/**
 * Builds the combined Helmet middleware chain.
 *
 * Every name in `middlewares` is looked up as a factory on `helmet` itself
 * and added to a fresh `connect()` chain according to `options[name]`:
 *   - `false`            → skipped entirely
 *   - `true`             → enabled with an empty options object
 *   - any other non-null → passed through as that middleware's options
 *   - missing / null     → enabled with `{}` only when the name is listed in
 *                          `config.defaultMiddleware`
 *
 * @param {Object} [options] per-middleware options keyed by middleware name
 * @returns {Function} the connect chain, usable as `(req, res, next)`
 */
function helmet(options) {
  var settings = options || {}
  var chain = connect()

  middlewares.forEach(function (name) {
    var factory = helmet[name]
    var setting = settings[name]
    var enabledByDefault = config.defaultMiddleware.indexOf(name) !== -1

    if (setting === false) {
      return
    }

    if (setting == null) {
      if (enabledByDefault) {
        chain.use(factory({}))
      }
      return
    }

    chain.use(factory(setting === true ? {} : setting))
  })

  return chain
}
n/a
/**
 * Creates the Content-Security-Policy middleware.
 *
 * @param {Object} options
 *   - `directives`: policy directives, normalised through `camelize`; when
 *     `containsFunction` reports a function-valued directive, values are
 *     resolved per request via `parseDynamicDirectives(directives, [req, res])`
 *   - `browserSniff`: unless exactly `false`, the User-Agent is parsed with
 *     `platform.parse` and the header names (`getHeaderKeysForBrowser`) and
 *     directives (`transformDirectivesForBrowser`) are adapted to the browser
 *   - `setAllHeaders`: emit every header name in `config.allHeaders`
 *   - `reportOnly`: boolean, or a `(req, res)` predicate, selecting the
 *     `-Report-Only` variant of each header
 * @returns {Function} `(req, res, next)` middleware
 * @throws whatever `checkOptions` throws for invalid options
 */
function csp(options) {
  checkOptions(options)

  var baseDirectives = camelize(options.directives || {})
  var hasDynamicDirectives = containsFunction(baseDirectives)
  var reportOnlyIsPredicate = isFunction(options.reportOnly)

  // Called at every point the original evaluated the report-only flag, so a
  // predicate is invoked exactly as often (once per header in sniff mode).
  function useReportOnly (req, res) {
    if (reportOnlyIsPredicate) {
      return options.reportOnly(req, res)
    }
    return options.reportOnly
  }

  if (options.browserSniff === false) {
    var fixedHeaderKeys = options.setAllHeaders
      ? config.allHeaders
      : ['Content-Security-Policy']

    return function csp (req, res, next) {
      // Without sniffing, dynamic resolution always runs, even for static policies.
      var directives = parseDynamicDirectives(baseDirectives, [req, res])
      var policyString = cspBuilder({ directives: directives })
      var suffix = useReportOnly(req, res) ? '-Report-Only' : ''

      fixedHeaderKeys.forEach(function (headerKey) {
        res.setHeader(headerKey + suffix, policyString)
      })

      next()
    }
  }

  return function csp (req, res, next) {
    var userAgent = req.headers['user-agent']
    var browser = userAgent ? platform.parse(userAgent) : {}

    // No User-Agent means no basis for sniffing, so fall back to every header.
    var headerKeys = (options.setAllHeaders || !userAgent)
      ? config.allHeaders
      : getHeaderKeysForBrowser(browser, options)

    if (headerKeys.length === 0) {
      next()
      return
    }

    var directives = transformDirectivesForBrowser(browser, baseDirectives)
    if (hasDynamicDirectives) {
      directives = parseDynamicDirectives(directives, [req, res])
    }
    var policyString = cspBuilder({ directives: directives })

    headerKeys.forEach(function (headerKey) {
      var name = useReportOnly(req, res) ? headerKey + '-Report-Only' : headerKey
      res.setHeader(name, policyString)
    })

    next()
  }
}
n/a
/**
 * Creates middleware that sets `X-DNS-Prefetch-Control`.
 *
 * @param {Object} [options]
 * @param {boolean} [options.allow=false] truthy sends `on`, otherwise `off`
 * @returns {Function} `(req, res, next)` middleware
 */
function dnsPrefetchControl(options) {
  var value = (options && options.allow) ? 'on' : 'off'

  return function dnsPrefetchControl (req, res, next) {
    res.setHeader('X-DNS-Prefetch-Control', value)
    next()
  }
}
n/a
/**
 * Creates middleware that sets `X-Frame-Options`.
 *
 * @param {Object} [options]
 * @param {string} [options.action='SAMEORIGIN'] `DENY`, `SAMEORIGIN` or
 *   `ALLOW-FROM`, case-insensitive; the spellings `ALLOWFROM` and
 *   `SAME-ORIGIN` are accepted as aliases
 * @param {string} [options.domain] required and non-empty when the action is
 *   `ALLOW-FROM`; appended verbatim to the header value
 * @returns {Function} `(req, res, next)` middleware
 * @throws {Error} on an unknown action, or a missing/empty domain for
 *   `ALLOW-FROM`
 */
function frameguard(options) {
  var opts = options || {}
  var action = opts.action
  var domain = opts.domain

  var directive
  if (action === undefined) {
    directive = 'SAMEORIGIN'
  } else if (isString(action)) {
    directive = action.toUpperCase()
  }

  // Fold the alias spellings onto the canonical tokens.
  switch (directive) {
    case 'ALLOWFROM':
      directive = 'ALLOW-FROM'
      break
    case 'SAME-ORIGIN':
      directive = 'SAMEORIGIN'
      break
  }

  if (directive !== 'DENY' && directive !== 'ALLOW-FROM' && directive !== 'SAMEORIGIN') {
    throw new Error('action must be undefined, "DENY", "ALLOW-FROM", or "SAMEORIGIN".')
  }

  if (directive === 'ALLOW-FROM') {
    if (!isString(domain)) {
      throw new Error('ALLOW-FROM action requires a domain parameter.')
    }
    if (!domain.length) {
      throw new Error('domain parameter must not be empty.')
    }
    directive += ' ' + domain
  }

  return function frameguard (req, res, next) {
    res.setHeader('X-Frame-Options', directive)
    next()
  }
}
...
It's best to `use` Helmet early in your middleware stack so that its headers are sure to be set.
You can also use its pieces individually:
```js
app.use(helmet.noCache())
app.use(helmet.frameguard())
```
You can disable a middleware that's normally enabled by default. This will disable `frameguard` but include the other defaults.
```js
app.use(helmet({
frameguard: false
...
/**
 * Creates middleware that removes `X-Powered-By`, or replaces it.
 *
 * @param {Object} [options]
 * @param {string} [options.setTo] when truthy, the header is set to this
 *   value instead of being removed
 * @returns {Function} `(req, res, next)` middleware
 */
function hidePoweredBy(options) {
  var replacement = (options || {}).setTo

  if (!replacement) {
    return function hidePoweredBy (req, res, next) {
      res.removeHeader('X-Powered-By')
      next()
    }
  }

  return function hidePoweredBy (req, res, next) {
    res.setHeader('X-Powered-By', replacement)
    next()
  }
}
n/a
/**
 * Creates the HTTP Public-Key-Pins middleware.
 *
 * The header name and value are computed once, up front, from the options
 * normalised by `parseOptions`; `options.setIf`, when present, is consulted
 * on every request to decide whether to emit the header.
 *
 * @param {Object} passedOptions raw options, validated by `parseOptions`
 * @returns {Function} `(req, res, next)` middleware
 */
function hpkp(passedOptions) {
  var options = parseOptions(passedOptions)
  var headerKey = getHeaderKey(options)
  var headerValue = getHeaderValue(options)

  return function hpkp (req, res, next) {
    // Read per request, mirroring the original lookup timing.
    var predicate = options.setIf
    var shouldSet = predicate ? predicate(req, res) : true

    if (shouldSet) {
      res.setHeader(headerKey, headerValue)
    }
    next()
  }
}
n/a
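/**
 * Creates middleware that sets `Strict-Transport-Security`.
 *
 * @param {Object} [options]
 * @param {number} [options.maxAge=defaultMaxAge] lifetime in seconds; must be
 *   a finite, nonnegative number (it is rounded with `Math.round`)
 * @param {boolean} [options.includeSubDomains=true] append
 *   `; includeSubDomains`; the lowercase-d spelling `includeSubdomains` is
 *   accepted too, but specifying both is an error
 * @param {boolean} [options.preload] append `; preload`
 * @param {boolean} [options.force] set the header even when `req.secure` is
 *   false
 * @param {Function} [options.setIf] `(req, res)` predicate deciding per
 *   request whether to set the header; mutually exclusive with `force`
 * @returns {Function} `(req, res, next)` middleware
 * @throws {Error} on the legacy `maxage` key, on more than one argument, or on
 *   conflicting options
 * @throws {TypeError} when `maxAge` is not a number or `setIf` is not a function
 * @throws {RangeError} when `maxAge` is negative or not finite
 */
function hsts(options) {
  var opts = options || {}
  var maxAge = opts.maxAge != null ? opts.maxAge : defaultMaxAge
  var includeSubDomains = (opts.includeSubDomains !== false) && (opts.includeSubdomains !== false)
  var force = opts.force
  var setIf = opts.setIf

  if (opts.hasOwnProperty('maxage')) {
    throw new Error('maxage is not a supported property. Did you mean to pass "maxAge" instead of "maxage"?')
  }
  if (arguments.length > 1) {
    throw new Error('HSTS passed the wrong number of arguments.')
  }
  if (!util.isNumber(maxAge)) {
    throw new TypeError('HSTS must be passed a numeric maxAge parameter.')
  }
  // NaN and +/-Infinity are numbers, so they pass the check above, but they
  // would be serialised as "max-age=NaN" / "max-age=Infinity". Browsers
  // discard a malformed directive, which silently disables HSTS.
  if (!isFinite(maxAge)) {
    throw new RangeError('HSTS maxAge must be a finite number.')
  }
  if (maxAge < 0) {
    throw new RangeError('HSTS maxAge must be nonnegative.')
  }
  if (opts.hasOwnProperty('setIf')) {
    if (!util.isFunction(setIf)) {
      throw new TypeError('setIf must be a function.')
    }
    if (opts.hasOwnProperty('force')) {
      throw new Error('setIf and force cannot both be specified.')
    }
  }
  if (opts.hasOwnProperty('includeSubDomains') && opts.hasOwnProperty('includeSubdomains')) {
    throw new Error('includeSubDomains and includeSubdomains cannot both be specified.')
  }

  var header = 'max-age=' + Math.round(maxAge)
  if (includeSubDomains) {
    header += '; includeSubDomains'
  }
  if (opts.preload) {
    header += '; preload'
  }

  return function hsts (req, res, next) {
    // Without a predicate the header goes out only on TLS connections
    // (req.secure) unless `force` overrides that.
    var shouldSet = setIf ? setIf(req, res) : (force || req.secure)

    if (shouldSet) {
      res.setHeader('Strict-Transport-Security', header)
    }
    next()
  }
}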
n/a
/**
 * Creates middleware that sets `X-Download-Options: noopen`.
 *
 * @returns {Function} `(req, res, next)` middleware
 */
function ienoopen() {
  var HEADER = 'X-Download-Options'
  var VALUE = 'noopen'

  return function ienoopen (req, res, next) {
    res.setHeader(HEADER, VALUE)
    next()
  }
}
n/a
/**
 * Creates middleware that sets the four cache-disabling headers.
 *
 * @returns {Function} `(req, res, next)` middleware
 */
function nocache() {
  // Set in this order on every response.
  var headers = [
    ['Surrogate-Control', 'no-store'],
    ['Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate'],
    ['Pragma', 'no-cache'],
    ['Expires', '0']
  ]

  return function nocache (req, res, next) {
    headers.forEach(function (pair) {
      res.setHeader(pair[0], pair[1])
    })
    next()
  }
}
...
```
It's best to `use` Helmet early in your middleware stack so that its headers are sure to be set.
You can also use its pieces individually:
```js
app.use(helmet.noCache())
app.use(helmet.frameguard())
```
You can disable a middleware that's normally enabled by default. This will disable `frameguard` but include the other defaults.
```js
app.use(helmet({
...
/**
 * Creates middleware that sets `X-Content-Type-Options: nosniff`.
 *
 * @returns {Function} `(req, res, next)` middleware
 */
function nosniff() {
  var HEADER = 'X-Content-Type-Options'
  var VALUE = 'nosniff'

  return function nosniff (req, res, next) {
    res.setHeader(HEADER, VALUE)
    next()
  }
}
n/a
/**
 * Creates middleware that sets `Referrer-Policy`.
 *
 * @param {Object} [options]
 * @param {string} [options.policy=DEFAULT_POLICY] must be one of
 *   `ALLOWED_POLICIES`; an explicitly present `policy` key is used even if
 *   its value is undefined
 * @returns {Function} `(req, res, next)` middleware
 * @throws {Error} when the policy is not in `ALLOWED_POLICIES`
 */
function referrerPolicy(options) {
  var opts = options || {}
  var policy = ('policy' in opts) ? opts.policy : DEFAULT_POLICY

  if (ALLOWED_POLICIES.indexOf(policy) === -1) {
    throw new Error('"' + policy + '" is not a valid policy. Allowed policies: ' + ALLOWED_POLICIES_ERROR_LIST + '.')
  }

  return function referrerPolicy (req, res, next) {
    res.setHeader('Referrer-Policy', policy)
    next()
  }
}
n/a
/**
 * Creates middleware that sets `X-XSS-Protection`.
 *
 * By default the value is `1; mode=block`, except for requests whose
 * User-Agent matches `MSIE <major>` with a major version below 9, which get
 * `0` instead. With `setOnOldIE` the `1; mode=block` value is sent
 * unconditionally.
 *
 * @param {Object} [options]
 * @param {boolean} [options.setOnOldIE=false] skip the old-IE special case
 * @returns {Function} `(req, res, next)` middleware
 */
function xXssProtection(options) {
  var ENABLED = '1; mode=block'
  var DISABLED = '0'

  if (options && options.setOnOldIE) {
    return function xXssProtection (req, res, next) {
      res.setHeader('X-XSS-Protection', ENABLED)
      next()
    }
  }

  return function xXssProtection (req, res, next) {
    // A missing User-Agent simply fails to match and gets the enabled value.
    var match = /msie\s*(\d+)/i.exec(req.headers['user-agent'])
    var isOldIE = Boolean(match) && parseFloat(match[1]) < 9

    res.setHeader('X-XSS-Protection', isOldIE ? DISABLED : ENABLED)
    next()
  }
}
n/a