HyperCloud ships with built-in Helmet protection. Helmet sets a group of HTTP response headers (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options and the others listed below) that tell the browser what a page may load, where it may be framed and how it may be embedded. Those headers mitigate whole classes of client-side attacks, including cross-site scripting (XSS), clickjacking and MIME-type sniffing, but they are a defence-in-depth layer: they do not replace output encoding, input validation or authentication in the application itself. The defaults are deliberately strict, so verify that your application still works after enabling them and relax only the specific header that needs it.
To enable Helmet protection:

server.helmet(); // This applies all the default configurations

Here is the list of all the headers Helmet covers, each with the option that configures it, the option that disables it and the default value sent.
Content-Security-Policy

Use a custom policy:

server.helmet({
  contentSecurityPolicy: {
    useDefault: false,
    directives: {
      // Your directives here
    }
  }
})

Disable the policy:

server.helmet({
  contentSecurityPolicy: false
})

Default policy:

"default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"

With useDefault: false the default directives are dropped entirely and only the ones you list are sent, so a custom policy should at least restate default-src, object-src, base-uri and frame-ancestors. The default script-src 'self' blocks inline <script> blocks, and script-src-attr 'none' blocks inline event handlers; if your pages need inline code, allow the specific scripts with a nonce or hash rather than adding 'unsafe-inline', which would let injected scripts run too.

Cross-Origin-Embedder-Policy
Specify the policy:

server.helmet({
  crossOriginEmbedderPolicy: { policy: '<your policy>' }
})

Disable the policy:

server.helmet({
  crossOriginEmbedderPolicy: false
})

Default policy:

'require-corp'

require-corp makes the browser refuse any cross-origin image, script, font or other subresource that is not served with a Cross-Origin-Resource-Policy header or via CORS, so third-party embeds commonly break when it is enabled. Together with Cross-Origin-Opener-Policy: same-origin it is what makes the page cross-origin isolated (which is what unlocks SharedArrayBuffer and high-resolution timers). Disable it, or choose a less strict policy, if you do not control the responses your pages embed.

Cross-Origin-Opener-Policy
Specify the policy:

server.helmet({
  crossOriginOpenerPolicy: { policy: '<your policy>' }
})

Disable the policy:

server.helmet({
  crossOriginOpenerPolicy: false
})

Default policy:

'same-origin'

same-origin puts the page in its own browsing context group, so a cross-origin page that opened it, or that it opened with window.open, gets no window reference to it. That isolation is the point, but it breaks flows that depend on a cross-origin popup talking back to its opener (OAuth or payment popups); 'same-origin-allow-popups' keeps those working while still isolating the page from cross-origin openers.

Cross-Origin-Resource-Policy
Specify the policy:

server.helmet({
  crossOriginResourcePolicy: { policy: '<your policy>' }
})

Disable the policy:

server.helmet({
  crossOriginResourcePolicy: false
})

Default policy:

'same-origin'

same-origin tells browsers that responses from this server may only be loaded as subresources by same-origin pages, so other sites cannot hot-link your images or pull your scripts in no-cors mode. If this server serves public assets, or an API consumed cross-origin, set 'cross-origin' (or 'same-site' if the consumers are sibling subdomains).

Origin-Agent-Cluster
Specify the policy:

server.helmet({
  originAgentCluster: '<your policy>'
})

Disable the policy:

server.helmet({
  originAgentCluster: false
})

Default policy:

'?1'

The only value that has an effect is ?1, which asks the browser to keep this origin in its own agent cluster instead of sharing one with other origins on the same site (it also stops scripts relaxing document.domain). In practice the option is on or off; there is no other policy to specify.

Referrer-Policy
Specify the policy:

server.helmet({
  referrerPolicy: { policy: '<your policy>' }
})

Disable the policy:

server.helmet({
  referrerPolicy: false
})

Default policy:

'no-referrer'

no-referrer strips the Referer header from every request leaving the page, including same-origin navigations, so nothing downstream can learn the URL (and any tokens in its query string) the user came from. If something legitimately relies on it, such as analytics or Referer-based CSRF checks, 'strict-origin-when-cross-origin' is the usual compromise: full URL same-origin, origin only cross-origin, nothing on a downgrade to HTTP.

Strict-Transport-Security
Specify the policy:

server.helmet({
  strictTransportSecurity: {
    /** Max age value in seconds */
    maxAge: 31536000,
    /** Whether to include subdomains */
    includeSubDomains: true,
    /** Whether to preload HSTS */
    preload: true
  }
})

Disable the policy:

server.helmet({
  strictTransportSecurity: false
})

Default policy:

'max-age=31536000; includeSubDomains; preload'

Browsers only honour this header when it arrives over HTTPS, so it does nothing for a server that is reached over plain HTTP. includeSubDomains commits every subdomain to HTTPS for the whole max-age, including ones that do not serve TLS today, and preload signals that the domain may be added to the browsers' built-in preload lists, which is hard to undo. Roll it out with a short maxAge first and only set preload once you intend to submit the domain.

X-Content-Type-Options
Specify the policy:

server.helmet({
  xContentTypeOptions: 'nosniff'
})

Disable the policy:

server.helmet({
  xContentTypeOptions: false
})

Default policy:

'nosniff'

nosniff is the only defined value. It stops the browser from guessing a content type from the body, so a response served with a wrong or missing Content-Type is refused as a script or stylesheet instead of being executed; check that your static files and API responses carry correct Content-Type headers, since the browser will no longer paper over mistakes.

X-DNS-Prefetch-Control
Specify the policy:

server.helmet({
  xDnsPrefetchControl: { enabled: true }
})

Disable the policy:

server.helmet({
  xDnsPrefetchControl: false
})

Default policy:

'off'

The default off stops the browser from resolving the hostnames of links on the page before the user follows them, which would otherwise reveal to those DNS resolvers which pages were viewed. Turning it on trades that small leak for slightly faster navigation to external links.

X-Download-Options
Specify the policy:

server.helmet({
  xDownloadOptions: true
})

Disable the policy:

server.helmet({
  xDownloadOptions: false
})

Default policy:

'noopen'

noopen only affects legacy Internet Explorer, where it removes the "Open" option from the download prompt so a downloaded HTML file cannot be opened in the site's security context; other browsers ignore it, so leaving it on costs nothing.

X-Frame-Options
Specify the policy:

server.helmet({
  xFrameOptions: { action: 'DENY' }
})

Disable the policy:

server.helmet({
  xFrameOptions: false
})

Default policy:

'DENY'

Browsers that support the CSP frame-ancestors directive ignore X-Frame-Options when both headers are present. With the defaults on this page that means modern browsers apply frame-ancestors 'self' and still allow same-origin framing, while DENY only takes effect in browsers without frame-ancestors support. If you want framing refused everywhere, set frame-ancestors 'none' in the Content-Security-Policy as well.

X-Permitted-Cross-Domain-Policies
Specify the policy:

server.helmet({
  xPermittedCrossDomainPolicies: {
    permittedPolicies: 'none'
  }
})

Disable the policy:

server.helmet({
  xPermittedCrossDomainPolicies: false
})

Default policy:

'none'

none tells Adobe Flash and Acrobat clients not to load any cross-domain policy file (crossdomain.xml) from this origin, so a policy file an attacker manages to upload cannot be used by those plugins to read data from your site cross-origin.

X-Powered-By
Specify the policy:

server.helmet({
  xPoweredBy: true // Removes the header
})

Default policy:

'true'

The header does nothing for the application; it only advertises the framework (and sometimes its version) to anyone fingerprinting the server, so there is no reason to send it. Note that removing it does not hide the framework from a determined attacker, who can still infer it from error pages and response quirks.

X-XSS-Protection
Specify the policy:

server.helmet({
  xXssProtection: true
})

Default policy:

'0'

The default value 0 switches off the legacy XSS auditor that some older browsers shipped. The auditor has been removed from current browsers, and where it still exists it can be abused to leak information about the page or to block legitimate scripts, so 0 is the recommended value; rely on the Content-Security-Policy for XSS mitigation instead.
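The following script, added here as an example and not HyperCloud's or Helmet's own code, checks the headers a deployed server returns against the defaults listed above and lints a custom Content-Security-Policy for the weaknesses the custom-policy section warns about. The header names, default values and directive names come from this page; the function names, the lint rules and the two sample responses are this example's own.

```javascript
// Added example, not HyperCloud or Helmet code: audit the security headers a
// server actually returns against the defaults documented on this page, and
// lint its Content-Security-Policy for directives that weaken it. Feed it the
// headers of a real response (Object.fromEntries(res.headers) from fetch());
// the two sample responses at the bottom are constructed so it runs offline.

// Documented default value of every header server.helmet() sets (names lower-cased).
const EXPECTED_DEFAULTS = {
  'content-security-policy':
    "default-src 'self';base-uri 'self';font-src 'self' https: data:;" +
    "form-action 'self';frame-ancestors 'self';img-src 'self' data:;" +
    "object-src 'none';script-src 'self';script-src-attr 'none';" +
    "style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
  'cross-origin-embedder-policy': 'require-corp',
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-resource-policy': 'same-origin',
  'origin-agent-cluster': '?1',
  'referrer-policy': 'no-referrer',
  'strict-transport-security': 'max-age=31536000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  'x-dns-prefetch-control': 'off',
  'x-download-options': 'noopen',
  'x-frame-options': 'DENY',
  'x-permitted-cross-domain-policies': 'none',
  'x-xss-protection': '0',
};
// Headers Helmet removes; their presence means the header was not stripped.
const MUST_BE_ABSENT = ['x-powered-by'];

// Parse "directive value value;directive ..." into { directive: [values] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Findings a reviewer would raise on a CSP header value (empty array = clean).
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const hasNonceOrHash = (srcs) => srcs.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // script-src falls back to default-src when it is not given.
  const script = policy['script-src'] || policy['default-src'] || [];
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash(script))
    findings.push("script-src allows 'unsafe-inline' without a nonce or hash, so injected inline scripts run");
  if (script.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (script.includes('*') || script.includes('https:')) findings.push('script-src allows scripts from any origin');
  if (!policy['object-src'] && !policy['default-src']) findings.push('no object-src or default-src, so plugins are unrestricted');
  if (!policy['base-uri']) findings.push('no base-uri, so an injected <base> tag can redirect relative script URLs');
  if (!policy['frame-ancestors']) findings.push('no frame-ancestors, so framing control falls back to X-Frame-Options');
  return findings;
}

// Compare a response's headers (any key case, string or array values) to the defaults.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = Array.isArray(v) ? v.join(', ') : String(v);
  const findings = [];
  for (const [name, expected] of Object.entries(EXPECTED_DEFAULTS)) {
    if (!(name in h)) findings.push(`${name}: missing (default is "${expected}")`);
    else if (h[name] !== expected) findings.push(`${name}: "${h[name]}" differs from default "${expected}"`);
  }
  for (const name of MUST_BE_ABSENT)
    if (name in h) findings.push(`${name}: present ("${h[name]}"), fingerprints the framework`);
  // Checks that need more than string equality.
  const hsts = h['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) findings.push('strict-transport-security: max-age below one year');
  }
  const csp = h['content-security-policy'];
  if (csp) findings.push(...lintCsp(csp).map((f) => `content-security-policy: ${f}`));
  return findings;
}

// Constructed sample: a response from a server running server.helmet() with defaults.
const HARDENED = { ...EXPECTED_DEFAULTS };
// Constructed sample: a weakened deployment (custom CSP allowing inline scripts,
// one-day HSTS, SAMEORIGIN framing, X-Powered-By left in place).
const WEAKENED = {
  ...EXPECTED_DEFAULTS,
  'content-security-policy': "default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self'",
  'strict-transport-security': 'max-age=86400',
  'x-frame-options': 'SAMEORIGIN',
  'X-Powered-By': 'Express',
};

console.log(`hardened sample: ${auditHeaders(HARDENED).length} findings`);
for (const f of auditHeaders(WEAKENED)) console.log(`weakened sample: ${f}`);
```

To run it against a live server, replace the constructed samples with `Object.fromEntries((await fetch(url)).headers)` and pass the result to auditHeaders. A non-empty findings list from a deployment that is supposed to be running the defaults usually means a reverse proxy or a later middleware is overwriting the headers, or the helmet options were changed; the CSP lint is also useful on its own for reviewing a candidate directives object before it is deployed with useDefault: false.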