hood

    0.2.1 • Public • Published

    hood


    Cover your head.

    Security headers middleware for connect or express.

    Further reading on middleware can be found here.


    Usage

    var hood = require('hood');
    app.use(hood());

    This will set up sane defaults for most apps. You can also pass options to configure each middleware.

    app.use(hood({
      csp: "default-src 'unsafe-inline'",
      hsts: false // pass false to disable a middleware
    }));

    Each middleware is also available individually.

    csp

    app.use(hood.csp());
    app.use(hood.csp({
      policy: {
        'default-src': ['self', 'unsafe-inline']
      }
    }));
    app.use(hood.csp("default-src 'self';"));
     
    // to use Report-Only (sets Content-Security-Policy-Report-Only instead)
    app.use(hood.csp({
      policy: somePolicy,
      reportOnly: true
    }));
    app.use(hood.csp(policyStr, true));

    hsts

    The header is only applied when the request is secure; the middleware checks req.connection.encrypted and req.connection.proxySecure.

    app.use(hood.hsts());
    app.use(hood.hsts({
      maxAge: 1000, // seconds
      includeSubdomains: true // default false
    }));
    app.use(hood.hsts(1000, true));
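    The csp and hsts sections above show the options but not the header values they produce. The following is an added example, not hood's own source: a small re-implementation of the same connect-style middleware pattern, run against constructed req/res objects so the resulting headers can be inspected offline. Header names come from the CSP and HSTS specifications; the option names (policy, reportOnly, maxAge, includeSubdomains) mirror the README. The CSP keyword quoting, the default max-age and treating either connection flag as "secure" are assumptions of this example, not documented hood behaviour.

```javascript
// Added example (not hood's own code): connect-style csp and hsts middleware
// re-implemented so header values can be checked with constructed req/res.

// CSP source keywords must be single-quoted in the header value; bare hosts
// and schemes must not be (per the CSP spec). Quoting of the object-form
// sources is an assumption about how such a policy should be serialised.
const CSP_KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval']);

function quoteSource(src) {
  const bare = src.replace(/^'|'$/g, '');
  return CSP_KEYWORDS.has(bare) ? `'${bare}'` : src;
}

// Turns the README's object form {'default-src': ['self', ...]} into a
// header string; a string policy is passed through unchanged.
function buildCspValue(policy) {
  if (typeof policy === 'string') return policy;
  return Object.entries(policy)
    .map(([directive, sources]) =>
      `${directive} ${[].concat(sources).map(quoteSource).join(' ')}`)
    .join('; ');
}

// csp(optionsOrString): reportOnly switches to the Report-Only header name,
// which browsers report on but do not enforce.
function csp(opts) {
  const options = typeof opts === 'string' ? { policy: opts } : (opts || {});
  const value = buildCspValue(options.policy || "default-src 'self'"); // assumed default
  const name = options.reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  return function cspMiddleware(req, res, next) {
    res.setHeader(name, value);
    next();
  };
}

// hsts(options): HSTS only makes sense on TLS, so the header is set only when
// the connection looks secure. The README says both fields are checked; this
// example assumes "either flag truthy" counts as secure.
function hsts(opts) {
  const options = opts || {};
  const maxAge = options.maxAge == null ? 15552000 : options.maxAge; // assumed default: 180 days, in seconds
  let value = `max-age=${maxAge}`;
  if (options.includeSubdomains) value += '; includeSubDomains';
  return function hstsMiddleware(req, res, next) {
    const conn = req.connection || {};
    if (conn.encrypted || conn.proxySecure) {
      res.setHeader('Strict-Transport-Security', value);
    }
    next();
  };
}

// Constructed stand-ins for a connect request/response: just enough to run a
// middleware chain and read back the headers it set (names lower-cased).
function runChain(middlewares, req) {
  const headers = {};
  const res = { setHeader: (k, v) => { headers[k.toLowerCase()] = v; } };
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return headers;
}

// Same chain run over a plain, a TLS, and a proxy-terminated request.
function demo() {
  const chain = [
    csp({ policy: { 'default-src': ['self', 'unsafe-inline'], 'img-src': ['self', 'https://cdn.example'] } }),
    hsts({ maxAge: 1000, includeSubdomains: true }),
  ];
  return {
    plain: runChain(chain, { connection: {} }),
    tls: runChain(chain, { connection: { encrypted: true } }),
    behindProxy: runChain(chain, { connection: { proxySecure: true } }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

    The plain-HTTP request gets the CSP header but no Strict-Transport-Security, which is the behaviour the hsts section describes; the TLS and proxy-terminated requests get both. If your TLS is terminated upstream, the proxy-side flag is what decides whether HSTS is ever sent.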

    xframe

    app.use(hood.xframe()); // DENY
    app.use(hood.xframe({
      sameOrigin: true
    }));
    app.use(hood.xframe({
      allow: 'http://example.domain'
    }));
    app.use(hood.xframe('SAMEORIGIN'));
    app.use(hood.xframe('ALLOW-FROM http://example.domain'));

    nosniff

    app.use(hood.nosniff());

    header

    A convenience method when you need to add arbitrary headers to all requests.

    app.use(hood.header('x-foo', 'bar'));
    app.use(hood.header({
      'x-foo': 'bar',
      'x-baz': 'quux'
    }));

    Install

    npm i hood

    License

    none

    Collaborators

    • seanmonstar