Code Monkey home page Code Monkey logo

hood's Introduction

hood

Build Status NPM version

Cover your head.

Security headers middleware for connect or express.

Further readings on middlewares can be found here

hood

Usage

var hood = require('hood');
app.use(hood());

This will setup sane defaults for most apps. You can also pass options to configure each middleware.

app.use(hood({
  csp: "default-src 'unsafe-inline'",
  hsts: false // pass false to disable a middlware
}));

Each middleware is also available individually.

csp

app.use(hood.csp());
app.use(hood.csp({
  policy: {
    'default-src': ['self', 'unsafe-inline']
  }
}));
app.use(hood.csp("default-src 'self';"));

// to use Report-Only
app.use(hood.csp({
  policy: somePolicy,
  reportOnly: true
}))
app.use(hood.csp(policyStr, true));

hsts

Only applies header if request is secure. Checks req.connection.encrypted and req.connection.proxySecure.

app.use(hood.hsts());
app.use(hood.hsts({
  maxAge: 1000, // seconds
  includeSubdomains: true // default false
}));
app.use(hood.hsts(1000, true));

xframe

app.use(hood.xframe()) // DENY
app.use(hood.xframe({
  sameOrigin: true
}));
app.use(hood.xframe({
  allow: 'http://example.domain'
}));
app.use(hood.xframe('SAMEORIGIN'));
app.use(hood.xframe('ALLOW-FROM http://example.domain'));

nosniff

app.use(hood.nosniff());

header

A convenience method when you need to add arbitrary headers to all requests.

app.use(hood.header('x-foo', 'bar'));
app.use(hood.header({
  'x-foo': 'bar',
  'x-baz': 'quux'
}));

hood's People

Contributors

seanmonstar avatar emostar avatar

Stargazers

Moses avatar Masahiro Saito avatar Debdut Biswas avatar Scott Dowding avatar Michael Ball avatar Glenn 'devalias' Grant avatar Jay Zeschin avatar Ji.K avatar Zen Li avatar Nikolay Kolev avatar Ryan Boucher avatar Ignacio Lago avatar Patrick Deroubaix avatar Gavin Suntop avatar avatar Matt Tortolani avatar Hengki Sihombing avatar Ragunath Jawahar avatar Carter Tsai avatar Gergely Nemeth avatar Mirco Zeiss avatar

Watchers

avatar James Cloos avatar Carter Tsai avatar Yared Getachew avatar avatar

Forkers

gergelyke emostar doodlemoonch bitoneinc

hood's Issues

Add support for Report-Only header

The counterpart to the CSP header is the CSP-Report-Only header. Instead of enforcing CSP, it'll print out the violations to the console and send a violation report if configured to do so.

I image it would be an additional option to the csp() configuration:

app.use(hood.csp({
  policy: {
    'default-src': ['self', 'unsafe-inline']
  },
  reportOnly: {
    'default-src': ['self']
  }
}));

I don't know how this would work best with the string parameter. Having two parameters would work, like hood.csp(policy, reportOnly) but that's kinda ugly.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.