helmetjs / helmet
Help secure Express apps with various HTTP headers
Home Page: https://helmetjs.github.io/
License: MIT License
I think it has vulnerabilities...
npmjs.org has v0.1.2, which is quite outdated and does not work in Connect.js without patches. Also, the CSP headers etc. have been updated; for example, Chrome browsers now get actionable headers (not X-...).
Connect 3.0.x has no attribute .secure, e.g. req.secure is undefined. Thus
if (req.secure || req.headers['x-forwarded-proto'] == 'https') {
in hsts.js always evaluates false and no HSTS header is ever added.
Looking through RFC6797, I am unsure if we could simply drop this test altogether, as browsers appear to ignore HSTS when there is no secure connection?
That does not make a difference to caching behaviour, neither before nor after
app.use(helmet.defaults());
I would like to include the defaults but I want caching to be enabled. Removing helmet.defaults(), caching behaves as expected. Maybe I'm implementing it wrong? But I could not find a better explanation in the documentation.
In my app, I have the following policy:
helmet.csp.policy
defaultPolicy:
"img-src" : ['*']
"style-src" : ["'self'", "'unsafe-inline'", "fonts.googleapis.com"]
"script-src" : ["'self'", "cdnjs.cloudflare.com", "login.persona.org", "ajax.googleapis.com", "www.google-analytics.com"]
This works well for all OS/browser combinations I'm testing, except for mobile Safari on the iPad, which refuses to load the script from https://login.persona.org/include.js
The Persona script is the only one delivered over HTTPS. Maybe this has something to do with it?
I have these policies:
var policy = {
defaultPolicy: {
'default-src': [
"'self'",
"data:",
"'unsafe-inline'",
"'unsafe-eval'"
],
'img-src': [
"'self'",
"data:",
"www.google-analytics.com"
],
'script-src': [
"'self'",
"'unsafe-inline'",
"'unsafe-eval'",
"www.google-analytics.com"
]
}
};
helmet.csp.policy(policy);
app.use(helmet.csp());
but still, Firefox complains with:
Content Security Policy: The page's settings blocked the loading of a resource: An attempt to call JavaScript from a string (by calling a function like eval) has been blocked
call to eval() or related function blocked by CSP
Huh? I am allowing unsafe-evals here. Can anyone explain?
The problem is in these two lines:
https://github.com/evilpacket/helmet/blob/master/lib/middleware/csp.js#L129
https://github.com/evilpacket/helmet/blob/master/lib/middleware/csp.js#L137
At both of those lines, policy[key] points to options[key] by reference. This modifies options for all future requests, and is not the desired behavior.
I get this message with Chrome:
The 'X-WebKit-CSP' headers are deprecated; please consider using the canonical 'Content-Security-Policy' header instead.
Hi there
In Firebug I see this:
The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead.
Why?
Probably disabled or does nothing by default, but you could open up some CORS stuff.
I'd love this:
app.use(helmet.rateLimit({
rate: 500, // 500 requests allowed every...
window: 50000, // ...50 seconds
whitelist: ["127.0.0.1"]
}));
Could be included by default.
Any reason why helmet.defaults isn't middleware?
I am endeavouring to put together a comprehensive CRUD prototype which you can find at https://github.com/jlchereau/Phonegap.Express.
I am not a security expert but I have been recommended to add Helmet to the stack.
How would you recommend configuring Helmet for a RESTful JSON API (sessionless) secured by OAuth bearer tokens?
Got this error after update from 0.0.7 to 0.0.8:
/Users/jaxon/github/eom/node_modules/helmet/lib/middleware/xframe.js:12
action = action.toUpperCase();
^
TypeError: Cannot call method 'toUpperCase' of undefined
Reverting back to 0.0.7 resolved the issue.
More complete log:
Air-2:eom jaxon$ node ./server.js
/Users/jaxon/github/eom/node_modules/helmet/lib/middleware/xframe.js:12
action = action.toUpperCase();
^
TypeError: Cannot call method 'toUpperCase' of undefined
at Object.module.exports (/Users/jaxon/github/eom/node_modules/helmet/lib/middleware/xframe.js:12:21)
at Function.<anonymous> (/Users/jaxon/github/eom/settings.js:102:20)
at Function.app.configure (/Users/jaxon/github/eom/node_modules/express/lib/application.js:395:61)
at bootApplication (/Users/jaxon/github/eom/settings.js:31:7)
at Object.exports.boot (/Users/jaxon/github/eom/settings.js:10:3)
at Object.<anonymous> (/Users/jaxon/github/eom/server.js:65:23)
at Module._compile (module.js:449:26)
at Object.Module._extensions..js (module.js:467:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
Look into implementing x-content-type-options
http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx
Should just be a matter of calling res.setHeader instead of res.header.
There used to be a bug in the XSS filters in Internet Explorer which actually enabled XSS attacks instead of preventing them, making sites which would normally be safe vulnerable to attacks.
So helmet could actually make sites more vulnerable instead of protecting them. The simplest solution would be disabling the filter for IE8, as this fix most certainly landed in IE9 and later, as I doubt it can be detected by UA sniffing. If you feel it's not worth fixing, please consider adding a note to the README file so developers know that they potentially expose themselves to XSS attacks.
Related reading:
http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/
http://technet.microsoft.com/en-us/security/bulletin/MS10-002
See helmetjs/csp.
Wondering what people's thoughts are on checking the user agent in some of the IE-specific options to avoid "header clutter"?
Downsides I see are:
The upside is just keeping the headers minimal, which probably only mildly OCD people care about, but… well… here I am…
Let's say I did something like this:
app.use(helmet.xframe('same-origin'));
That's a mistake -- it should be 'sameorigin'. At the moment, that mistake will be as if I typed DENY.
Should an error be thrown in that case? I think so, but it's debatable.
I know error checking isn't a JavaScript idiom, but I think this could be very helpful.
I saw your talk, just curious why it isn't in this project.
When sending the Strict-Transport-Security header, helmet sets the max-age directive to maxAge=15768000. According to the spec it should be max-age=15768000: http://tools.ietf.org/html/rfc6797#section-6.1.1
This should throw an error:
helmet.csp({
reportOnly: true,
'report-uri': null
});
Hi I'm having some problem with Chrome's CSP reporting. Here's the problem.
The request is failing. However for Firefox the reporting is good and I receive a 200. Wondering if the headers for chrome are not correct?
Hello,
I added helmet to my connect-based app and having an issue with it:
TypeError: Object #<ServerResponse> has no method 'header'
at Object.handle (/.../helmet/lib/middleware/csp.js:26:17)
at next (/.../node_modules/connect/lib/proto.js:193:15)
My configuration:
var app = connect()
.use( connect.static( pr.pathTo(global.codePath, 'dist/www') ) )
.use( connect.query() )
.use( connect.cookieParser() )
.use( connect.session( { ... } ) )
.use( connect.urlencoded() )
.use( connect.json() )
.use( connect.csrf() )
.use( helmet.csp() );
Any help is much appreciated.
Steps:
Use the CSP middleware like this: app.use(helmet.csp({}));
Open the page with IE10 and check headers
Expected:
No content security policy headers
This line of code is at fault -- why is it there?: https://github.com/evilpacket/helmet/blob/a1d7d10bfd43e55db008d44c08259b8d9f459ed3/lib/middleware/csp.js#L91
Sandbox in IE has the unfortunate side-effect of disabling forms.
Hello,
I installed the helmet library with the following command
npm install helmet
However, I seemed to get the previous version of helmet (version 0.1.3), and it didn't work for me. The latest one might be 0.2.0, so I guess npm package is still old.
Could you update/publish the latest to npm?
I installed latest in the following, and it works fine.
npm install git://github.com/evilpacket/helmet.git
Kind Regards,
Thanks for noticing, @fkammer!
Per #66, we should add some more resources for CSP.
What if you could set your CSP like this:
app.use(helmet.csp({
defaultSrc: [ /* ... */ ],
reportUri: [ /* ... */ ]
}))
Would this be a welcome feature?
STEPS TO REPRODUCE:
Use the reportOnly, setAllHeaders, or safari5 config options.
RESULTS:
Stack: TypeError: Object false has no method 'indexOf'
at /my_project/node_modules/helmet/lib/middleware/csp.js:125:50
at Array.forEach (native)
at csp (/my_project/node_modules/helmet/lib/middleware/csp.js:108:42)
....
Problem is that this line:
https://github.com/evilpacket/helmet/blob/master/lib/middleware/csp.js#L108
iterates over the config options then sets special headers if different things are present for older firefox.
If you include any of the boolean config options -- reportOnly, setAllHeaders, or safari5 -- then https://github.com/evilpacket/helmet/blob/master/lib/middleware/csp.js#L125 tries an indexOf against the boolean, which of course fails.
Something like this might be cool:
app.use(helmet.csp.sslOnly());
app.use(helmet.csp.socialMedia());
I'd love some way to add these to policies, rather than overwrite them. Ideas?
I get 403's now of course. Any ideas or is this just not possible?
I have my font-src configured as follows:
HTML:
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans:400italic,700italic,300,400,500,700">
Helmet:
fontSrc: [
"'self'",
'fonts.googleapis.com',
'themes.googleusercontent.com'
]
but I am getting this error in the console:
Refused to load the font 'https://fonts.gstatic.com/s/opensans/v9/DXI1ORHCpsQm3Vp6mXoaTRampu5_7CjHW5spxoeN3Vs.woff2' because it violates the following Content Security Policy directive: "font-src 'self' fonts.googleapis.com themes.googleusercontent.com".
Can someone tell me what I am doing wrong? Thanks
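The browser error quoted above is the expected outcome: the stylesheet comes from fonts.googleapis.com, but the font files it references come from fonts.gstatic.com, which is not in the font-src list. The evaluator below, an added example rather than helmet's or any browser's code, implements a simplified version of CSP source matching ('self', 'none', scheme sources, and host sources with optional scheme, port and leading "*." wildcard; nonces, hashes and 'unsafe-inline' are skipped) so the mismatch can be checked offline.

```javascript
// Added example (not helmet's code): simplified CSP source-list matching, enough
// to show why font-src 'self' fonts.googleapis.com themes.googleusercontent.com
// rejects https://fonts.gstatic.com/... while fonts.gstatic.com would allow it.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);                 // "*.gstatic.com" -> ".gstatic.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// sources: array of CSP source expressions; pageOrigin and url: absolute URLs.
function isAllowed(sources, pageOrigin, url) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  const tHost = target.hostname.toLowerCase();
  for (const raw of sources) {
    const src = raw.toLowerCase();
    if (src === "'none'") return false;
    if (src === "'self'") {
      if (target.origin === page.origin) return true;
      continue;
    }
    if (src.startsWith("'")) continue;               // 'unsafe-inline', nonces, hashes: not URL matchers
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) {          // scheme-source such as "https:" or "data:"
      if (target.protocol === src) return true;
      continue;
    }
    // host-source: [scheme://]host[:port]
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/.exec(src);
    if (!m) continue;
    const scheme = m[1], hostPat = m[2], port = m[3];
    if (scheme && target.protocol !== scheme + ':') continue;
    // No scheme given: the page's scheme applies, with http pages allowed to upgrade to https.
    if (!scheme && target.protocol !== page.protocol &&
        !(page.protocol === 'http:' && target.protocol === 'https:')) continue;
    if (!hostMatches(hostPat, tHost)) continue;
    if (port && port !== '*' && port !== (target.port || defaultPort(target.protocol))) continue;
    return true;
  }
  return false;
}
```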
The express-enforces-ssl module does a 301 redirect from HTTP connections to HTTPS connections. Maybe we should incorporate it or mention it in the README.
Because I'm using Chrome, the browser fetches favicon.ico with a second GET, and the response to that GET contains the header X-Powered-By: Express.