The latest articles on Forem by sampod76 (@sampodnath). https://forem.com/sampodnath https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1995768%2F71680dd6-1eb6-44bf-b77f-402e62635543.jpeg https://forem.com/sampodnath en sampod76 Tue, 10 Sep 2024 10:44:38 +0000 https://forem.com/sampodnath/boost-your-nodejs-security-with-helmetjs-27gn https://forem.com/sampodnath/boost-your-nodejs-security-with-helmetjs-27gn <p>Building secure web applications is more important than ever. If you're using Node.js and Express, Helmet.js is your go-to middleware to add an extra layer of security by configuring various HTTP headers.</p> <ol> <li>Content Security Policy (CSP): Fine-tune your scriptSrc and styleSrc to limit what external resources can be loaded, reducing XSS attacks.</li> <li>Cross-Origin Policies: Secure cross-origin resource and embedder policies to prevent unauthorized resource sharing.</li> <li>HSTS Preloading: Enforce HTTPS to all visitors by preloading HTTP Strict Transport Security.</li> <li>Frameguard: Prevent clickjacking attacks by controlling who can embed your site in iframes.</li> <li>XSS and MIME Protection: Add X-XSS-Protection and X-Content-Type-Options headers to guard against XSS attacks and MIME sniffing. 💡 Pro Tip: Always audit your security headers regularly and stay up-to-date with emerging threats to ensure comprehensive protection. `import helmet from 'helmet';</li> </ol> <p>const app: Application = express();</p> <p>app.use(<br> helmet({<br> contentSecurityPolicy: {<br> directives: {<br> defaultSrc: ["'self'"],<br> scriptSrc: ["'self'", "'unsafe-inline'"],<br> // scriptSrc: ["'self'", "'unsafe-inline'", "example.com"],<br> styleSrc: ["'self'", "'unsafe-inline'"],<br> imgSrc: ["'self'", 'data:'],<br> connectSrc: ["'self'"],<br> fontSrc: ["'self'"],<br> objectSrc: ["'none'"],<br> mediaSrc: ["'self'"],<br> frameSrc: ["'self'"],<br> upgradeInsecureRequests: [],<br> },<br> },<br> crossOriginEmbedderPolicy: true,<br> crossOriginOpenerPolicy: { policy: 'same-origin' },<br> crossOriginResourcePolicy: { policy: 'same-origin' },<br> dnsPrefetchControl: { allow: false },<br> // expectCt: {<br> // enforce: true,<br> // maxAge: 86400, // 1 day in seconds<br> // },<br> frameguard: { action: 'deny' },<br> hsts: {<br> maxAge: 63072000, // 2 years in seconds<br> includeSubDomains: true,<br> preload: true,<br> },<br> hidePoweredBy: true,<br> ieNoOpen: true,<br> noSniff: true,<br> permittedCrossDomainPolicies: { permittedPolicies: 'none' },<br> referrerPolicy: { policy: 'strict-origin-when-cross-origin' },<br> xssFilter: true,<br> }),<br> );</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkl9u09kvkqnrf4jnl8cr.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkl9u09kvkqnrf4jnl8cr.png" alt="Image description" width="" height=""></a>`</p> node security express