Cover your head.
Security headers middleware for connect or express.
Further readings on middlewares can be found here
var hood = require('hood');
app.use(hood());
This will setup sane defaults for most apps. You can also pass options to configure each middleware.
app.use(hood({
csp: "default-src 'unsafe-inline'",
hsts: false // pass false to disable a middlware
}));
Each middleware is also available individually.
app.use(hood.csp());
app.use(hood.csp({
policy: {
'default-src': ['self', 'unsafe-inline']
}
}));
app.use(hood.csp("default-src 'self';"));
// to use Report-Only
app.use(hood.csp({
policy: somePolicy,
reportOnly: true
}))
app.use(hood.csp(policyStr, true));
Only applies header if request is secure. Checks req.connection.encrypted
and req.connection.proxySecure
.
app.use(hood.hsts());
app.use(hood.hsts({
maxAge: 1000, // seconds
includeSubdomains: true // default false
}));
app.use(hood.hsts(1000, true));
app.use(hood.xframe()) // DENY
app.use(hood.xframe({
sameOrigin: true
}));
app.use(hood.xframe({
allow: 'http://example.domain'
}));
app.use(hood.xframe('SAMEORIGIN'));
app.use(hood.xframe('ALLOW-FROM http://example.domain'));
app.use(hood.nosniff());
A convenience method when you need to add arbitrary headers to all requests.
app.use(hood.header('x-foo', 'bar'));
app.use(hood.header({
'x-foo': 'bar',
'x-baz': 'quux'
}));