koa-helmet is a wrapper for helmet to work with koa. It provides important security headers to make your app more secure by default.
yarn add koa-helmet
or via npm:
npm install koa-helmet --save
Usage is the same as helmet
Helmet offers 14 security middleware functions:
Module | Default? |
---|---|
contentSecurityPolicy for setting Content Security Policy | |
permittedCrossDomainPolicies for handling Adobe products' crossdomain requests | |
dnsPrefetchControl controls browser DNS prefetching | ✓ |
expectCt for handling Certificate Transparency | |
featurePolicy to limit your site's features | |
frameguard to prevent clickjacking | ✓ |
hidePoweredBy to remove the X-Powered-By header | ✓ |
hpkp for HTTP Public Key Pinning | |
hsts for HTTP Strict Transport Security | ✓ |
ieNoOpen sets X-Download-Options for IE8+ | ✓ |
noCache to disable client-side caching | |
noSniff to keep clients from sniffing the MIME type | ✓ |
referrerPolicy to hide the Referer header | |
xssFilter adds some small XSS protections | ✓ |
You can see more in the documentation.
In order to work well with the helmet HSTS module, koa-helmet will augment
this.request
to include a secure
boolean to determine if the request
is over HTTPS.
"use strict";
const Koa = require("koa");
const helmet = require("koa-helmet");
const app = new Koa();
app.use(helmet());
app.use((ctx) => {
ctx.body = "Hello World"
});
app.listen(4000);
To run the tests, simply run
yarn test
- koa-helmet >=2.x (master branch) supports koa 2.x
- koa-helmet 1.x (koa-1 branch) supports koa 0.x and koa 1.x