https://github.com/thinkjs/think-helmet

Important security headers for ThinkJS 3
https://github.com/thinkjs/think-helmet

helmet thinkjs

Last synced: 12 days ago
JSON representation

Important security headers for ThinkJS 3

• Host: GitHub
• URL: https://github.com/thinkjs/think-helmet
• Owner: thinkjs
• License: mit
• Created: 2017-10-21T03:28:31.000Z (over 7 years ago)
• Default Branch: master
• Last Pushed: 2019-04-17T09:08:07.000Z (about 6 years ago)
• Last Synced: 2025-03-16T18:56:51.903Z (about 1 month ago)
• Topics: helmet, thinkjs
• Language: JavaScript
• Size: 6.84 KB
• Stars: 0
• Watchers: 12
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# think-helmet

[![npm](https://img.shields.io/npm/v/think-helmet.svg?style=flat-square)]()

[![Travis](https://img.shields.io/travis/thinkjs/think-helmet.svg?style=flat-square)]()

[![Coveralls](https://img.shields.io/coveralls/thinkjs/think-helmet/master.svg?style=flat-square)]()

[![David](https://img.shields.io/david/thinkjs/think-helmet.svg?style=flat-square)]()

think-helmet is a wrapper for [helmet](https://github.com/helmetjs/helmet) to work with ThinkJS 3.x. It provides important security headers to make your app more secure by default.

## Installation

```

npm install think-helmet --save

```

## Usage

```js

// src/config/middleware.js

module.exports = [{

  handle: require('think-helmet'),

  options: {

  }

}]

```

Helmet offers 11 security headers:

| Module | Default? |

|---|---|

| [contentSecurityPolicy](https://helmetjs.github.io/docs/csp/) for setting Content Security Policy |  |

| [dnsPrefetchControl](https://helmetjs.github.io/docs/dns-prefetch-control) controls browser DNS prefetching | ✓ |

| [frameguard](https://helmetjs.github.io/docs/frameguard/) to prevent clickjacking | ✓ |

| [hidePoweredBy](https://helmetjs.github.io/docs/hide-powered-by) to remove the X-Powered-By header | ✓ |

| [hpkp](https://helmetjs.github.io/docs/hpkp/) for HTTP Public Key Pinning |  |

| [hsts](https://helmetjs.github.io/docs/hsts/) for HTTP Strict Transport Security | ✓ |

| [ieNoOpen](https://helmetjs.github.io/docs/ienoopen) sets X-Download-Options for IE8+ | ✓ |

| [noCache](https://helmetjs.github.io/docs/nocache/) to disable client-side caching |  |

| [noSniff](https://helmetjs.github.io/docs/dont-sniff-mimetype) to keep clients from sniffing the MIME type | ✓ |

| [referrerPolicy](https://helmetjs.github.io/docs/referrer-policy) to hide the Referer header |  |

| [xssFilter](https://helmetjs.github.io/docs/xss-filter) adds some small XSS protections | ✓ |

You can see more in [the documentation](https://helmetjs.github.io/docs/).

Note:

-----

In order to work well with the helmet HSTS module, think-helmet will augment

`this.request` to include a `secure` boolean to determine if the request

is over HTTPS.

## Examples

```js

// src/config/middleware.js

module.exports = [{

  handle: require('think-helmet'),

  options: {

    contentSecurityPolicy: { // set content security policy directives

      directives: {

        defaultSrc: ["'self'"],

        styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com']

      }

    },

    dnsPrefetchControl: false // disable dns prefetch control

  }

}]

```