Helmet helps secure Express apps by setting HTTP response headers.Helmet通过设置HTTP响应标头来帮助保护Express应用程序的安全。
Get started开始
Here’s a sample Express app that uses Helmet:以下是使用Helmet的Express应用程序示例:
import express from "express";
import helmet from "helmet";
const app = express();
// Use Helmet!
app.use(helmet());
app.get("/", (req, res) => {
res.send("Hello world!");
});
app.listen(8000);
You can also 如果您愿意,也可以用require("helmet") if you prefer.require("helmet")。
By default, Helmet sets the following headers:默认情况下,Helmet设置以下标头:
Content-Security-Policy: A powerful allow-list of what can happen on your page which mitigates many attacks:一个强大的允许列表,列出了您的页面上可能发生的事情,可以减轻许多攻击Cross-Origin-Opener-Policy: Helps process-isolate your page:帮助处理隔离页面Cross-Origin-Resource-Policy: Blocks others from loading your resources cross-origin:阻止其他人跨来源加载您的资源Origin-Agent-Cluster: Changes process isolation to be origin-based:将流程隔离更改为基于来源Referrer-Policy: Controls the:控制RefererheaderReferer标头Strict-Transport-Security: Tells browsers to prefer HTTPS:告诉浏览器更喜欢HTTPSX-Content-Type-Options: Avoids MIME sniffing:避免MIME探查X-DNS-Prefetch-Control: Controls DNS prefetching:控制DNS预取X-Download-Options: Forces downloads to be saved (Internet Explorer only):强制保存下载(仅限Internet Explorer)X-Frame-Options: Legacy header that mitigates clickjacking attacks:减轻点击劫持攻击的旧式标头X-Permitted-Cross-Domain-Policies: Controls cross-domain behavior for Adobe products, like Acrobat:控制Adobe产品(如Acrobat)的跨域行为X-Powered-By: Info about the web server. Removed because it could be used in simple attacks:有关web服务器的信息。删除,因为它可以用于简单的攻击X-XSS-Protection: Legacy header that tries to mitigate XSS attacks, but makes things worse, so Helmet disables it:试图减轻XSS攻击的遗留标头,但使情况变得更糟,因此Helmet禁用了它
Each header can be configured. For example, here’s how you configure the 每个标头都可以进行配置。例如,以下是如何配置Content-Security-Policy header:Content-Security-Policy标头:
// This sets custom options for the Content-Security-Policy header.这将设置内容安全策略标头的自定义选项。
app.use(
helmet({
contentSecurityPolicy: {
directives: {
"script-src": ["'self'", "example.com"],
},
},
})
);
Headers can also be disabled. 标头也可以被禁用。For example, here’s how you disable the 例如,以下是如何禁用Content-Security-Policy and X-Download-Options headers:Content-Security-Policy和X-Download-Options标头:
// This disables the Content-Security-Policy and X-Download-Options headers.这将禁用内容安全策略和X-Download-Options标头。
app.use(
helmet({
contentSecurityPolicy: false,
xDownloadOptions: false,
})
);
Reference参考
Content-Security-Policy
Default:默认值:
Content-Security-Policy: default-src 'self';base-uri 'self';
font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';
img-src 'self' data:;object-src 'none';
script-src 'self';script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';upgrade-insecure-requestsThe Content-Security-Policy header mitigates a large number of attacks, such as cross-site scripting. Content-Security-Policy标头可以缓解大量攻击,例如跨站点脚本。See MDN’s introductory article on Content Security Policy.请参阅MDN关于内容安全策略的介绍性文章。
This header is powerful but likely requires some configuration.此标头功能强大,但可能需要一些配置。
To configure this header, pass an object with a nested 若要配置此标头,请传递一个带有嵌套directives object. directives对象的对象。Each key is a directive name in camel case (such as 每个键都是一个指令名称,大小写为camel(如defaultSrc) or kebab case (such as default-src). defaultSrc)或kebab(如default-src)。Each value is an array (or other iterable) of strings or functions for that directive. 每个值都是该指令的字符串或函数的数组(或其他可迭代的)。If a function appears in the array, it will be called with the request and response objects.如果一个函数出现在数组中,它将与请求和响应对象一起被调用。
// Sets all of the defaults, but overrides `script-src` and disables the default `style-src`.设置所有默认值,但覆盖`script-src`并禁用默认值`style-src`。
app.use(
helmet({
contentSecurityPolicy: {
directives: {
"script-src": ["'self'", "example.com"],
"style-src": null,
},
},
})
);
// Sets the `script-src` directive to
// "'self' 'nonce-e33...'" (or similar)
app.use((req, res, next) => {
res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
next();
});
app.use(
helmet({
contentSecurityPolicy: {
directives: {
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
},
},
})
);
These directives are merged into a default policy, which you can disable by setting 这些指令被合并到一个默认策略中,您可以通过将useDefaults to false.useDefaults设置为false来禁用该策略。
// Sets "Content-Security-Policy: default-src 'self';
// script-src 'self' example.com;object-src 'none';
// upgrade-insecure-requests"
app.use(
helmet({
contentSecurityPolicy: {
useDefaults: false,
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
},
},
})
);
You can get the default directives object with 您可以使用helmet.contentSecurityPolicy.getDefaultDirectives(). helmet.contentSecurityPolicy.getDefaultDirectives()获取默认指令对象。Here is the default policy (whitespace added for readability):以下是默认策略(为可读性添加空白):
default-src 'self';
base-uri 'self';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
The default-src directive can be explicitly disabled by setting its value to helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc, but this is not recommended.
You can set the Content-Security-Policy-Report-Only instead.
// Sets the Content-Security-Policy-Report-Only header
app.use(
helmet({
contentSecurityPolicy: {
directives: {
/* ... */
},
reportOnly: true,
},
})
);
Helmet performs very little validation on your CSP. You should rely on CSP checkers like CSP Evaluator instead.
To disable the Content-Security-Policy header:
app.use(
helmet({
contentSecurityPolicy: false,
})
);
You can use this as standalone middleware with app.use(helmet.contentSecurityPolicy()).
Cross-Origin-Embedder-Policy
This header is not set by default.
The Cross-Origin-Embedder-Policy header helps control what resources can be loaded cross-origin. See MDN’s article on this header for more.
// Helmet does not set Cross-Origin-Embedder-Policy
// by default.
app.use(helmet());
// Sets "Cross-Origin-Embedder-Policy: require-corp"
app.use(helmet({ crossOriginEmbedderPolicy: true }));
// Sets "Cross-Origin-Embedder-Policy: credentialless"
app.use(helmet({ crossOriginEmbedderPolicy: { policy: "credentialless" } }));
You can use this as standalone middleware with app.use(helmet.crossOriginEmbedderPolicy()).
Cross-Origin-Opener-Policy
Default:
Cross-Origin-Opener-Policy: same-origin
The Cross-Origin-Opener-Policy header helps process-isolate your page. For more, see MDN’s article on this header.
// Sets "Cross-Origin-Opener-Policy: same-origin"
app.use(helmet());
// Sets "Cross-Origin-Opener-Policy: same-origin-allow-popups"
app.use(
helmet({
crossOriginOpenerPolicy: { policy: "same-origin-allow-popups" },
})
);
To disable the Cross-Origin-Opener-Policy header:
app.use(
helmet({
crossOriginOpenerPolicy: false,
})
);
You can use this as standalone middleware with app.use(helmet.crossOriginOpenerPolicy()).
Cross-Origin-Resource-Policy
Default:
Cross-Origin-Resource-Policy: same-origin
The Cross-Origin-Resource-Policy header blocks others from loading your resources cross-origin in some cases. For more, see “Consider deploying Cross-Origin Resource Policy and MDN’s article on this header.
// Sets "Cross-Origin-Resource-Policy: same-origin"
app.use(helmet());
// Sets "Cross-Origin-Resource-Policy: same-site"
app.use(helmet({ crossOriginResourcePolicy: { policy: "same-site" } }));
To disable the 要禁用Cross-Origin-Resource-Policy header:Cross-Origin-Resource-Policy标头,请执行以下操作:
app.use(
helmet({
crossOriginResourcePolicy: false,
})
);
You can use this as standalone middleware with app.use(helmet.crossOriginResourcePolicy()).
Origin-Agent-Cluster
Default:
Origin-Agent-Cluster: ?1
The Origin-Agent-Cluster header provides a mechanism to allow web applications to isolate their origins from other processes. Origin-Agent-Cluster标头提供了一种机制,允许web应用程序将其起源与其他进程隔离。Read more about it in the spec.
This header takes no options and is set by default.
// Sets "Origin-Agent-Cluster: ?1"
app.use(helmet());
To disable the 要禁用Origin-Agent-Cluster header:Origin-Agent-Cluster标头,请执行以下操作:
app.use(
helmet({
originAgentCluster: false,
})
);
You can use this as standalone middleware with 您可以将其用作独立中间件,方法是app.use(helmet.originAgentCluster()).app.use(helmet.originAgentCluster())。
Referrer-Policy
Default:
Referrer-Policy: no-referrer
The Referrer-Policy header which controls what information is set in the Referer request header. See “Referer header: privacy and security concerns” and the header’s documentation on MDN for more.
// Sets "Referrer-Policy: no-referrer"
app.use(helmet());
policy is a string or array of strings representing the policy. 是表示策略的字符串或字符串数组。If passed as an array, it will be joined with commas, which is useful when setting a fallback policy. It defaults to no-referrer.
// Sets "Referrer-Policy: no-referrer"
app.use(
helmet({
referrerPolicy: {
policy: "no-referrer",
},
})
);
// Sets "Referrer-Policy: origin,unsafe-url"
app.use(
helmet({
referrerPolicy: {
policy: ["origin", "unsafe-url"],
},
})
);
To disable the Referrer-Policy header:
app.use(
helmet({
referrerPolicy: false,
})
);
You can use this as standalone middleware with app.use(helmet.referrerPolicy()).
Strict-Transport-Security
Default:
Strict-Transport-Security: max-age=15552000; includeSubDomains
The Strict-Transport-Security header tells browsers to prefer HTTPS instead of insecure HTTP. See the documentation on MDN for more.
// Sets "Strict-Transport-Security: max-age=15552000; includeSubDomains"
app.use(helmet());
maxAge is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. It defaults to 15552000, which is 180 days.
includeSubDomains is a boolean which dictates whether to include the includeSubDomains directive, which makes this policy extend to subdomains. It defaults to true.
preload is a boolean. If true, it adds the preload directive, expressing intent to add your HSTS policy to browsers. See the “Preloading Strict Transport Security” section on MDN for more. It defaults to false.
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains"
app.use(
helmet({
strictTransportSecurity: {
maxAge: 123456,
},
})
);
// Sets "Strict-Transport-Security: max-age=123456"
app.use(
helmet({
strictTransportSecurity: {
maxAge: 123456,
includeSubDomains: false,
},
})
);
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains; preload"
app.use(
helmet({
strictTransportSecurity: {
maxAge: 63072000,
preload: true,
},
})
);
To disable the Strict-Transport-Security header:
app.use(
helmet({
strictTransportSecurity: false,
})
);
You can use this as standalone middleware with app.use(helmet.strictTransportSecurity()).
X-Content-Type-Options
Default:
X-Content-Type-Options: nosniff
The X-Content-Type-Options mitigates MIME type sniffing which can cause security issues. See documentation for this header on MDN for more.
This header takes no options and is set by default.
// Sets "X-Content-Type-Options: nosniff"
app.use(helmet());
To disable the X-Content-Type-Options header:
app.use(
helmet({
xContentTypeOptions: false,
})
);
You can use this as standalone middleware with app.use(helmet.xContentTypeOptions()).
X-DNS-Prefetch-Control
Default:
X-DNS-Prefetch-Control: off
The X-DNS-Prefetch-Control header helps control DNS prefetching, which can improve user privacy at the expense of performance. See documentation on MDN for more.
// Sets "X-DNS-Prefetch-Control: off"
app.use(helmet());
allow is a boolean dictating whether to enable DNS prefetching. 是一个布尔值,指示是否启用DNS预取。It defaults to false.
Examples:
// Sets "X-DNS-Prefetch-Control: off"
app.use(
helmet({
xDnsPrefetchControl: { allow: false },
})
);
// Sets "X-DNS-Prefetch-Control: on"
app.use(
helmet({
xDnsPrefetchControl: { allow: true },
})
);
To disable the X-DNS-Prefetch-Control header and use the browser’s default value:
app.use(
helmet({
xDnsPrefetchControl: false,
})
);
You can use this as standalone middleware with app.use(helmet.xDnsPrefetchControl()).
X-Download-Options
Default:
X-Download-Options: noopen
The X-Download-Options header is specific to Internet Explorer 8. It forces potentially-unsafe downloads to be saved, mitigating execution of HTML in your site’s context. For more, see this old post on MSDN.
This header takes no options and is set by default.
// Sets "X-Download-Options: noopen"
app.use(helmet());
To disable the X-Download-Options header:
app.use(
helmet({
xDownloadOptions: false,
})
);
You can use this as standalone middleware with app.use(helmet.xDownloadOptions()).
X-Frame-Options
Default:
X-Frame-Options: SAMEORIGIN
The legacy X-Frame-Options header to help you mitigate clickjacking attacks. This header is superseded by the frame-ancestors Content Security Policy directive but is still useful on old browsers or if no CSP is used. For more, see the documentation on MDN.
// Sets "X-Frame-Options: SAMEORIGIN"
app.use(helmet());
action is a string that specifies which directive to use—either DENY or SAMEORIGIN. (A legacy directive, ALLOW-FROM, is not supported by Helmet. Read more here.) It defaults to SAMEORIGIN.
Examples:
// Sets "X-Frame-Options: DENY"
app.use(
helmet({
xFrameOptions: { action: "deny" },
})
);
// Sets "X-Frame-Options: SAMEORIGIN"
app.use(
helmet({
xFrameOptions: { action: "sameorigin" },
})
);
To disable the X-Frame-Options header:
app.use(
helmet({
xFrameOptions: false,
})
);
You can use this as standalone middleware with app.use(helmet.xFrameOptions()).
X-Permitted-Cross-Domain-Policies
Default:
X-Permitted-Cross-Domain-Policies: none
The X-Permitted-Cross-Domain-Policies header tells some clients (mostly Adobe products) your domain’s policy for loading cross-domain content. See the description on OWASP for more.
// Sets "X-Permitted-Cross-Domain-Policies: none"
app.use(helmet());
permittedPolicies is a string that must be "none", "master-only", "by-content-type", or "all". It defaults to "none".
Examples:
// Sets "X-Permitted-Cross-Domain-Policies: none"
app.use(
helmet({
xPermittedCrossDomainPolicies: {
permittedPolicies: "none",
},
})
);
// Sets "X-Permitted-Cross-Domain-Policies: by-content-type"
app.use(
helmet({
xPermittedCrossDomainPolicies: {
permittedPolicies: "by-content-type",
},
})
);
To disable the X-Permitted-Cross-Domain-Policies header:
app.use(
helmet({
xPermittedCrossDomainPolicies: false,
})
);
You can use this as standalone middleware with 您可以将其用作独立中间件,方法是app.use(helmet.xPermittedCrossDomainPolicies()).app.use(helmet.xPermittedCrossDomainPolicies())。
X-Powered-By
Default: the X-Powered-By header, if present, is removed.
Helmet removes the X-Powered-By header, which is set by default in Express and some other frameworks. Removing the header offers very limited security benefits (see this discussion) and is mostly removed to save bandwidth, but may thwart simplistic attackers.
Note: Express has a built-in way to disable the X-Powered-By header, which you may wish to use instead.
The removal of this header takes no options. The header is removed by default.
To disable this behavior:
// Not required, but recommended for Express users:
app.disable("x-powered-by");
// Ask Helmet to ignore the X-Powered-By header.
app.use(
helmet({
xPoweredBy: false,
})
);
You can use this as standalone middleware with app.use(helmet.xPoweredBy()).
X-XSS-Protection
Default:
X-XSS-Protection: 0
Helmet disables browsers’ buggy cross-site scripting filter by setting the legacy X-XSS-Protection header to 0. See discussion about disabling the header here and documentation on MDN.
This header takes no options and is set by default.
To disable the X-XSS-Protection header:
// This is not recommended.
app.use(
helmet({
xXssProtection: false,
})
);
You can use this as standalone middleware with app.use(helmet.xXssProtection()).