### Content-Security-Policy Default Policy Example Source: https://github.com/helmetjs/helmet/blob/main/README.md Displays the default Content-Security-Policy header. This header helps mitigate attacks like cross-site scripting. ```http Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests ``` -------------------------------- ### Quick Start: Basic Helmet Integration Source: https://github.com/helmetjs/helmet/blob/main/README.md Integrate Helmet into your Express app with a single line of middleware to set 13 default security headers. ```javascript import helmet from "helmet"; const app = express(); app.use(helmet()); ``` -------------------------------- ### Remove X-Powered-By Header with 'hide-powered-by' Package Source: https://github.com/helmetjs/helmet/blob/main/middlewares/x-powered-by/README.md Use this middleware to remove the 'X-Powered-By' header. This can help prevent attackers from exploiting known vulnerabilities in specific frameworks like Express. Ensure the 'hide-powered-by' package is installed. ```javascript const hidePoweredBy = require("hide-powered-by"); app.use(hidePoweredBy()); ``` -------------------------------- ### Configure X-DNS-Prefetch-Control to On Source: https://github.com/helmetjs/helmet/blob/main/middlewares/x-dns-prefetch-control/README.md Enable DNS prefetching by setting the `X-DNS-Prefetch-Control` header to `on` using this middleware. The `allow` option should be set to `true`. ```javascript // Set X-DNS-Prefetch-Control: on app.use(dnsPrefetchControl({ allow: true })); ``` -------------------------------- ### Enable X-Download-Options Header with Helmet.js Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet demonstrates enabling the X-Download-Options header with default settings. It can also be used as standalone middleware. ```js // Sets "X-Download-Options: noopen" app.use(helmet()); ``` -------------------------------- ### Enable X-DNS-Prefetch-Control Header with Helmet.js (Off) Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet demonstrates enabling the X-DNS-Prefetch-Control header with the 'off' directive. It can also be used as standalone middleware. ```js // Sets "X-DNS-Prefetch-Control: off" app.use(helmet()); ``` -------------------------------- ### Configure CSP Directives Source: https://github.com/helmetjs/helmet/blob/main/middlewares/content-security-policy/README.md Demonstrates overriding default directives by passing a configuration object to the middleware. ```javascript const contentSecurityPolicy = require("helmet-csp"); // Sets all of the defaults, but overrides `script-src` // and disables the default `style-src`. app.use( contentSecurityPolicy({ directives: { "script-src": ["'self'", "example.com"], "style-src": null, }, }), ); ``` -------------------------------- ### Configure X-DNS-Prefetch-Control Allow Directive with Helmet.js Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet shows how to configure the 'allow' directive for the X-DNS-Prefetch-Control header. It defaults to false. ```js // Sets "X-DNS-Prefetch-Control: off" app.use( helmet({ xDnsPrefetchControl: { allow: false }, }), ); // Sets "X-DNS-Prefetch-Control: on" app.use( helmet({ xDnsPrefetchControl: { allow: true }, }), ); ``` -------------------------------- ### Use X-Frame-Options as Standalone Middleware Source: https://github.com/helmetjs/helmet/blob/main/README.md Demonstrates how to use the X-Frame-Options middleware independently. This is an alternative to configuring it as part of the main Helmet middleware. ```js app.use(helmet.xFrameOptions()); ``` -------------------------------- ### Configure X-Permitted-Cross-Domain-Policies Header Source: https://github.com/helmetjs/helmet/blob/main/middlewares/x-permitted-cross-domain-policies/README.md Use this middleware to set the X-Permitted-Cross-Domain-Policies header. The default policy is 'none'. You can specify other policies like 'master-only', 'by-content-type', or 'all'. ```javascript const crossdomain = require("helmet-crossdomain"); // Sets X-Permitted-Cross-Domain-Policies: none app.use(crossdomain()); // You can use any of the following values: app.use(crossdomain({ permittedPolicies: "none" })); app.use(crossdomain({ permittedPolicies: "master-only" })); app.use(crossdomain({ permittedPolicies: "by-content-type" })); app.use(crossdomain({ permittedPolicies: "all" })); ``` -------------------------------- ### X-Download-Options Middleware Source: https://github.com/helmetjs/helmet/blob/main/middlewares/x-download-options/README.md Configures the X-Download-Options header to prevent IE from opening downloaded files in the site's context. ```APIDOC ## X-Download-Options Middleware ### Description This middleware sets the `X-Download-Options` header to `noopen` to prevent Internet Explorer users from executing downloads in your site's context. This protects against untrusted HTML files being opened in the context of your site. ### Usage ```javascript const ienoopen = require("ienoopen"); app.use(ienoopen()); ``` ``` -------------------------------- ### Use X-Permitted-Cross-Domain-Policies as Standalone Middleware Source: https://github.com/helmetjs/helmet/blob/main/README.md Shows how to use the X-Permitted-Cross-Domain-Policies middleware independently. This allows for granular control over this specific header. ```js app.use(helmet.xPermittedCrossDomainPolicies()); ``` -------------------------------- ### Configure X-Frame-Options Middleware Source: https://github.com/helmetjs/helmet/blob/main/middlewares/x-frame-options/README.md Use this middleware to prevent your site from being framed. It can be configured to deny all framing or only allow framing from the same origin. The default action is 'sameorigin'. ```javascript const frameguard = require("frameguard"); // Don't allow me to be in ANY frames: app.use(frameguard({ action: "deny" })); // Only let me be framed by people of the same origin: app.use(frameguard({ action: "sameorigin" })); app.use(frameguard()); // defaults to sameorigin ``` -------------------------------- ### Enable X-Content-Type-Options Header with Helmet.js Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet demonstrates enabling the X-Content-Type-Options header with default settings. It can also be used as standalone middleware. ```js // Sets "X-Content-Type-Options: nosniff" app.use(helmet()); ``` -------------------------------- ### Set X-Download-Options Header Source: https://github.com/helmetjs/helmet/blob/main/middlewares/x-download-options/README.md Use this middleware to set the 'X-Download-Options: noopen' header. This is primarily for older Internet Explorer versions to prevent security issues when serving untrusted HTML content. ```javascript const ienoopen = require("ienoopen"); app.use(ienoopen()); ``` -------------------------------- ### Set Referrer-Policy with Multiple Policies Source: https://github.com/helmetjs/helmet/blob/main/middlewares/referrer-policy/README.md Configure the Referrer-Policy header with an array of policies, such as 'no-referrer' and 'unsafe-url'. The browser will use the first policy it supports. ```javascript const referrerPolicy = require("referrer-policy"); app.use( referrerPolicy({ policy: ["no-referrer", "unsafe-url"], }), ); // Referrer-Policy: no-referrer,unsafe-url ``` -------------------------------- ### Configure X-DNS-Prefetch-Control to Off Source: https://github.com/helmetjs/helmet/blob/main/middlewares/x-dns-prefetch-control/README.md Use this middleware to disable DNS prefetching by setting the `X-DNS-Prefetch-Control` header to `off`. Ensure the `dns-prefetch-control` module is required. ```javascript const dnsPrefetchControl = require("dns-prefetch-control"); // Set X-DNS-Prefetch-Control: off app.use(dnsPrefetchControl()); ``` ```javascript // Set X-DNS-Prefetch-Control: off app.use(dnsPrefetchControl({ allow: false })); ``` -------------------------------- ### Configure CSP with Overrides and Disabling Defaults Source: https://github.com/helmetjs/helmet/blob/main/README.md Sets all default CSP directives but overrides 'script-src' and disables 'style-src'. ```javascript // Sets all of the defaults, but overrides `script-src` // and disables the default `style-src`. app.use( helmet({ contentSecurityPolicy: { directives: { "script-src": ["'self'", "example.com"], "style-src": null, }, }, }), ); ``` -------------------------------- ### Enable Report-Only Mode Source: https://github.com/helmetjs/helmet/blob/main/middlewares/content-security-policy/README.md Sets the Content-Security-Policy-Report-Only header instead of the standard CSP header. ```javascript app.use( contentSecurityPolicy({ directives: { /* ... */ }, reportOnly: true, }), ); ``` -------------------------------- ### Set X-Permitted-Cross-Domain-Policies to none Source: https://github.com/helmetjs/helmet/blob/main/README.md Configures the X-Permitted-Cross-Domain-Policies header to 'none', which is the default and recommended setting. This header controls cross-domain content loading for certain clients like Adobe products. ```js app.use( helmet({ xPermittedCrossDomainPolicies: { permittedPolicies: "none", }, }), ); ``` -------------------------------- ### Implement CSP Nonce Source: https://github.com/helmetjs/helmet/blob/main/middlewares/content-security-policy/README.md Uses a middleware to generate a random nonce and inject it into the CSP directive dynamically. ```js app.use((req, res, next) => { res.locals.cspNonce = crypto.randomBytes(32).toString("hex"); next(); }); app.use( contentSecurityPolicy({ directives: { scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`], }, }), ); ``` -------------------------------- ### Configure Cross-Origin-Opener-Policy Header Source: https://github.com/helmetjs/helmet/blob/main/README.md Set the Cross-Origin-Opener-Policy header to process-isolate your page. Supports 'same-origin' and 'same-origin-allow-popups' policies. ```javascript // Sets "Cross-Origin-Opener-Policy: same-origin" app.use(helmet()); ``` ```javascript // Sets "Cross-Origin-Opener-Policy: same-origin-allow-popups" app.use( helmet({ crossOriginOpenerPolicy: { policy: "same-origin-allow-popups" }, }), ); ``` ```javascript app.use( helmet({ crossOriginOpenerPolicy: false, }), ); ``` -------------------------------- ### Configure Content-Security-Policy Header Source: https://github.com/helmetjs/helmet/blob/main/README.md Configure the Content-Security-Policy header by passing an object with specific directives, such as script-src. ```javascript // Configure the Content-Security-Policy header. app.use( helmet({ contentSecurityPolicy: { directives: { "script-src": ["'self'", "example.com"], }, }, }), ); ``` -------------------------------- ### Set Cross-Origin-Resource-Policy Header Source: https://github.com/helmetjs/helmet/blob/main/middlewares/cross-origin-resource-policy/README.md Use this middleware to set the 'Cross-Origin-Resource-Policy' header. Choose 'same-origin' to allow resources to be loaded only by the same origin, or 'same-site' to allow resources to be loaded by same-site origins. ```javascript const crossOriginResourcePolicy = require("cross-origin-resource-policy"); // Sets "Cross-Origin-Resource-Policy: same-origin" app.use(crossOriginResourcePolicy({ policy: "same-origin" })); // Sets "Cross-Origin-Resource-Policy: same-site" app.use(crossOriginResourcePolicy({ policy: "same-site" })); ``` -------------------------------- ### X-Permitted-Cross-Domain-Policies Middleware Source: https://github.com/helmetjs/helmet/blob/main/middlewares/x-permitted-cross-domain-policies/README.md Configures the X-Permitted-Cross-Domain-Policies header to define cross-domain content loading policies for Adobe products. ```APIDOC ## X-Permitted-Cross-Domain-Policies Middleware ### Description The `X-Permitted-Cross-Domain-Policies` header tells web clients (like Adobe Flash or Adobe Acrobat) your domain's policy for loading cross-domain content. ### Parameters #### Request Body - **permittedPolicies** (string) - Optional - The policy value. Supported values: "none", "master-only", "by-content-type", "all". Defaults to "none". ### Request Example ```javascript const crossdomain = require("helmet-crossdomain"); app.use(crossdomain({ permittedPolicies: "none" })); ``` ``` -------------------------------- ### Set X-Frame-Options to SAMEORIGIN Source: https://github.com/helmetjs/helmet/blob/main/README.md Applies the X-Frame-Options header with the SAMEORIGIN directive to mitigate clickjacking attacks. This is the default behavior when Helmet is used without specific configuration for this header. ```js app.use(helmet()); ``` -------------------------------- ### Use X-XSS-Protection as Standalone Middleware Source: https://github.com/helmetjs/helmet/blob/main/README.md Shows how to use the X-XSS-Protection middleware independently. This middleware is responsible for managing the X-XSS-Protection header. ```js app.use(helmet.xXssProtection()); ``` -------------------------------- ### CSP with Custom Directives and No Defaults Source: https://github.com/helmetjs/helmet/blob/main/README.md Configures CSP with custom directives, disabling the default policy and setting specific headers like default-src and script-src. ```javascript // Sets "Content-Security-Policy: default-src 'self'; // script-src 'self' example.com;object-src 'none'; // upgrade-insecure-requests" app.use( helmet({ contentSecurityPolicy: { useDefaults: false, directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", "example.com"], objectSrc: ["'none'"], upgradeInsecureRequests: [], }, }, }), ); ``` -------------------------------- ### CSP with Dynamic Nonce for Script Source Source: https://github.com/helmetjs/helmet/blob/main/README.md Configures the script-src directive to use a dynamically generated nonce for enhanced security. ```javascript // Sets the `script-src` directive to // "'self' 'nonce-e33cc..."' // (or similar) app.use((req, res, next) => { res.locals.cspNonce = crypto.randomBytes(32).toString("hex"); next(); }); app.use( helmet({ contentSecurityPolicy: { directives: { scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`], }, }, }), ); ``` -------------------------------- ### Enable HSTS Preload Directive Source: https://github.com/helmetjs/helmet/blob/main/middlewares/strict-transport-security/README.md This configuration enables the `preload` directive in the HSTS header, in addition to setting a max-age of at least one year and enabling `includeSubDomains`. This allows browsers to preload your site's HSTS policy. ```javascript app.use( strictTransportSecurity({ maxAge: 31536000, // Must be at least 1 year to be approved includeSubDomains: true, // Must be enabled to be approved preload: true, }), ); ``` -------------------------------- ### Configure Strict-Transport-Security with Preload Directive Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet shows how to enable the preload directive for the Strict-Transport-Security header, indicating intent to add the HSTS policy to browsers. ```js // Sets "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload" app.use( helmet({ strictTransportSecurity: { maxAge: 63072000, preload: true, }, }), ); ``` -------------------------------- ### Set Referrer-Policy to 'unsafe-url' Source: https://github.com/helmetjs/helmet/blob/main/middlewares/referrer-policy/README.md This configuration sets the Referrer-Policy header to 'unsafe-url', which sends the full URL as the referrer in all cases. Use with caution due to potential privacy implications. ```javascript const referrerPolicy = require("referrer-policy"); app.use(referrerPolicy({ policy: "unsafe-url" })); // Referrer-Policy: unsafe-url ``` -------------------------------- ### Configure Referrer-Policy Header Source: https://github.com/helmetjs/helmet/blob/main/README.md Set the Referrer-Policy header to control information sent in the Referer request header. Supports string or array policies. ```javascript // Sets "Referrer-Policy: no-referrer" app.use(helmet()); ``` ```javascript // Sets "Referrer-Policy: no-referrer" app.use( helmet({ referrerPolicy: { policy: "no-referrer", }, }), ); ``` ```javascript // Sets "Referrer-Policy: origin,unsafe-url" app.use( helmet({ referrerPolicy: { policy: ["origin", "unsafe-url"], }, }), ); ``` -------------------------------- ### Set X-Permitted-Cross-Domain-Policies to by-content-type Source: https://github.com/helmetjs/helmet/blob/main/README.md Sets the X-Permitted-Cross-Domain-Policies header to 'by-content-type'. This allows Adobe products to load cross-domain content based on its MIME type. ```js app.use( helmet({ xPermittedCrossDomainPolicies: { permittedPolicies: "by-content-type", }, }), ); ``` -------------------------------- ### Implement Legacy X-XSS-Protection Behavior Source: https://github.com/helmetjs/helmet/blob/main/middlewares/x-xss-protection/README.md If you need to maintain legacy X-XSS-Protection behavior, you can create a custom middleware. Note that this approach is generally considered insecure. ```javascript // NOTE: This is probably insecure! app.use((req, res, next) => { res.setHeader("X-XSS-Protection", "1; mode=block"); next(); }); ``` -------------------------------- ### Enable Strict-Transport-Security Header with Helmet.js Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet demonstrates enabling the Strict-Transport-Security header with default settings. It can also be used as standalone middleware. ```js // Sets "Strict-Transport-Security: max-age=31536000; includeSubDomains" app.use(helmet()); ``` -------------------------------- ### Conditionally Disable Upgrade Insecure Requests Source: https://github.com/helmetjs/helmet/blob/main/middlewares/content-security-policy/README.md Shows how to disable the upgrade-insecure-requests directive specifically for development environments. ```js const isDevelopment = app.get("env") === "development"; app.use( contentSecurityPolicy({ directives: { // Disable upgrade-insecure-requests in development. "upgrade-insecure-requests": isDevelopment ? null : [], }, }), ); ``` -------------------------------- ### Use X-Powered-By as Standalone Middleware Source: https://github.com/helmetjs/helmet/blob/main/README.md Illustrates using the X-Powered-By middleware separately. This middleware's primary function is to remove the 'X-Powered-By' header. ```js app.use(helmet.xPoweredBy()); ``` -------------------------------- ### Configure Cross-Origin-Resource-Policy Header Source: https://github.com/helmetjs/helmet/blob/main/README.md Control which origins can load your resources using the Cross-Origin-Resource-Policy header. Supports 'same-origin' and 'same-site' policies. ```javascript // Sets "Cross-Origin-Resource-Policy: same-origin" app.use(helmet()); ``` ```javascript // Sets "Cross-Origin-Resource-Policy: same-site" app.use(helmet({ crossOriginResourcePolicy: { policy: "same-site" } })); ``` ```javascript app.use( helmet({ crossOriginResourcePolicy: false, }), ); ``` -------------------------------- ### Set X-Frame-Options to SAMEORIGIN (explicit) Source: https://github.com/helmetjs/helmet/blob/main/README.md Explicitly sets the X-Frame-Options header to SAMEORIGIN, allowing the page to be displayed only within the same origin. This is useful when you need to control framing behavior. ```js app.use( helmet({ xFrameOptions: { action: "sameorigin" }, }), ); ``` -------------------------------- ### Set X-Frame-Options to DENY Source: https://github.com/helmetjs/helmet/blob/main/README.md Configures the X-Frame-Options header to DENY, preventing the page from being displayed in a frame, iframe, or similar element. This provides stronger protection against clickjacking. ```js app.use( helmet({ xFrameOptions: { action: "deny" }, }), ); ``` -------------------------------- ### Disable X-Powered-By Header in Express and Helmet Source: https://github.com/helmetjs/helmet/blob/main/README.md Demonstrates how to disable the 'X-Powered-By' header, which is often set by frameworks like Express. This is done both at the Express level and within Helmet configuration for comprehensive removal. ```js // Not required, but recommended for Express users: app.disable("x-powered-by"); // Ask Helmet to ignore the X-Powered-By header. app.use( helmet({ xPoweredBy: false, }), ); ``` -------------------------------- ### Set Referrer-Policy to 'same-origin' Source: https://github.com/helmetjs/helmet/blob/main/middlewares/referrer-policy/README.md Use this snippet to set the Referrer-Policy header to 'same-origin'. This policy restricts the Referer header to only be sent when navigating to the same origin. ```javascript const referrerPolicy = require("referrer-policy"); app.use(referrerPolicy({ policy: "same-origin" })); // Referrer-Policy: same-origin ``` -------------------------------- ### Disable X-DNS-Prefetch-Control Header with Helmet.js Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet shows how to disable the X-DNS-Prefetch-Control header, allowing the browser to use its default value. ```js app.use( helmet({ xDnsPrefetchControl: false, }), ); ``` -------------------------------- ### Configure Referrer Policy with Helmet.js Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet shows how to disable the Referrer-Policy header using Helmet.js. It can also be used as standalone middleware. ```js app.use( helmet({ referrerPolicy: false, }), ); ``` -------------------------------- ### Enable Cross-Origin-Embedder-Policy Header Source: https://github.com/helmetjs/helmet/blob/main/README.md Configure Helmet.js to set the Cross-Origin-Embedder-Policy header. This header controls which resources can be loaded cross-origin. ```javascript // Helmet does not set Cross-Origin-Embedder-Policy // by default. app.use(helmet()); ``` ```javascript // Sets "Cross-Origin-Embedder-Policy: require-corp" app.use(helmet({ crossOriginEmbedderPolicy: true })); ``` ```javascript // Sets "Cross-Origin-Embedder-Policy: credentialless" app.use(helmet({ crossOriginEmbedderPolicy: { policy: "credentialless" } })); ``` -------------------------------- ### Set X-Content-Type-Options Header Source: https://github.com/helmetjs/helmet/blob/main/middlewares/x-content-type-options/README.md Use this middleware to set the X-Content-Type-Options header to 'nosniff'. This prevents browsers like Chrome, Opera, IE, and Firefox from sniffing MIME types, which can help prevent certain security vulnerabilities. ```javascript const dontSniffMimetype = require("dont-sniff-mimetype"); app.use(dontSniffMimetype()); ``` -------------------------------- ### Set Default Referrer-Policy Source: https://github.com/helmetjs/helmet/blob/main/middlewares/referrer-policy/README.md When no policy is explicitly provided, this middleware defaults to 'no-referrer', which omits the Referer header entirely. This is the most privacy-preserving option. ```javascript const referrerPolicy = require("referrer-policy"); app.use(referrerPolicy()); // Referrer-Policy: no-referrer ``` -------------------------------- ### Disable X-XSS-Protection Header Source: https://github.com/helmetjs/helmet/blob/main/middlewares/x-xss-protection/README.md Use this middleware to set the 'X-XSS-Protection' header to '0'. This is the recommended way to handle XSS protection with Helmet.js. ```javascript const xXssProtection = require("x-xss-protection"); // Set "X-XSS-Protection: 0" app.use(xXssProtection()); ``` -------------------------------- ### Disable Specific Headers Source: https://github.com/helmetjs/helmet/blob/main/README.md Customize Helmet by disabling specific security headers, such as Content-Security-Policy and X-Download-Options. ```javascript // Disable the Content-Security-Policy and X-Download-Options headers app.use( helmet({ contentSecurityPolicy: false, xDownloadOptions: false, }), ); ``` -------------------------------- ### Configure Strict-Transport-Security without Include SubDomains Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet demonstrates disabling the includeSubDomains directive for the Strict-Transport-Security header. ```js // Sets "Strict-Transport-Security: max-age=123456" app.use( helmet({ strictTransportSecurity: { maxAge: 123456, includeSubDomains: false, }, }), ); ``` -------------------------------- ### Disable X-Download-Options Header with Helmet.js Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet shows how to disable the X-Download-Options header. This header is specific to Internet Explorer 8. ```js app.use( helmet({ xDownloadOptions: false, }), ); ``` -------------------------------- ### Disable X-Frame-Options Header Source: https://github.com/helmetjs/helmet/blob/main/README.md Disables the X-Frame-Options header entirely by passing false to the Helmet configuration. This should be used with caution as it removes clickjacking protection. ```js app.use( helmet({ xFrameOptions: false, }), ); ``` -------------------------------- ### Configure Strict-Transport-Security Max Age with Helmet.js Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet shows how to configure the max-age directive for the Strict-Transport-Security header. The value is rounded down if not an integer. ```js // Sets "Strict-Transport-Security: max-age=123456; includeSubDomains" app.use( helmet({ strictTransportSecurity: { maxAge: 123456, }, }), ); ``` -------------------------------- ### Disable X-Permitted-Cross-Domain-Policies Header Source: https://github.com/helmetjs/helmet/blob/main/README.md Disables the X-Permitted-Cross-Domain-Policies header by passing false to the Helmet configuration. This removes the header and its associated cross-domain policy controls. ```js app.use( helmet({ xPermittedCrossDomainPolicies: false, }), ); ``` -------------------------------- ### Disable Default CSP Policies Source: https://github.com/helmetjs/helmet/blob/main/middlewares/content-security-policy/README.md Disables the default policy set by the middleware to allow for a fully custom directive configuration. ```javascript app.use( contentSecurityPolicy({ useDefaults: false, directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", "example.com"], objectSrc: ["'none'"], upgradeInsecureRequests: [], }, }), ); ``` -------------------------------- ### Disable Strict-Transport-Security Header with Helmet.js Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet shows how to completely disable the Strict-Transport-Security header. This is often useful for local development. ```js app.use( helmet({ strictTransportSecurity: false, }), ); ``` -------------------------------- ### Disable Origin-Agent-Cluster Header Source: https://github.com/helmetjs/helmet/blob/main/README.md This configuration disables the Origin-Agent-Cluster header, which isolates origins from other processes. ```javascript // Sets "Origin-Agent-Cluster: ?1" app.use(helmet()); ``` ```javascript app.use( helmet({ originAgentCluster: false, }), ); ``` -------------------------------- ### Disable X-Content-Type-Options Header with Helmet.js Source: https://github.com/helmetjs/helmet/blob/main/README.md This snippet shows how to disable the X-Content-Type-Options header. This header mitigates MIME type sniffing. ```js app.use( helmet({ xContentTypeOptions: false, }), ); ``` -------------------------------- ### Disable Content-Security-Policy Header Source: https://github.com/helmetjs/helmet/blob/main/README.md Use this configuration to disable the Content-Security-Policy header when using Helmet.js. ```javascript app.use( helmet({ contentSecurityPolicy: false, }), ); ``` -------------------------------- ### Set HSTS Header for 365 Days Source: https://github.com/helmetjs/helmet/blob/main/middlewares/strict-transport-security/README.md This snippet sets the Strict-Transport-Security header with a max-age of 31536000 seconds (365 days), enabling HTTPS enforcement for browsers. The `includeSubDomains` directive is enabled by default. ```javascript const strictTransportSecurity = require("hsts"); // Sets "Strict-Transport-Security: max-age=31536000; includeSubDomains" app.use( strictTransportSecurity({ maxAge: 31536000, // 365 days in seconds }), ); ``` -------------------------------- ### Disable includeSubDomains Directive Source: https://github.com/helmetjs/helmet/blob/main/middlewares/strict-transport-security/README.md Configure the HSTS middleware to disable the `includeSubDomains` directive. This prevents HTTPS enforcement on subdomains of your site. ```javascript app.use( strictTransportSecurity({ maxAge: 31536000, includeSubDomains: false, }), ); ``` -------------------------------- ### Disable X-Powered-By Header in Express Source: https://github.com/helmetjs/helmet/blob/main/middlewares/x-powered-by/README.md If you are using Express, you can disable the 'x-powered-by' header directly using the app.disable() method. This is a built-in alternative to using an external middleware. ```javascript app.disable("x-powered-by"); ``` -------------------------------- ### Disable X-XSS-Protection Header Source: https://github.com/helmetjs/helmet/blob/main/README.md Disables the browser's built-in cross-site scripting (XSS) filter by setting the X-XSS-Protection header to '0'. This is the default behavior of Helmet, but can be explicitly disabled. ```js // This is not recommended. app.use( helmet({ xXssProtection: false, }), ); ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.