helmet

This extension is based on express.js' helmet.

import cheetah from 'https://deno.land/x/cheetah/mod.ts'
import { helmet } from 'https://deno.land/x/cheetah/ext/helmet.ts'

const app = new cheetah()
  .use(helmet())

Configuration

  • contentSecurityPolicy

    Set the Content-Security-Policy header with a strict security policy.

    // default behavior: (enabled)
    helmet({
      contentSecurityPolicy: true
    })
    
  • crossOriginEmbedderPolicy

    Set the Cross-Origin-Embedder-Policy header.

    helmet({
      crossOriginEmbedderPolicy: null // not set by default
    })
    
  • crossOriginOpenerPolicy

    Set the Cross-Origin-Opener-Policy header.

    helmet({
      crossOriginOpenerPolicy: 'same-origin' // set to 'same-origin' by default
    })
    
  • crossOriginResourcePolicy

    Set the Cross-Origin-Resource-Policy header.

    helmet({
      crossOriginResourcePolicy: 'same-origin' // set to 'same-origin' by default
    })
    
  • dnsPrefetching

    Enable DNS Prefetching at the expense of your users' privacy.

    helmet({
      dnsPrefetching: false // disabled by default
    })
    
  • noFraming

    Set the X-Frame-Options header to mitigate Clickjacking.

    helmet({
      noFraming: 'sameorigin' // set to 'sameorigin' by default
    })
    
  • hsts

    Set the Strict-Transport-Security header, which tells browsers to use a secure HTTPS connection for this host.

    helmet({
      hsts: { // set with these options by default
        maxAge: 31536000, // a year
        includeSubDomains: true
      }
    })
    
  • noSniffing

    Set the X-Content-Type-Options header to nosniff. This mitigates Content Sniffing, which can cause security vulnerabilities.

    helmet({
      noSniffing: true // enabled by default
    })
    
  • originAgentCluster

    Set the Origin-Agent-Cluster header, which provides a mechanism to allow web applications to isolate their origins.

    helmet({
      originAgentCluster: true // enabled by default
    })
    
  • crossDomainPolicy

    Set the X-Permitted-Cross-Domain-Policies header, which tells some clients (mostly Adobe products) your domain's policy for loading cross-domain content.

    helmet({
      crossDomainPolicy: 'none' // set to 'none' by default
    })
    
  • referrerPolicy

    Set the Referrer-Policy header to control what information is sent in the Referer header.

    helmet({
      referrerPolicy: 'no-referrer' // set to 'no-referrer' by default
    })