express-securityheaders
v1.0.18
Published
Add security related headers to an express application.
Downloads
28
Maintainers
Readme
express-securityheaders
Add security related headers to an express application.
Description
express-securityheaders add's a default set of security headers to secure your express applications.
The following are set by default:
Content-Security-Policy: default-src 'self'
Permissions-Policy: ""
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: no-referrer
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Clear-Site-Data: "*"
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
The X-Powered-By header is removed.
Test your application headers using https://securityheaders.com
Install
- Install with npm
npm install express-securityheaders --save
Examples
- Basic usage with default headers
const express = require("express");
const SecurityHeaders = require('express-securityheaders');
var app = express();
app.use(SecurityHeaders());
- Override a default header
const express = require("express");
const SecurityHeaders = require('express-securityheaders');
var app = express();
app.use(SecurityHeaders({
"Content-Security-Policy": "default-src 'self' cdn.jsdelivr.net"
}));
- Override multiple default headers
const express = require("express");
const SecurityHeaders = require('express-securityheaders');
var app = express();
app.use(SecurityHeaders({
"Content-Security-Policy": "default-src 'self' cdn.jsdelivr.net",
"X-Frame-Options": "SAMEORIGIN",
"referrer-policy": "strict-origin-when-cross-origin"
}));
- Add new header
const express = require("express");
const SecurityHeaders = require('express-securityheaders');
var app = express();
app.use(SecurityHeaders({
"my-header": "my-header content"
}));
- Remove a header
const express = require("express");
const SecurityHeaders = require('express-securityheaders');
var app = express();
app.use(SecurityHeaders({
"Content-Security-Policy": false
}));