https://github.com/ether/ep_helmet
Adds security headers to Etherpad Express responses, including CSP (Content Security Policy) and X-Frame-Options
- Host: GitHub
- URL: https://github.com/ether/ep_helmet
- Owner: ether
- License: other
- Created: 2020-04-26T15:46:23.000Z (almost 6 years ago)
- Default Branch: main
- Last Pushed: 2024-03-16T21:45:58.000Z (almost 2 years ago)
- Last Synced: 2025-03-22T17:48:19.679Z (11 months ago)
- Language: JavaScript
- Homepage:
- Size: 241 KB
- Stars: 3
- Watchers: 3
- Forks: 4
- Open Issues: 8
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE.md
README
Etherpad plugin that wires Helmet into Etherpad's Express app. Helmet sets HTTP security headers on Express responses; see the Helmet docs for its capabilities. Through Helmet's frameguard and CSP options the plugin also controls whether Etherpad may be embedded in an iframe.
# Usage
Basic usage is simple: just install the plugin.
# Advanced usage
The `ep_helmet` object in Etherpad's `settings.json` is handed to Helmet, so its keys and values are the ones Helmet's own options accept. For CSP that means the same `directives` object Helmet exposes.
## CSP
```
"ep_helmet": {
  "csp": {
    "directives": {
      "objectSrc": ["'none'"],
      "upgradeInsecureRequests": true,
      "workerSrc": false
    }
  }
}
```
The CSP above is a starting point and will need to be tightened over time: it sets `object-src 'none'` and `upgrade-insecure-requests`, disables `worker-src`, and says nothing about `script-src`, so whatever the installed Helmet version does by default applies there. A strict `script-src` will block Etherpad's inline scripts until the nonce support listed under Todo exists.
https://ponyfoo.com/articles/content-security-policy-in-express-apps is a good write-up of CSP in Express apps and should be followed here.
## Frameguard
Frameguard sets the `X-Frame-Options` header, which controls whether Etherpad may be embedded in an iframe. The `allow-from` action below is the one this plugin documents, but `ALLOW-FROM` is obsolete: browsers that never implemented it (Chrome and Safari among them) ignore the whole header when they see it, and Helmet 4 and later only accept `deny` and `sameorigin`. To allow embedding from a single origin in current browsers, use the CSP `frame-ancestors` directive instead (`frameAncestors` in the `csp.directives` block above); where both are sent, browsers that support `frame-ancestors` give it precedence.
```
"ep_helmet": {
  "frameguard": {
    "action": "allow-from",
    "domain": "https://DOMAINIFRAMEWILLBEHOSTEDIN.com"
  }
}
```
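The following is an added example that serves both the CSP and the Frameguard sections above; it is not code from ep_helmet or from Helmet. It models how a Helmet-style `directives` object (the shape used in `settings.json` above) becomes a `Content-Security-Policy` header value, and then audits a set of response headers the way you would check a running Etherpad with `curl -I`. The mapping rules in the comments (camelCase key to dash-case directive, arrays joined with spaces, `true` as a bare directive, `false`/`null` omitted) are an assumption about Helmet's behaviour and should be checked against the Helmet version you run; the sample header sets are constructed here, and `DOMAINIFRAMEWILLBEHOSTEDIN.com` is the README's placeholder, not a real host.

```javascript
// Added example, not code from ep_helmet or Helmet. Runs under Node with no
// dependencies.
//
// Assumed mapping from a Helmet-style "directives" object to a CSP header
// (verify against the Helmet version you actually run):
//   camelCase key  -> dash-case directive name
//   array value    -> directive followed by its space-joined sources
//   true           -> bare directive (e.g. upgrade-insecure-requests)
//   false or null  -> directive omitted

function toDirectiveName(key) {
  return key.includes("-") ? key : key.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Build the header value Helmet would send for a directives object.
function buildCsp(directives) {
  const parts = [];
  for (const [key, value] of Object.entries(directives)) {
    const name = toDirectiveName(key);
    if (value === false || value === null) continue;
    if (value === true) {
      parts.push(name);
    } else if (Array.isArray(value) && value.every((v) => typeof v === "string")) {
      parts.push(`${name} ${value.join(" ")}`);
    } else {
      throw new TypeError(`unsupported value for directive ${name}`);
    }
  }
  return parts.join("; ");
}

// Parse a CSP header value into { "directive-name": [sources...] }.
function parseCsp(header) {
  const out = {};
  for (const clause of header.split(";")) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name.toLowerCase()] = sources;
  }
  return out;
}

// Audit a response header map (lower-case names, as Node's http module returns
// them). Returns a list of findings; an empty list means every check passed.
function auditHeaders(headers) {
  const findings = [];
  const cspValue = headers["content-security-policy"];
  const xfo = headers["x-frame-options"];
  const csp = cspValue ? parseCsp(cspValue) : {};

  if (!cspValue) findings.push("missing Content-Security-Policy");
  if (!(csp["object-src"] || []).includes("'none'")) findings.push("object-src is not 'none'");
  if ((csp["script-src"] || []).includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (!csp["frame-ancestors"] && !xfo) {
    findings.push("no framing control (neither frame-ancestors nor X-Frame-Options)");
  }
  if (xfo && /^allow-from\b/i.test(xfo.trim())) {
    findings.push("X-Frame-Options ALLOW-FROM is obsolete; browsers that do not implement it ignore the header, use frame-ancestors");
  }
  return findings;
}

// Constructed sample 1: the README's csp block plus its allow-from frameguard.
const readmeCsp = { objectSrc: ["'none'"], upgradeInsecureRequests: true, workerSrc: false };
const readmeHeaders = {
  "content-security-policy": buildCsp(readmeCsp),
  "x-frame-options": "ALLOW-FROM https://DOMAINIFRAMEWILLBEHOSTEDIN.com",
};

// Constructed sample 2: the same policy, with embedding allowed through
// frame-ancestors instead of the obsolete ALLOW-FROM.
const hardenedCsp = {
  ...readmeCsp,
  frameAncestors: ["'self'", "https://DOMAINIFRAMEWILLBEHOSTEDIN.com"],
};
const hardenedHeaders = { "content-security-policy": buildCsp(hardenedCsp) };

console.log(readmeHeaders["content-security-policy"]);
console.log(auditHeaders(readmeHeaders));
console.log(hardenedHeaders["content-security-policy"]);
console.log(auditHeaders(hardenedHeaders));
```

Running it against the README's configuration reports one finding (the `ALLOW-FROM` header); the `frame-ancestors` variant reports none. To audit a real deployment, replace the constructed header maps with the `headers` object of an `http.get` response for your pad URL.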
# Todo
- [ ] Provide a good CSP example for Etherpad
- [ ] Provide improved security for Etherpad (for example a nonce-based CSP for inline scripts)
# License
Apache 2