@davaux/helmet
v0.9.0
Published
Security headers middleware for Davaux
Readme
@davaux/helmet
Security headers middleware for Davaux. Sets CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and X-DNS-Prefetch-Control with sensible defaults.
Installation
npm install @davaux/helmetSetup
// davaux.config.ts
import { defineConfig } from 'davaux/config'
import { helmet } from '@davaux/helmet'
export default defineConfig({
middleware: [helmet()],
})All headers are enabled by default. Pass false to disable any of them:
helmet({
hsts: false, // disable in development
xFrameOptions: 'DENY',
contentSecurityPolicy: {
directives: {
'script-src': ["'self'", 'https://cdn.example.com'],
},
},
})Options
| Option | Type | Default | Description |
|---|---|---|---|
| contentSecurityPolicy | false \| CspOptions | Enabled with defaults | Content-Security-Policy header |
| hsts | false \| HstsOptions | Enabled, 180 days | Strict-Transport-Security header |
| xFrameOptions | false \| 'DENY' \| 'SAMEORIGIN' | 'SAMEORIGIN' | X-Frame-Options header |
| xContentTypeOptions | false | Enabled (nosniff) | X-Content-Type-Options header |
| referrerPolicy | false \| string | 'strict-origin-when-cross-origin' | Referrer-Policy header |
| permissionsPolicy | false \| Record<string, string[]> | Camera/mic/geo/payment blocked | Permissions-Policy header |
| dnsPrefetchControl | false | Enabled (off) | X-DNS-Prefetch-Control header |
Defaults
Calling helmet() with no arguments sets these headers:
Content-Security-Policy (directives merged with any overrides you provide):
default-src 'self'
script-src 'self'
style-src 'self' 'unsafe-inline'
img-src 'self' data:
font-src 'self'
connect-src 'self'
object-src 'none'
base-uri 'self'
form-action 'self'Strict-Transport-Security: max-age=15552000; includeSubDomains (180 days)
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
Notes
- All header values are pre-computed at middleware creation time — zero per-request overhead
- When passing
contentSecurityPolicy.directives, your directives are merged with the defaults above — you only need to specify the ones you want to change or add
