helmetjs / helmet
Help secure Express apps with various HTTP headers
Home Page: https://helmetjs.github.io/
License: MIT License
What if you could set your CSP like this:
app.use(helmet.csp({
  defaultSrc: [ /* ... */ ],
  reportUri: [ /* ... */ ]
}))
Would this be a welcome feature?
I get this message with Chrome:
The 'X-WebKit-CSP' headers are deprecated; please consider using the canonical 'Content-Security-Policy' header instead.
I get 403s now, of course. Any ideas, or is this just not possible?
Got this error after update from 0.0.7 to 0.0.8:
/Users/jaxon/github/eom/node_modules/helmet/lib/middleware/xframe.js:12
action = action.toUpperCase();
^
TypeError: Cannot call method 'toUpperCase' of undefined
Reverting back to 0.0.7 resolved the issue.
More complete log:
Air-2:eom jaxon$ node ./server.js
/Users/jaxon/github/eom/node_modules/helmet/lib/middleware/xframe.js:12
action = action.toUpperCase();
^
TypeError: Cannot call method 'toUpperCase' of undefined
at Object.module.exports (/Users/jaxon/github/eom/node_modules/helmet/lib/middleware/xframe.js:12:21)
at Function.<anonymous> (/Users/jaxon/github/eom/settings.js:102:20)
at Function.app.configure (/Users/jaxon/github/eom/node_modules/express/lib/application.js:395:61)
at bootApplication (/Users/jaxon/github/eom/settings.js:31:7)
at Object.exports.boot (/Users/jaxon/github/eom/settings.js:10:3)
at Object.<anonymous> (/Users/jaxon/github/eom/server.js:65:23)
at Module._compile (module.js:449:26)
at Object.Module._extensions..js (module.js:467:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
Hi, I'm having a problem with Chrome's CSP reporting. Here's the problem.
The request is failing. However, for Firefox the reporting is good and I receive a 200. Wondering if the headers for Chrome are not correct?
I have these policies:
var policy = {
  defaultPolicy: {
    'default-src': [
      "'self'",
      "data:",
      "'unsafe-inline'",
      "'unsafe-eval'"
    ],
    'img-src': [
      "'self'",
      "data:",
      "www.google-analytics.com"
    ],
    'script-src': [
      "'self'",
      "'unsafe-inline'",
      "'unsafe-eval'",
      "www.google-analytics.com"
    ]
  }
};
helmet.csp.policy(policy);
app.use(helmet.csp());
but still, Firefox complains with:
Content Security Policy: The page's settings blocked the loading of a resource: An attempt to call JavaScript from a string (by calling a function like eval) has been blocked
call to eval() or related function blocked by CSP
Huh? I am allowing unsafe-evals here. Can anyone explain?
Wondering what people's thoughts are on checking the user agent in some of the IE-specific options to avoid "header clutter"?
Downsides I see are:
The upside is just keeping the headers minimal, which probably only mildly OCD people care about, but... well... here I am...
There used to be a bug in the XSS filters in Internet Explorer which actually enabled XSS attacks instead of preventing them, making sites which would normally be safe vulnerable to attacks.
So helmet could actually make sites more vulnerable instead of protecting them. The simplest solution would be disabling the filter for IE8, as this fix most certainly landed in IE9 and later, and I doubt it can be detected by UA sniffing. If you feel it's not worth fixing, please consider adding a note to the README file so developers know that they potentially expose themselves to XSS attacks.
Related reading:
http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/
http://technet.microsoft.com/en-us/security/bulletin/MS10-002
Connect 3.0.x has no attribute .secure, e.g. req.secure is undefined. Thus
if (req.secure || req.headers['x-forwarded-proto'] == 'https') {
in hsts.js always evaluates to false and no HSTS header is ever added.
Looking through RFC6797, I am unsure if we could simply drop this test altogether, as browsers appear to ignore HSTS when there is no secure connection?
I think it has vulnerabilities...
This should throw an error:
helmet.csp({
  reportOnly: true,
  'report-uri': null
});
STEPS TO REPRODUCE:
Use any of the reportOnly, setAllHeaders, or safari5 config options.
RESULTS:
Stack: TypeError: Object false has no method 'indexOf'
at /my_project/node_modules/helmet/lib/middleware/csp.js:125:50
at Array.forEach (native)
at csp (/my_project/node_modules/helmet/lib/middleware/csp.js:108:42)
....
The problem is that this line:
https://github.com/evilpacket/helmet/blob/master/lib/middleware/csp.js#L108
iterates over the config options, then sets special headers if different things are present for older Firefox.
If you include any of the boolean config options -- reportOnly, setAllHeaders, or safari5 -- then https://github.com/evilpacket/helmet/blob/master/lib/middleware/csp.js#L125 tries an indexOf against the boolean, which of course fails.
Probably disabled or does nothing by default, but you could open up some CORS stuff.
I am endeavouring to put together a comprehensive CRUD prototype which you can find at https://github.com/jlchereau/Phonegap.Express.
I am not a security expert but I have been recommended to add Helmet to the stack.
How would you recommend configuring Helmet for a RESTful JSON API (sessionless) secured by OAuth bearer tokens?
Something like this might be cool:
app.use(helmet.csp.sslOnly());
app.use(helmet.csp.socialMedia());
I'd love some way to add these to policies, rather than overwrite them. Ideas?
That does not make a difference to caching behaviour, neither before nor after
app.use(helmet.defaults());
I would like to include the defaults but I want caching to be enabled. Removing the helmet.defaults() caching behaviour is as expected; maybe I'm implementing it wrong? But I could not find a better explanation in the documentation.
Hi there
In Firebug I see this:
The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead.
Why?
Should just be a matter of calling res.setHeader instead of res.header.
Steps:
Use the CSP middleware like this: app.use(helmet.csp({}));
Open the page with IE10 and check headers
Expected:
No content security policy headers
This line of code is at fault -- why is it there?: https://github.com/evilpacket/helmet/blob/a1d7d10bfd43e55db008d44c08259b8d9f459ed3/lib/middleware/csp.js#L91
Sandbox in IE has the unfortunate side-effect of disabling forms.
Thanks for noticing, @fkammer!
Hello,
I added helmet to my connect-based app and I'm having an issue with it:
TypeError: Object #<ServerResponse> has no method 'header'
at Object.handle (/.../helmet/lib/middleware/csp.js:26:17)
at next (/.../node_modules/connect/lib/proto.js:193:15)
My configuration:
var app = connect()
  .use( connect.static( pr.pathTo(global.codePath, 'dist/www') ) )
  .use( connect.query() )
  .use( connect.cookieParser() )
  .use( connect.session( { ... } ) )
  .use( connect.urlencoded() )
  .use( connect.json() )
  .use( connect.csrf() )
  .use( helmet.csp() );
Any help is much appreciated.
When sending the Strict-Transport-Security header, helmet sets the max-age directive to maxAge=15768000. According to the spec it should be max-age=15768000: http://tools.ietf.org/html/rfc6797#section-6.1.1
Look into implementing x-content-type-options
http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx
I saw your talk, just curious why it isn't in this project.
Per #66, we should add some more resources for CSP.
Let's say I did something like this:
app.use(helmet.xframe('same-origin'));
That's a mistake -- it should be 'sameorigin'. At the moment, that mistake will be as if I typed DENY.
Should an error be thrown in that case? I think so, but it's debatable.
I know error checking isn't a JavaScript idiom, but I think this could be very helpful.
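An added example (not helmet's code) of the validation suggested here, which also covers the undefined-action crash from the 0.0.8 report above: the action is checked once when the middleware is created, a missing action falls back to DENY, and an unknown spelling like 'same-origin' throws instead of silently becoming DENY. The ALLOW-FROM URI check is an assumption of this example.

```javascript
const ACTIONS = ['DENY', 'SAMEORIGIN', 'ALLOW-FROM'];

// Validates the action and returns the exact header value.
function xframeValue(action, allowFromUri) {
  if (action === undefined || action === null) return 'DENY'; // no crash on a missing argument
  if (typeof action !== 'string') throw new TypeError('X-Frame-Options action must be a string');
  const upper = action.toUpperCase();
  if (!ACTIONS.includes(upper)) {
    // 'same-origin' lands here instead of being sent as DENY
    throw new Error("Unknown X-Frame-Options action '" + action + "'; expected one of " + ACTIONS.join(', '));
  }
  if (upper === 'ALLOW-FROM') {
    // assumed check: ALLOW-FROM needs an absolute http(s) URI to be meaningful
    if (typeof allowFromUri !== 'string' || !/^https?:\/\/\S+$/i.test(allowFromUri)) {
      throw new Error('ALLOW-FROM requires an absolute http(s) URI');
    }
    return 'ALLOW-FROM ' + allowFromUri;
  }
  return upper;
}

function xframe(action, allowFromUri) {
  const value = xframeValue(action, allowFromUri); // fails fast at startup, not on the first request
  return function xframeMiddleware(req, res, next) {
    res.setHeader('X-Frame-Options', value);
    next();
  };
}
```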
See helmetjs/csp.
The express-enforces-ssl module does a 301 redirect for HTTP connections to HTTPS connections. Maybe we should incorporate it or mention it in the README.
Because I'm using Chrome, this browser wants to get the favicon.ico with a second GET. And this GET's headers contain X-Powered-By: Express.
The problem is in these two lines:
https://github.com/evilpacket/helmet/blob/master/lib/middleware/csp.js#L129
https://github.com/evilpacket/helmet/blob/master/lib/middleware/csp.js#L137
At both of those lines, policy[key] points to options[key] by reference. This modifies options for all future requests, and is not the desired behavior.
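An added example, not helmet's code, of building the header per request in a way that avoids both this aliasing bug and the indexOf-on-a-boolean crash reported above: flag options are skipped rather than iterated, and every directive array is copied before the legacy-Firefox rewrite touches it. The camelCase option names and the Firefox version cut-off are assumptions of this example.

```javascript
const FLAGS = new Set(['reportOnly', 'setAllHeaders', 'safari5']); // booleans, never directives
const LEGACY = new Map([["'unsafe-inline'", 'inline-script'], ["'unsafe-eval'", 'eval-script']]);

// defaultSrc -> default-src, reportUri -> report-uri (assumed camelCase option names)
function directiveName(key) {
  return key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Copies each directive's source list out of options. Flags are skipped, so nothing
// ever calls indexOf on a boolean, and arrays are cloned, so edits made below never
// alias options[key] and leak into later requests.
function copyPolicy(options) {
  const policy = {};
  for (const key of Object.keys(options)) {
    if (FLAGS.has(key)) continue;
    if (!Array.isArray(options[key])) throw new TypeError(key + ' must be an array of sources');
    policy[directiveName(key)] = options[key].slice();
  }
  return policy;
}

// Legacy Firefox (X-Content-Security-Policy syntax) spelled 'unsafe-inline' and
// 'unsafe-eval' as an "options inline-script eval-script" directive instead.
function toLegacyFirefox(policy) {
  const opts = [];
  for (const name of Object.keys(policy)) {
    policy[name] = policy[name].filter((src) => {
      if (!LEGACY.has(src)) return true;
      if (!opts.includes(LEGACY.get(src))) opts.push(LEGACY.get(src));
      return false;
    });
  }
  if (opts.length) policy.options = opts;
  return policy;
}
function serialize(policy) {
  return Object.keys(policy).map((n) => n + ' ' + policy[n].join(' ')).join('; ');
}
// Returns { name, value } for one request; options is left untouched. The Firefox < 23
// cut-off for the prefixed header is an assumption of this example.
function headerFor(options, userAgent) {
  let policy = copyPolicy(options);
  let name = options.reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  const ff = /Firefox\/(\d+)/.exec(userAgent || '');
  if (ff && Number(ff[1]) < 23) {
    policy = toLegacyFirefox(policy);
    name = 'X-' + name;
  }
  return { name, value: serialize(policy) };
}
```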
In my app, I have the following policy:
helmet.csp.policy
  defaultPolicy:
    "img-src" : ['*']
    "style-src" : ["'self'", "'unsafe-inline'", "fonts.googleapis.com"]
    "script-src" : ["'self'", "cdnjs.cloudflare.com", "login.persona.org", "ajax.googleapis.com", "www.google-analytics.com"]
This works well for all OS/browser combinations I'm testing, except for mobile Safari on the iPad which refuses to load the script from https://login.persona.org/include.js
The persona script is the only one delivered through the https protocol. Maybe this has something to do with it?
Hello,
I installed the helmet library with the following command
npm install helmet
However, I seemed to get the previous version of helmet (version 0.1.3), and it didn't work for me. The latest one might be 0.2.0, so I guess the npm package is still old.
Could you update/publish the latest to npm?
I installed the latest as follows, and it works fine.
npm install git://github.com/evilpacket/helmet.git
Kind Regards,
I'd love this:
app.use(helmet.rateLimit({
  rate: 500, // 500 requests allowed every...
  window: 50000, // ...50 seconds
  whitelist: ["127.0.0.1"]
}));
Could be included by default.
I have my font-src configured as follows:
HTML:
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans:400italic,700italic,300,400,500,700">
Helmet:
fontSrc: [
  "'self'",
  'fonts.googleapis.com',
  'themes.googleusercontent.com'
]
but I am getting this error in the console:
Refused to load the font 'https://fonts.gstatic.com/s/opensans/v9/DXI1ORHCpsQm3Vp6mXoaTRampu5_7CjHW5spxoeN3Vs.woff2' because it violates the following Content Security Policy directive: "font-src 'self' fonts.googleapis.com themes.googleusercontent.com".
Can someone tell me what I am doing wrong? Thanks
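The blocked URL in the console message is on fonts.gstatic.com, a host the font-src list does not name. As an added example (not helmet's code), this checker evaluates a resource URL against a CSP source list the way a browser does, so a directive can be tested before it is deployed; pageOrigin, the any-scheme treatment of scheme-less hosts, and the absence of path matching are simplifications of this example.

```javascript
// Parses "font-src 'self' fonts.googleapis.com" into its name and source list.
function parseDirective(text) {
  const [name, ...sources] = text.trim().split(/\s+/);
  return { name, sources };
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// "*.example.com" matches any subdomain but not example.com itself.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// pageOrigin is the origin of the document the policy was delivered with ('self').
function sourceAllows(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // data:, blob:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  // Simplification: a scheme-less host source is accepted for any scheme; browsers are stricter.
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  if (!hostMatches(hostPattern.toLowerCase(), url.hostname.toLowerCase())) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port && port !== '*' && port !== urlPort) return false;
  return true;
}

// True when the directive permits loading resourceUrl.
function isAllowed(directiveText, resourceUrl, pageOrigin) {
  const { sources } = parseDirective(directiveText);
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceAllows(s, url, pageOrigin));
}
```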
Any reason why helmet.defaults isn't middleware?
npmjs.org has v0.1.2, which is quite outdated and does not work in Connect.js without patches. Also, the CSP headers etc. have been updated; for example, Chrome browsers now get actionable headers (not X-...).