Discussion: How would you recommend configuring Helmet for a RESTful JSON API (sessionless) secured by oAuth bearer tokens? about helmet HOT 5 CLOSED

In short, Helmet doesn't hurt, but not all of it is helpful.

Let's say you're building an API that serves JSON and nothing but JSON. No HTML at all. Many of Helmet's middleware won't help you in that case: csp, xframe, iexss, ienoopen, are contentTypeOptions are pretty much useless, because they prevent against attacks that would show up if I were browsing your site directly.

Some of the others might be useful, though:

1. hsts might keep clients using HTTPS instead of HTTP, which is more secure.
2. cacheControl is probably useful when building an API anyway; it prevents people from caching old garbage, although your clients probably won't do much of that to begin with.
3. crossdomain would serve a restrictive crossdomain.xml, which effectively prevents Flash (and others) from loading content from your API. This might be helpful for security, although not huge either.
4. hidePoweredBy is probably the most useful, because it'd prevent a hacker from exploiting bugs in Express.

If you're concerned about bandwidth/CPU cost of these extra HTTP headers, then skip Helmet. But it probably doesn't hurt!

from helmet.

The headers helmet helps implement are certainly recommended for any web
application. Some of the headers may not be applicable for api
endpoints, depending on what you are building.

jlchereau wrote:

I am endeavouring to put together a comprehensive CRUD prototype which
you can find at https://github.com/jlchereau/Phonegap.Express.

I am not a security expert but I have been recommended to add helmet
to the stack.

—
Reply to this email directly or view it on GitHub
#43.

from helmet.

Many Thanks.

from helmet.

Alright if I close this and move the discussion to #19?

from helmet.

Sure.

from helmet.