Improving security with HTTP headers and helmet

Helmet is a collection of Express middleware that sets HTTP response headers which instruct the browser to enforce various protections; for more information on helmet visit https://npmjs.org/package/helmet.

Helmet supports the following:

  • csp (Content-Security-Policy)
  • hsts (Strict-Transport-Security)
  • xframe (X-Frame-Options)
  • iexss (X-XSS-Protection, honoured by IE8+ and some WebKit-based browsers)
  • contentTypeOptions (X-Content-Type-Options: nosniff)
  • cacheControl (Cache-Control: no-store, no-cache)

These are the method names of the helmet release this book targets; later helmet versions renamed several of them (for example helmet.frameguard(), helmet.noSniff(), helmet.xssFilter() and helmet.contentSecurityPolicy()), so check the documentation of the version you install before copying the calls below.

Let's extend our security module, ./lib/security/index.js, and add the helmet middleware that addresses the issues discussed previously:

var express = require('express')
  , helmet = require('helmet');

function Security(app) {
  // Skip the security middleware under test and coverage runs. Note that this
  // also means the automated tests never exercise the headers themselves.
  if (process.env['NODE_ENV'] === "TEST" ||
      process.env['NODE_ENV'] === "COVERAGE") return;

  // Deny framing by other origins (clickjacking protection).
  app.use(helmet.xframe());
  // ... the remaining helmet middleware follows
}

module.exports = Security;
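To make it concrete what each of the helmet middlewares above actually does to a response, here is an added example (not the book's code and not helmet's source) with dependency-free stand-ins for them. The function names mirror the book's helmet API, but the option signatures, the requirement that HSTS is only sent on TLS requests, and the CSP validation are this example's own assumptions. A tiny fake app and response let you see the resulting header map without installing express or helmet.

```javascript
'use strict';
// Each factory returns an Express-style middleware (req, res, next) that sets one header.
// These mirror the book's helmet method names but are a hand-rolled approximation.

function xframe(action) {
  const value = String(action || 'SAMEORIGIN').toUpperCase();
  // Only DENY and SAMEORIGIN are reliably supported; reject anything else.
  if (value !== 'DENY' && value !== 'SAMEORIGIN') {
    throw new Error('X-Frame-Options must be DENY or SAMEORIGIN');
  }
  return (req, res, next) => { res.setHeader('X-Frame-Options', value); next(); };
}

function hsts(maxAgeSeconds, includeSubDomains) {
  // Default of 180 days if no valid max-age is given (assumed default, not helmet's).
  const maxAge = Number.isInteger(maxAgeSeconds) && maxAgeSeconds > 0 ? maxAgeSeconds : 15552000;
  const value = 'max-age=' + maxAge + (includeSubDomains ? '; includeSubDomains' : '');
  return (req, res, next) => {
    // Browsers only honour HSTS received over TLS, so send it on secure requests only.
    if (req.secure) res.setHeader('Strict-Transport-Security', value);
    next();
  };
}

function csp(directives) {
  // directives: { 'default-src': ["'self'"], 'script-src': ["'self'", 'https://cdn.example.com'] }
  const parts = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (!/^[a-z-]+$/.test(name)) throw new Error('bad CSP directive name: ' + name);
    if (!Array.isArray(sources) || sources.length === 0) throw new Error(name + ' needs a source list');
    for (const s of sources) {
      // Keyword sources must be single-quoted, otherwise the browser treats them as host names.
      if (/^(self|none|unsafe-inline|unsafe-eval)$/.test(s)) throw new Error("quote keyword source '" + s + "'");
      if (/[;,]/.test(s)) throw new Error('source contains a delimiter: ' + s);
    }
    parts.push(name + ' ' + sources.join(' '));
  }
  const value = parts.join('; ');
  return (req, res, next) => { res.setHeader('Content-Security-Policy', value); next(); };
}

function iexss() {
  return (req, res, next) => { res.setHeader('X-XSS-Protection', '1; mode=block'); next(); };
}

function contentTypeOptions() {
  return (req, res, next) => { res.setHeader('X-Content-Type-Options', 'nosniff'); next(); };
}

function cacheControl() {
  return (req, res, next) => { res.setHeader('Cache-Control', 'no-store, no-cache'); next(); };
}

// Same shape as the book's Security(app) module, applied to anything with app.use().
function security(app) {
  app.use(xframe('DENY'));
  app.use(hsts(31536000, true));
  app.use(csp({ 'default-src': ["'self'"], 'script-src': ["'self'"], 'object-src': ["'none'"] }));
  app.use(iexss());
  app.use(contentTypeOptions());
  app.use(cacheControl());
}

// Minimal harness: an app that records middleware and a response that records headers.
function fakeApp() {
  const stack = [];
  return { use: (fn) => stack.push(fn), stack };
}

function respond(app, req) {
  const headers = {};
  const res = { setHeader: (k, v) => { headers[k] = v; } };
  let i = 0;
  const next = () => { if (i < app.stack.length) app.stack[i++](req, res, next); };
  next();
  return headers;
}

// headersFor({ secure: true }) returns the header map the stack would set on that request.
function headersFor(req) {
  const app = fakeApp();
  security(app);
  return respond(app, req);
}

console.log(headersFor({ secure: true }));
```

In a real deployment the same checks are worth running against the live server (for example with curl -I over HTTPS), since a reverse proxy that terminates TLS can leave req.secure unset and silently drop the HSTS header unless Express's trust proxy setting is configured.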
