helmetjs / helmet

Help secure Express apps with various HTTP headers

Home Page: https://helmetjs.github.io/

License: MIT License

JavaScript 3.04% TypeScript 96.96%
helmet http-headers javascript middleware security

helmet's People

Contributors

a0viedo, analytically, arthurka, baconmania, dependabot[bot], evanhahn, fcrozatier, fdawgs, jbuck, kwent, louy2, mattjay, mitchellcash, mobinni, mroderick, mxxk, natevw, nathannaveen, njmulsqb, oroce, pauline-sh, pdehaan, qix-, renehamburger, shaialon, taravancil, thefourtheye, thernstig, veltman, xizhao

helmet's Issues

How about a version bump and push to npm?

npmjs.org has v0.1.2, which is quite outdated and does not work in Connect.js without patches. Also, the CSP headers etc. have been updated; e.g. Chrome browsers now get actionable headers (not X-...).

HSTS never inserted with Connect.js middleware

Connect 3.0.x has no attribute .secure, e.g. req.secure is undefined. Thus this line in hsts.js

    if (req.secure || req.headers['x-forwarded-proto'] == 'https') {

always evaluates to false and no HSTS header is ever added.

Looking through RFC6797, I am unsure if we could simply drop this test altogether, as browsers appear to ignore HSTS when there is no secure connection?

    helmet.defaults(app, { cacheControl: false });

That does not make a difference to caching behaviour, neither before nor after

    app.use(helmet.defaults());

I would like to include the defaults but I want caching to be enabled. Removing the helmet.defaults() caching behaviour is as expected; maybe I'm implementing it wrong? But I could not find a better explanation in the documentation.

Problem with iPad Safari and https?

In my app, I have the following policy:

helmet.csp.policy
defaultPolicy:
"img-src" : ['*']
"style-src" : ["'self'", "'unsafe-inline'", "fonts.googleapis.com"]
"script-src" : ["'self'", "cdnjs.cloudflare.com", "login.persona.org", "ajax.googleapis.com", "www.google-analytics.com"]

This works well for all OS/browser combinations I'm testing, except for mobile Safari on the iPad, which refuses to load the script from https://login.persona.org/include.js

The persona script is the only one delivered through the https protocol. Maybe this has something to do with it?

Unsafe-Eval listed but still blocked

I have these policies:

    var policy = {
        defaultPolicy: {
            'default-src': [
                "'self'",
                "data:",
                "'unsafe-inline'",
                "'unsafe-eval'"
            ],
            'img-src': [
                "'self'",
                "data:",
                "www.google-analytics.com"
            ],
            'script-src': [
                "'self'",
                "'unsafe-inline'",
                "'unsafe-eval'",
                "www.google-analytics.com"
            ]
        }
    };

    helmet.csp.policy(policy);

    app.use(helmet.csp());

but still, Firefox complains with:

    Content Security Policy: The page's settings blocked the loading of a resource: An attempt to call JavaScript from a string (by calling a function like eval) has been blocked

    call to eval() or related function blocked by CSP

Huh? I am allowing unsafe-eval here. Can anyone explain?

X-Webkit-CSP deprecated

I get this message with Chrome:

The 'X-WebKit-CSP' headers are deprecated; please consider using the canonical 'Content-Security-Policy' header instead.

Deprecated Warning

Hi there

In Firebug I see this:

The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead.

Why?

Add CORS middleware

Probably disabled or does nothing by default, but you could open up some CORS stuff.

Add/recommend rate-limiting middleware

I'd love this:

    app.use(helmet.rateLimit({
      rate: 500,     // 500 requests allowed every...
      window: 50000, // ...50 seconds
      whitelist: ["127.0.0.1"]
    }));

Could be included by default.

[xframe.js:12] TypeError: Cannot call method 'toUpperCase' of undefined

Got this error after update from 0.0.7 to 0.0.8:

/Users/jaxon/github/eom/node_modules/helmet/lib/middleware/xframe.js:12
    action = action.toUpperCase();
                    ^
TypeError: Cannot call method 'toUpperCase' of undefined

Reverting back to 0.0.7 resolved the issue.

More complete log:

Air-2:eom jaxon$ node ./server.js

/Users/jaxon/github/eom/node_modules/helmet/lib/middleware/xframe.js:12
    action = action.toUpperCase();
                    ^
TypeError: Cannot call method 'toUpperCase' of undefined
    at Object.module.exports (/Users/jaxon/github/eom/node_modules/helmet/lib/middleware/xframe.js:12:21)
    at Function.<anonymous> (/Users/jaxon/github/eom/settings.js:102:20)
    at Function.app.configure (/Users/jaxon/github/eom/node_modules/express/lib/application.js:395:61)
    at bootApplication (/Users/jaxon/github/eom/settings.js:31:7)
    at Object.exports.boot (/Users/jaxon/github/eom/settings.js:10:3)
    at Object.<anonymous> (/Users/jaxon/github/eom/server.js:65:23)
    at Module._compile (module.js:449:26)
    at Object.Module._extensions..js (module.js:467:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)

IE XSS filter can be used for XSS attacks instead of preventing them.

There used to be a bug in the XSS filters in Internet Explorer which actually enabled XSS attacks instead of preventing them, making sites which would normally be safe vulnerable to attacks.

So helmet could actually make sites more vulnerable instead of protecting them. The simplest solution would be disabling the filter for IE8, as this fix most certainly landed in IE9 and later, as I doubt it can be detected by UA sniffing. If you feel it's not worth fixing, please consider adding a note to the README file so developers know that they potentially expose themselves to XSS attacks.

Related reading:
http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/
http://technet.microsoft.com/en-us/security/bulletin/MS10-002

Send IE headers only on User-Agent match?

Wondering what people's thoughts are on checking the user agent in some of the IE-specific options to avoid "header clutter"?

Downsides I see are:

  • misses users who've misconfigured their UA string
  • we miss out until we update should other browsers gain support (e.g. the discussion on #26 seems to indicate this happens)

The upside is just keeping the headers minimal, which probably only mildly OCD people care about, but…well…here I am…

Handle bad input

Let's say I did something like this:

app.use(helmet.xframe('same-origin'));

That's a mistake -- it should be 'sameorigin'. At the moment, that mistake will be as if I typed DENY.

Should an error be thrown in that case? I think so, but it's debatable.

I know error checking isn't a JavaScript idiom, but I think this could be very helpful.
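
One way to make the mistake described above fail loudly, as an added example that is not helmet's own code: an X-Frame-Options middleware that validates its action at configuration time instead of silently treating 'same-origin' as DENY (function names are hypothetical).

```javascript
// Added example, not helmet's own code: an X-Frame-Options middleware that
// rejects unknown actions when it is configured, instead of silently treating
// a typo such as 'same-origin' as DENY. Function names are hypothetical.
const FRAME_ACTIONS = new Set(['DENY', 'SAMEORIGIN']);

// Normalises the action and throws a descriptive error for anything else.
function frameguard(action = 'DENY') {
  if (typeof action !== 'string') {
    throw new TypeError('X-Frame-Options action must be a string');
  }
  const value = action.trim().toUpperCase();
  if (!FRAME_ACTIONS.has(value)) {
    const allowed = [...FRAME_ACTIONS].join(', ');
    throw new Error(`Unknown X-Frame-Options action "${action}"; expected one of: ${allowed}`);
  }
  // Connect/Express-style middleware: the header value is fixed once validation passed.
  return function frameguardMiddleware(req, res, next) {
    res.setHeader('X-Frame-Options', value);
    next();
  };
}

// Runs a middleware against a minimal fake response so the header it sets
// can be inspected without starting a server.
function runMiddleware(mw) {
  const headers = {};
  let nextCalled = false;
  const res = { setHeader(name, val) { headers[name] = val; } };
  mw({}, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}
```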

Security.MD

I saw your talk, just curious why it isn't in this project.

helmet with connect (not express)

Hello,

I added helmet to my connect-based app and having an issue with it:

TypeError: Object #<ServerResponse> has no method 'header'
    at Object.handle (/.../helmet/lib/middleware/csp.js:26:17)
    at next (/.../node_modules/connect/lib/proto.js:193:15)

My configuration:

    var app = connect()
    .use( connect.static( pr.pathTo(global.codePath, 'dist/www') ) )
    .use( connect.query() )
    .use( connect.cookieParser() )
    .use( connect.session( { ... } ) )
    .use( connect.urlencoded() )
    .use( connect.json() )
    .use( connect.csrf() )
    .use( helmet.csp() );

Any help is much appreciated.

npm package looks old

Hello,

I installed the helmet library with the following command

npm install helmet

However, I seemed to get the previous version of helmet (version 0.1.3), and it didn't work for me. The latest one might be 0.2.0, so I guess the npm package is still old.

Could you update/publish the latest to npm?

I installed latest in the following, and it works fine.

npm install git://github.com/evilpacket/helmet.git

Kind Regards,

CSP mw throws TypeError on Firefox < v23 with specific CSP config

STEPS TO REPRODUCE:

  • Use CSP middleware with any of the optional reportOnly, setAllHeaders, or safari5 config options
  • Hit the page on older Firefox, specifically version < 23

RESULTS:

  • Get a TypeError:
Stack:  TypeError: Object false has no method 'indexOf'
    at /my_project/node_modules/helmet/lib/middleware/csp.js:125:50
    at Array.forEach (native)
    at csp (/my_project/node_modules/helmet/lib/middleware/csp.js:108:42)
    ....

Problem is that this line:
https://github.com/evilpacket/helmet/blob/master/lib/middleware/csp.js#L108

iterates over the config options then sets special headers if different things are present for older firefox.

If you include any of the boolean config options -- reportOnly, setAllHeaders, or safari5 -- then https://github.com/evilpacket/helmet/blob/master/lib/middleware/csp.js#L125 tries an indexOf against the boolean, which of course fails.
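
The root cause described above is a loop that treats every config key as a source list. As an added example that is not helmet's own code, here is a CSP header builder that keeps the boolean options named in the issue (reportOnly, setAllHeaders, safari5) apart from directive arrays and validates both (function names are hypothetical).

```javascript
// Added example, not helmet's own code: builds CSP headers from a config
// object while keeping boolean options (reportOnly, setAllHeaders, safari5)
// apart from directive arrays, so nothing calls indexOf on a boolean as the
// issue above describes. Function names are hypothetical.
const CSP_OPTIONS = new Set(['reportOnly', 'setAllHeaders', 'safari5']);

// fontSrc -> font-src
function toDirectiveName(key) {
  return key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Serialises only the directive entries; boolean options are type-checked
// and skipped rather than iterated over as if they were source lists.
function serializePolicy(config) {
  const parts = [];
  for (const [key, value] of Object.entries(config)) {
    if (CSP_OPTIONS.has(key)) {
      if (typeof value !== 'boolean') {
        throw new TypeError(`option ${key} must be a boolean`);
      }
      continue;
    }
    if (!Array.isArray(value) || !value.every((s) => typeof s === 'string')) {
      throw new TypeError(`directive ${key} must be an array of strings`);
    }
    parts.push(`${toDirectiveName(key)} ${value.join(' ')}`);
  }
  return parts.join('; ');
}

// Chooses header names from the boolean options: reportOnly switches to the
// Report-Only variant, setAllHeaders adds the legacy X- prefixed names that
// the browser warnings quoted on this page call deprecated.
function buildCspHeaders(config) {
  const policy = serializePolicy(config);
  const suffix = config.reportOnly ? '-Report-Only' : '';
  const names = ['Content-Security-Policy' + suffix];
  if (config.setAllHeaders) {
    names.push('X-Content-Security-Policy' + suffix, 'X-WebKit-CSP' + suffix);
  }
  const headers = {};
  for (const name of names) headers[name] = policy;
  return headers;
}
```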

Add some CSP pre-configured options

Something like this might be cool:

app.use(helmet.csp.sslOnly());
app.use(helmet.csp.socialMedia());

I'd love some way to add these to policies, rather than overwrite them. Ideas?

CSP config problem with Google fonts

I have my font-src configured as follows:

HTML:

<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans:400italic,700italic,300,400,500,700">

Helmet:

    fontSrc: [
        "'self'",
        'fonts.googleapis.com',
        'themes.googleusercontent.com'
    ]

but I am getting this error in the console:

Refused to load the font 'https://fonts.gstatic.com/s/opensans/v9/DXI1ORHCpsQm3Vp6mXoaTRampu5_7CjHW5spxoeN3Vs.woff2' because it violates the following Content Security Policy directive: "font-src 'self' fonts.googleapis.com themes.googleusercontent.com".

Can someone tell me what I am doing wrong? Thanks
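
The browser message above names the host it refused (fonts.gstatic.com), which is not in the font-src list. As an added example that is not helmet's code, this simplified CSP source-list matcher shows how a host-source list is evaluated against a URL; it handles an optional scheme, a "*." host wildcard, an optional port and 'self' resolved against a page origin, and ignores path matching and the http-to-https upgrade rule (function names are hypothetical).

```javascript
// Added example, not helmet's code: a simplified CSP source-list matcher that
// decides whether a resource URL is permitted by a directive such as font-src.
// Simplifications: paths are ignored and a source without a scheme matches any
// scheme. Function names are hypothetical.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// "*.googleapis.com" matches any subdomain; otherwise hosts must be identical.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceAllows(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === new URL(pageOrigin).origin;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) { // scheme-source such as data:
    return target.protocol.toLowerCase() === source.toLowerCase();
  }
  // host-source: [scheme://]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== target.protocol) return false;
  const targetPort = target.port || DEFAULT_PORTS[target.protocol] || '';
  if (port && port !== '*' && port !== targetPort) return false;
  return hostMatches(hostPattern.toLowerCase(), target.hostname.toLowerCase());
}

// A directive allows the URL if any one of its source expressions does.
function directiveAllows(sources, url, pageOrigin) {
  return sources.some((source) => sourceAllows(source, url, pageOrigin));
}
```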

X-Powered-By GET /favicon.ico

Because I'm using Chrome, the browser wants to get favicon.ico with a second GET, and the headers of this GET contain X-Powered-By: Express.
