NOTE(review): object-src is not set, so it inherits default-src 'self'
// (`objectSrc: ["'none'"]` is the usual hardening when no plugins are served);
// form-action has no default-src fallback and is therefore unrestricted here.
// The options after `directives` (setAllHeaders, browserSniff) are from the
// helmet-csp 2.x API — confirm they are still honoured by the installed helmet.
const cspNonce = (req, res) => `'nonce-${res.locals.nonce}'`;
const cspDirectives = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'", cspNonce],
  styleSrc: ["'self'", cspNonce],
  baseUri: ["'self'"],
  connectSrc: ["'self'", 'wss:'],
  frameAncestors: ["'none'"],
  reportUri: config.csp.reportUri,
};
app.use(helmet.contentSecurityPolicy({
  directives: cspDirectives,
  setAllHeaders: false, // only the standard Content-Security-Policy header
  reportOnly: false,    // enforce the policy rather than just reporting it
  browserSniff: false,  // same header for every user agent
})); /* eslint-enable */
// Public-Key-Pins: https://github.com/helmetjs/hpkp
// NOTE(review): HPKP is deprecated and no longer enforced by any major browser
// (helmet dropped hpkp in v4). It is also a self-inflicted denial-of-service
// risk: a pin set that no longer matches the served chain locks clients out
// for the whole max-age, and with includeSubdomains that covers every
// subdomain. If it is kept, keep maxAge short, keep a backup pin for a key
// held offline, and consider reportOnly until the rotation process is proven.
// `ms()` returns milliseconds; Helmet 3+ expects maxAge in seconds.
const pinOptions = {
  maxAge: ms(config.hpkp.maxAge) / 1000,
  sha256s: config.hpkp.sha256s,
  includeSubdomains: true,
  reportUri: config.hpkp.reportUri,
  reportOnly: false,
};
app.use(helmet.hpkp(pinOptions));
// X-DNS-Prefetch-Control: https://github.com/helmetjs/dns-prefetch-control
// `off`: browsers must not resolve hostnames found in links ahead of a click,
// which would otherwise reveal link targets to the resolver.
const dnsPrefetch = helmet.dnsPrefetchControl({ allow: false });
// https://github.com/helmetjs/referrer-policy
// NOTE(review): `origin` still sends this site's origin on every cross-origin
// request, including HTTPS -> HTTP downgrades. `strict-origin-when-cross-origin`
// is the usual choice today; left unchanged here because it alters what third
// parties receive — check consumers before tightening.
const referrer = helmet.referrerPolicy({ policy: 'origin' });
// https://helmetjs.github.io/docs/expect-ct/
// NOTE(review): Expect-CT is deprecated (Chrome removed it; CT is now required
// unconditionally). With `enforce: true`, a certificate lacking valid SCTs is a
// hard failure rather than a report. `ms()` yields milliseconds, divided down
// to the seconds helmet expects.
const certTransparency = helmet.expectCt({
  enforce: true,
  maxAge: ms(config.expectCT.maxAge) / 1000,
  reportUri: config.expectCT.reportUri
});
app.use(dnsPrefetch);
app.use(referrer);
app.use(certTransparency);
// Collect the remaining hardening middlewares, then register them in the same
// order as before, one app.use() per header. `ms` and `hstsMA` come from
// outside this block (hstsMA is presumably an ms-style duration such as '1y'
// — confirm where it is defined).
const hardeningHeaders = [
  // X-Download-Options: noopen — stops Internet Explorer from opening a
  // download inside this site's context.
  // @see https://helmetjs.github.io/docs/ienoopen/
  helmet.ieNoOpen(),
  // Strict-Transport-Security: https://github.com/helmetjs/hsts
  // NOTE(review): `preload: true` signals intent to join the browser preload
  // list, which is hard to leave and is only accepted with max-age >= 1 year
  // plus includeSubDomains; every subdomain must already serve valid TLS.
  // The lowercase `includeSubdomains` spelling is a legacy alias — verify the
  // installed helmet still honours it. Divided by 1000 because Helmet 3+ takes
  // seconds while ms() returns milliseconds.
  helmet.hsts({
    maxAge: ms(hstsMA) / 1000,
    includeSubdomains: true,
    preload: true,
  }),
  // Public-Key-Pins: https://github.com/helmetjs/hpkp
  // NOTE(review): HPKP is deprecated and ignored by current browsers (helmet
  // dropped it in v4). The pins are hard-coded and the max-age is borrowed from
  // HSTS, so a key rotation that forgets this list locks clients out for that
  // whole window, on every subdomain. HPKP also requires one of the two pins to
  // be a backup key not in the served chain — verify that holds. Reports go to
  // a third-party report-uri.io account; confirm it is still owned by this
  // project before relying on it.
  helmet.hpkp({
    maxAge: ms(hstsMA) / 1000,
    sha256s: [
      'ENbaVbZki8BGBCq0jIUE8SJqvBnWf6CL8hkf4GYsg0A=',
      'E+nXO/0USWdc+uY6Q9iK9lfS99qFMgwk30N4vRV2XHI=',
    ],
    includeSubdomains: true,
    reportUri: 'https://report-uri.io/report/expresssecuritytest',
    reportOnly: false,
  }),
  // X-Content-Type-Options: nosniff — stops browsers from guessing MIME types,
  // which can turn an uploaded text file into executable script/HTML.
  // @see https://helmetjs.github.io/docs/dont-sniff-mimetype/
  helmet.noSniff(),
];
for (const middleware of hardeningHeaders) {
  app.use(middleware);
}
}
// Remaining hardening headers, built up front and then registered in the
// original order (one app.use() each). `ms` and `hstsMA` are defined outside
// this block; hstsMA is presumably an ms-style duration string — confirm.
const hardeningStack = [
  // X-Download-Options: noopen — Internet Explorer must not open a download
  // in this site's context. @see https://helmetjs.github.io/docs/ienoopen/
  helmet.ieNoOpen(),
  // Strict-Transport-Security: https://github.com/helmetjs/hsts
  // NOTE(review): `preload: true` is a request to be baked into browsers'
  // preload lists; that is effectively permanent and requires max-age >= 1
  // year plus includeSubDomains, so every subdomain needs working TLS first.
  // `includeSubdomains` (lowercase d) is a legacy alias — check the installed
  // helmet still accepts it. ms() -> milliseconds, helmet 3+ wants seconds.
  helmet.hsts({
    maxAge: ms(hstsMA) / 1000,
    includeSubdomains: true,
    preload: true,
  }),
  // Public-Key-Pins: https://github.com/helmetjs/hpkp
  // NOTE(review): deprecated and ignored by current browsers (removed from
  // helmet in v4). Hard-coded pins with an HSTS-length max-age mean a key
  // rotation that misses this file locks clients out of every subdomain for
  // the full window; one of the two pins must be an offline backup key. The
  // reportUri is a third-party report-uri.io account — confirm ownership.
  helmet.hpkp({
    maxAge: ms(hstsMA) / 1000,
    sha256s: [
      'ENbaVbZki8BGBCq0jIUE8SJqvBnWf6CL8hkf4GYsg0A=',
      'E+nXO/0USWdc+uY6Q9iK9lfS99qFMgwk30N4vRV2XHI=',
    ],
    includeSubdomains: true,
    reportUri: 'https://report-uri.io/report/expresssecuritytest',
    reportOnly: false,
  }),
  // X-Content-Type-Options: nosniff — no MIME sniffing of responses.
  // @see https://helmetjs.github.io/docs/dont-sniff-mimetype/
  helmet.noSniff(),
];
hardeningStack.forEach((header) => {
  app.use(header);
});
}
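/**
 * Builds a middleware that emits the Public-Key-Pins header from the `hpkp.*`
 * settings of `config`.
 *
 * The helmet middleware is created on the first request for which
 * `hpkp.enabled` is true, or eagerly when it is already enabled at load time
 * (so a bad pin configuration still fails fast in that case). Previously it
 * was always built at load time; helmet's hpkp validates its options when
 * constructed (it rejects a `sha256s` list with fewer than two pins and a
 * non-positive maxAge), so a deployment that disabled HPKP and simply left
 * the pins unset crashed on startup instead of skipping the header.
 *
 * NOTE(review): HPKP is deprecated and ignored by current browsers (helmet
 * removed it in v4); a stale pin set locks clients out for the whole max-age.
 * Keep `hpkp.enabled` false unless there is a tested rotation plan with an
 * offline backup pin, and prefer `hpkp.reportOnly` until that plan is proven.
 *
 * @param {{ get: function(string): *}} config - settings accessor; reads
 *   hpkp.enabled, hpkp.includeSubDomains, hpkp.maxAge (seconds, Helmet 3+),
 *   hpkp.reportOnly, hpkp.reportUri and hpkp.sha256s.
 * @returns {function(*, *, function): void} middleware that calls next()
 *   without setting anything while `hpkp.enabled` is false (re-checked on
 *   every request, as before).
 */
module.exports = function (config) {
  const buildHpkp = () => helmet.hpkp({
    includeSubdomains: config.get('hpkp.includeSubDomains'),
    maxAge: config.get('hpkp.maxAge'), // param is now seconds since Helmet 3
    reportOnly: config.get('hpkp.reportOnly'),
    reportUri: config.get('hpkp.reportUri'),
    sha256s: config.get('hpkp.sha256s')
  });
  // Built once; eagerly only when pinning is switched on at load time.
  let hpkpMiddleware = config.get('hpkp.enabled') ? buildHpkp() : null;
  return function (req, res, next) {
    if (! config.get('hpkp.enabled')) {
      return next();
    }
    if (hpkpMiddleware === null) {
      hpkpMiddleware = buildHpkp();
    }
    hpkpMiddleware(req, res, next);
  };
};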
imgSrc: ["'none'"],
connectSrc: ["'self'", 'ws:'],
fontSrc: ["'none'"],
objectSrc: ["'none'"],
mediaSrc: ["'none'"],
frameSrc: ["'none'"]
}))
// Remaining hardening headers, registered in the original order.
// NOTE(review): the numeric maxAge values read like milliseconds
// (31500000000 ms ≈ 1 year, 7776000000 ms = 90 days), which matches helmet < 3;
// helmet 3+ reads maxAge in seconds, on which these become ~1000 years of HSTS
// and ~250 years of pinning. Confirm the installed helmet major before upgrading.
const extraHeaders = [
  // X-XSS-Protection: the legacy reflective-XSS filter has been removed from
  // current browsers, and in older ones it has been reported as abusable for
  // cross-site leaks; current helmet sends `0` to switch it off.
  helmet.xssFilter(),
  // X-Frame-Options: DENY — clickjacking defence for browsers without CSP
  // frame-ancestors. The bare-string argument is the helmet < 3 form
  // (3+ takes `{ action: 'deny' }`).
  helmet.frameguard('deny'),
  // Strict-Transport-Security, also applied to every subdomain.
  helmet.hsts({
    maxAge: 31500000000,
    includeSubdomains: true
  }),
  // X-Download-Options: noopen (Internet Explorer only).
  helmet.ieNoOpen(),
  // X-Content-Type-Options: nosniff.
  helmet.noSniff(),
  // Public-Key-Pins from the per-environment pin list. Deprecated and ignored
  // by current browsers; with no reportUri, a broken pin set would only show
  // up as locked-out users. `env` is defined outside this block.
  helmet.hpkp({
    maxAge: 7776000000,
    sha256s: config[env].publicKeyPins
  })
]
extraHeaders.forEach((middleware) => app.use(middleware))
app.route(/^\/(colophon)?$/)
.get((req, res) => {
const pageNumber = +req.query.page || 1
countBookmarks((bookmarkCount) => {
bkmrkd.table('bookmarks').orderBy({
index: rethink.desc('createdOn')
}).skip(25 * (pageNumber - 1)).limit(25).run(connection, (err, cursor) => {
if (err) {
return res.render('500', {
message: 'There\'s been an error getting the initial list of bookmarks.'
})