Comments (5)
In short, Helmet doesn't hurt, but not all of it is helpful.
Let's say you're building an API that serves JSON and nothing but JSON. No HTML at all. Many of Helmet's middleware won't help you in that case: csp, xframe, iexss, ienoopen, and contentTypeOptions are pretty much useless, because they protect against attacks that would show up if I were browsing your site directly.
Some of the others might be useful, though:
- hsts might keep clients using HTTPS instead of HTTP, which is more secure.
- cacheControl is probably useful when building an API anyway; it prevents people from caching old garbage, although your clients probably won't do much of that to begin with.
- crossdomain would serve a restrictive crossdomain.xml, which effectively prevents Flash (and others) from loading content from your API. This might be helpful for security, although not huge either.
- hidePoweredBy is probably the most useful, because it'd prevent a hacker from exploiting bugs in Express.
If you're concerned about bandwidth/CPU cost of these extra HTTP headers, then skip Helmet. But it probably doesn't hurt!
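As an added example (the editor's code, not helmet's own and not the comment author's), the middleware below applies only the headers the comment above keeps for a JSON-only API. It hand-rolls the headers and uses a fake response object so it runs offline without express or helmet installed; in a real app you would compose helmet's individual middleware instead. Two notes from the editor: current helmet expresses the old crossdomain behaviour as an `X-Permitted-Cross-Domain-Policies: none` header rather than a crossdomain.xml file, which is what is used here; and `X-Content-Type-Options: nosniff` is worth sending even for a JSON API, because it stops a browser from sniffing a JSON body as HTML or script, so it is placed in the API group rather than the document-only group. The option name `hstsMaxAgeSeconds`, the helper names and the sample `X-Powered-By: Express` value are assumptions of this example.

```javascript
// Added example (editor's, not helmet's code): an Express-compatible middleware
// that sets only the headers useful for a JSON-only API, plus a minimal fake
// response so it runs without express or helmet installed.

// Headers that only matter when a browser renders the response as a document.
// Listed so the policy is explicit about what it deliberately leaves out.
const DOCUMENT_ONLY_HEADERS = [
  'Content-Security-Policy', // csp
  'X-Frame-Options',         // xframe
  'X-XSS-Protection',        // iexss
  'X-Download-Options',      // ienoopen
];

// Headers worth sending on every API response. hstsMaxAgeSeconds is an
// assumed option name for this example, not a helmet option.
function apiSecurityHeaders({ hstsMaxAgeSeconds = 31536000 } = {}) {
  const headers = {
    'Strict-Transport-Security': `max-age=${hstsMaxAgeSeconds}; includeSubDomains`,
    'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
    'Pragma': 'no-cache',
    'Expires': '0',
    // Refuses Flash/PDF cross-domain policy loads (the crossdomain.xml equivalent).
    'X-Permitted-Cross-Domain-Policies': 'none',
    // Editor's caveat: keeps a JSON body from being sniffed as HTML or script.
    'X-Content-Type-Options': 'nosniff',
  };
  return function middleware(req, res, next) {
    res.removeHeader('X-Powered-By'); // hidePoweredBy
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}

// Minimal stand-in for Express's response object. Header names are stored
// lower-cased, as Node's http module does, so lookups are case-insensitive.
class FakeResponse {
  constructor(initial = {}) {
    this.headers = new Map(Object.entries(initial).map(([k, v]) => [k.toLowerCase(), v]));
  }
  setHeader(name, value) { this.headers.set(name.toLowerCase(), String(value)); }
  getHeader(name) { return this.headers.get(name.toLowerCase()); }
  removeHeader(name) { this.headers.delete(name.toLowerCase()); }
  toObject() { return Object.fromEntries(this.headers); }
}

// Runs the middleware on a response that, like Express by default, already
// carries X-Powered-By (constructed sample value), and returns the final headers.
function applyToFreshResponse() {
  const res = new FakeResponse({ 'X-Powered-By': 'Express' });
  let nextCalled = false;
  apiSecurityHeaders()({ path: '/api/users' }, res, () => { nextCalled = true; });
  return { headers: res.toObject(), nextCalled };
}

// Policy check over a lower-cased header map: document-only headers must be
// absent, the API headers present, and X-Powered-By gone.
function verifyPolicy(headers) {
  const leaked = DOCUMENT_ONLY_HEADERS.filter((h) => h.toLowerCase() in headers);
  const missing = ['strict-transport-security', 'cache-control', 'x-content-type-options']
    .filter((h) => !(h in headers));
  const poweredBy = 'x-powered-by' in headers;
  return { ok: leaked.length === 0 && missing.length === 0 && !poweredBy, leaked, missing, poweredBy };
}

console.log(JSON.stringify(applyToFreshResponse(), null, 2));
console.log(verifyPolicy(applyToFreshResponse().headers));
```

Running the file prints the header map a JSON client would receive and the policy check result; feeding `verifyPolicy` the headers of a full `helmet()` response would instead list the document-only headers under `leaked`, which is a quick way to see what a blanket `app.use(helmet())` adds beyond what an API needs.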
The headers helmet helps implement are certainly recommended for any web application. Some of the headers may not be applicable for API endpoints, depending on what you are building.
jlchereau wrote:
I am endeavouring to put together a comprehensive CRUD prototype which you can find at https://github.com/jlchereau/Phonegap.Express. I am not a security expert but I have been recommended to add helmet to the stack.
—
Reply to this email directly or view it on GitHub #43.
Many Thanks.
Alright if I close this and move the discussion to #19?
Sure.