hood

Cover your head.

Security headers middleware for connect or express.

Further readings on middlewares can be found here

hood

Usage

var hood = require('hood');
app.use(hood());

This will setup sane defaults for most apps. You can also pass options to configure each middleware.

app.use(hood({
  csp: "default-src 'unsafe-inline'",
  hsts: false // pass false to disable a middlware
}));

Each middleware is also available individually.

csp

app.use(hood.csp());
app.use(hood.csp({
  policy: {
    'default-src': ['self', 'unsafe-inline']
  }
}));
app.use(hood.csp("default-src 'self';"));
 
// to use Report-Only
app.use(hood.csp({
  policy: somePolicy,
  reportOnly: true
}))
app.use(hood.csp(policyStr, true));

hsts

Only applies header if request is secure. Checks req.connection.encrypted and req.connection.proxySecure.

app.use(hood.hsts());
app.use(hood.hsts({
  maxAge: 1000, // seconds
  includeSubdomains: true // default false
}));
app.use(hood.hsts(1000, true));

xframe

app.use(hood.xframe()) // DENY
app.use(hood.xframe({
  sameOrigin: true
}));
app.use(hood.xframe({
  allow: 'http://example.domain'
}));
app.use(hood.xframe('SAMEORIGIN'));
app.use(hood.xframe('ALLOW-FROM http://example.domain'));

nosniff

app.use(hood.nosniff());

header

A convenience method when you need to add arbitrary headers to all requests.

app.use(hood.header('x-foo', 'bar'));
app.use(hood.header({
  'x-foo': 'bar',
  'x-baz': 'quux'
}));

hood

hood

Usage

csp

hsts

xframe

nosniff

header

Readme

Keywords

Package Sidebar

Install

Repository

Homepage

Weekly Downloads

Version

License

Last publish

Collaborators

hood

hood

Usage

csp

hsts

xframe

nosniff

header

Readme

Keywords

Package Sidebar

Install

Repository

Homepage

DownloadsWeekly Downloads

Version

License

Last publish

Collaborators

Weekly Downloads