This repository has been archived by the owner on Dec 5, 2023. It is now read-only.

Helmet Middleware for Hono

Bring helmet to Hono.

Quick Demo with Deno (the import below pulls the unpinned `main` branch of this repository; pin a commit or tag for anything beyond a throwaway demo)

import { serve } from "https://deno.land/std@0.167.0/http/server.ts";
import { Hono } from "npm:hono@2.7.7";
import { honoHelmet } from "https://github.com/Catminusminus/hono-helmet/raw/main/src/index.ts";

const app = new Hono();

app.use(honoHelmet());
app.get("/", (c) => c.text("Hello Hono!"));

serve(app.fetch);

Requirements

Sorry, this package is not published to npm yet, so the install commands below will not work until it is.

npm i @catminusminus/hono-helmet

or

yarn add @catminusminus/hono-helmet

Usage

index.js:

import { Hono } from "hono";
import { honoHelmet } from "@catminusminus/hono-helmet";
import { serve } from "@hono/node-server";

const app = new Hono();

app.use(honoHelmet());
app.get("/", (c) => c.text("Hello Hono!"));

serve(app);

When called with no options, the middleware sets the following header fields by default:

Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0

To set custom options:

app.use(
  honoHelmet({
    permittedCrossDomainPolicies: {
      permittedPolicies: "all",
    },
  }),
);

To disable header fields:

app.use(
  honoHelmet({
    contentSecurityPolicy: false,
  }),
);

Reference

honoHelmet(options)
// Use the default header fields
app.use(honoHelmet());

// Disable one or more header fields
app.use(
  honoHelmet({
    contentSecurityPolicy: false,
  }),
);

// Use the default header fields but X-Permitted-Cross-Domain-Policies: all
app.use(
  honoHelmet({
    permittedCrossDomainPolicies: {
      permittedPolicies: "all",
    },
  }),
);
honoHelmet({contentSecurityPolicy: options})

The default Content-Security-Policy directives are as follows:

"default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
// Use the defaults but "default-src 'none'
app.use(
  honoHelmet({
    contentSecurityPolicy: {
      defaultSrc: ["'none'"],
    },
  }),
);

// Use the defaults but "default-src 'self' 'nonce-<nonce>'
app.use(
  honoHelmet({
    contentSecurityPolicy: {
      defaultSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
    },
  }),
);

// Use the defaults but disable "default-src"
app.use(
  honoHelmet({
    contentSecurityPolicy: {
      defaultSrc: false,
    },
  }),
);

// Disable the defaults and "default-src 'none'
app.use(
  honoHelmet({
    contentSecurityPolicy: {
      useDefaults: false,
      defaultSrc: ["'none'"],
    },
  }),
);
honoHelmet({crossOriginEmbedderPolicy: options})

Default:

Cross-Origin-Embedder-Policy: require-corp
// Cross-Origin-Embedder-Policy: credentialless
app.use(
  honoHelmet({
    crossOriginEmbedderPolicy: {
      policy: "credentialless",
    },
  }),
);
honoHelmet({crossOriginOpenerPolicy: options})

Default:

Cross-Origin-Opener-Policy: same-origin
// Cross-Origin-Opener-Policy: same-origin-allow-popups
app.use(
  honoHelmet({
    crossOriginOpenerPolicy: {
      policy: "same-origin-allow-popups",
    },
  }),
);
honoHelmet({referrerPolicy: options})

Default:

Referrer-Policy: no-referrer
// Referrer-Policy: no-referrer-when-downgrade
app.use(
  honoHelmet({
    referrerPolicy: {
      policy: "no-referrer-when-downgrade",
    },
  }),
);

// Referrer-Policy: origin,no-referrer-when-downgrade
app.use(
  honoHelmet({
    referrerPolicy: {
      policy: ["origin", "no-referrer-when-downgrade"],
    },
  }),
);
honoHelmet({hsts: options})

Default:

Strict-Transport-Security: max-age=15552000; includeSubDomains
// Strict-Transport-Security: max-age=123456; includeSubDomains
app.use(
  honoHelmet({
    hsts: {
      maxAge: 123456,
    },
  }),
);

// Strict-Transport-Security: max-age=123456
app.use(
  honoHelmet({
    hsts: {
      maxAge: 123456,
      includeSubDomains: false,
    },
  }),
);

// Strict-Transport-Security: max-age=123456; includeSubDomains; preload
app.use(
  honoHelmet({
    hsts: {
      maxAge: 123456,
      preload: true,
    },
  }),
);
honoHelmet({nosniff: options})

Default:

X-Content-Type-Options: nosniff
// Disable X-Content-Type-Options: nosniff
app.use(
  honoHelmet({
    nosniff: false,
  }),
);
honoHelmet({originAgentCluster: options})

Default:

Origin-Agent-Cluster: ?1
// Origin-Agent-Cluster: ?0
app.use(
  honoHelmet({
    originAgentCluster: "?0",
  }),
);
honoHelmet({dnsPrefetchControl: options})

Default:

X-DNS-Prefetch-Control: off
// X-DNS-Prefetch-Control: on
app.use(
  honoHelmet({
    dnsPrefetchControl: {
      allow: true,
    },
  }),
);
honoHelmet({ieNoOpen: options})

Default:

X-Download-Options: noopen
// Disable X-Download-Options: noopen
app.use(
  honoHelmet({
    ieNoOpen: false,
  }),
);
honoHelmet({frameguard: options})

Default:

X-Frame-Options: SAMEORIGIN
// X-Frame-Options: DENY
app.use(
  honoHelmet({
    frameguard: {
      action: "deny",
    },
  }),
);
honoHelmet({permittedCrossDomainPolicies: options})

Default:

X-Permitted-Cross-Domain-Policies: none
// X-Permitted-Cross-Domain-Policies: by-content-type
app.use(
  honoHelmet({
    permittedCrossDomainPolicies: {
      permittedPolicies: "by-content-type",
    },
  }),
);
honoHelmet({hidePoweredBy: options})

Default: the X-Powered-By header field is removed

// Do not remove X-Powered-By field
app.use(
  honoHelmet({
    hidePoweredBy: false,
  }),
);
honoHelmet({xssFilter: options})

Default:

X-XSS-Protection: 0
// Disable X-XSS-Protection: 0
app.use(
  honoHelmet({
    xssFilter: false,
  }),
);