en/advanced/best-practice-security.md
18 additions & 8 deletions
@@ -80,18 +80,28 @@ app.use((req, res) => {
80
80
81
81
[Helmet][helmet] can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately.
82
82
83
-
Helmet is a collection of several smaller middleware functions that set security-related HTTP response headers. Some examples include:
84
-
85
-
*`helmet.contentSecurityPolicy` which sets the `Content-Security-Policy` header. This helps prevent cross-site scripting attacks among many other things.
86
-
*`helmet.hsts` which sets the `Strict-Transport-Security` header. This helps enforce secure (HTTPS) connections to the server.
87
-
*`helmet.frameguard` which sets the `X-Frame-Options` header. This provides [clickjacking](https://www.owasp.org/index.php/Clickjacking) protection.
88
-
89
-
Helmet includes several other middleware functions which you can read about [at its documentation website][helmet].
83
+
Helmet is a middleware function that sets security-related HTTP response headers. Helmet sets the following headers by default:
84
+
85
+
-`Content-Security-Policy`: A powerful allow-list of what can happen on your page which mitigates many attacks
86
+
-`Cross-Origin-Opener-Policy`: Helps process-isolate your page
87
+
-`Cross-Origin-Resource-Policy`: Blocks others from loading your resources cross-origin
88
+
-`Origin-Agent-Cluster`: Changes process isolation to be origin-based
89
+
-`Referrer-Policy`: Controls the [`Referer`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) header
90
+
-`Strict-Transport-Security`: Tells browsers to prefer HTTPS
-`X-DNS-Prefetch-Control`: Controls DNS prefetching
93
+
-`X-Download-Options`: Forces downloads to be saved (Internet Explorer only)
94
+
-`X-Frame-Options`: Legacy header that mitigates [Clickjacking](https://en.wikipedia.org/wiki/Clickjacking) attacks
95
+
-`X-Permitted-Cross-Domain-Policies`: Controls cross-domain behavior for Adobe products, like Acrobat
96
+
-`X-Powered-By`: Info about the web server. Removed because it could be used in simple attacks
97
+
-`X-XSS-Protection`: Legacy header that tries to mitigate [XSS attacks](https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting), but makes things worse, so Helmet disables it
98
+
99
+
Each header can be configured or disabled. To read more about it please go to [its documentation website][helmet].
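Review bot: the new lead-in sentence says Helmet "sets the following headers by default", but two entries in the list describe the opposite: `X-Powered-By` is listed as "Removed" and `X-XSS-Protection` as a header "Helmet disables". Suggest wording the lead-in as "Helmet sets (or removes) the following headers by default" so the list reads consistently. Two smaller points on the same hunk: the entry "`Strict-Transport-Security`: Tells browsers to prefer HTTPS" is weaker than the removed wording ("helps enforce secure (HTTPS) connections to the server"); once a browser has cached HSTS it will not load the site over plain HTTP at all, so "enforce" or "require" is the more accurate verb. And the removed lines were the only place that named the individual middleware (`helmet.contentSecurityPolicy`, `helmet.hsts`, `helmet.frameguard`); the new closing sentence "Each header can be configured or disabled" no longer shows how, so consider keeping one short configuration pointer next to the link to the Helmet docs.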