Improving security with HTTP headers and helmet
Helmet is a collection of Express middleware that sets various security-related HTTP response headers. These headers instruct the browser to enable client-side protections (for example refusing to be framed, or insisting on HTTPS); they complement, but do not replace, server-side input validation and access control. For more information on helmet visit https://npmjs.org/package/helmet.
Helmet supports the following (the method names below are those used by the helmet release this example targets; check the release you install):
csp (Content-Security-Policy; listed for completeness, but not enabled in the module below)
hsts (Strict-Transport-Security, i.e. HTTP Strict Transport Security — only effective when the application is actually served over HTTPS)
xframe (X-Frame-Options, which stops the page from being embedded in frames on other sites — a clickjacking defence)
iexss (X-XSS-Protection, the reflected-XSS filter in IE8 and later)
contentTypeOptions (X-Content-Type-Options: nosniff, which stops browsers from MIME-sniffing a response away from its declared Content-Type)
cacheControl (Cache-Control: no-store, no-cache, so sensitive responses are not retained in browser or proxy caches)
Let's extend our security module, ./lib/security/index.js, and add the helmet middleware that addresses the issues discussed earlier. Note that the listing also registers express.csrf(), and that the whole function returns early when NODE_ENV is TEST or COVERAGE — so none of these protections are active during test runs:
var express = require('express'),
    helmet = require('helmet');

/**
 * Installs helmet's security-header middleware plus Express's CSRF
 * protection on an Express application.
 *
 * Registration is skipped entirely when NODE_ENV is exactly "TEST" or
 * "COVERAGE" (case-sensitive). That means test runs never exercise these
 * headers or the CSRF check — keep this in mind if a test suite is meant
 * to verify them.
 *
 * Mount order matters: express.csrf() relies on session/body-parsing
 * middleware being registered before this function is called (not shown
 * here — confirm in the app setup). helmet.csp() is not enabled here.
 *
 * @param {object} app - Express application (anything exposing use()).
 * @returns {undefined}
 */
function Security(app) {
  var env = process.env['NODE_ENV'];
  var skipSecurity = env === "TEST" || env === "COVERAGE";
  if (skipSecurity) {
    return;
  }

  // Response-header middleware from helmet, mounted in this order.
  var headerMiddleware = [
    helmet.xframe(),             // X-Frame-Options (clickjacking)
    helmet.hsts(),               // Strict-Transport-Security (only meaningful over HTTPS)
    helmet.iexss(),              // X-XSS-Protection
    helmet.contentTypeOptions(), // X-Content-Type-Options: nosniff
    helmet.cacheControl()        // Cache-Control: no-store, no-cache
  ];
  headerMiddleware.forEach(function (middleware) {
    app.use(middleware);
  });

  // Express's built-in CSRF token check, registered after the headers.
  app.use(express.csrf());
}

module.exports = Security;