koa-helmet is a wrapper for helmet to work with koa.
This branch supports Koa 0.x and 1.x. For Koa 2 support (using Promises instead of Generators), please use the master branch.
- koa-helmet 1.x (koa-1 branch) supports koa 0.x and koa 1.x
- koa-helmet 2.x (master branch) supports koa 2.x
```sh
yarn add koa-helmet
```
or via npm:
```sh
npm install koa-helmet --save
```
Usage is the same as helmet.
Helmet offers 11 security middleware functions:
| Module | Default? |
|---|---|
| `contentSecurityPolicy` for setting Content Security Policy | |
| `dnsPrefetchControl` controls browser DNS prefetching | ✓ |
| `frameguard` to prevent clickjacking | ✓ |
| `hidePoweredBy` to remove the X-Powered-By header | ✓ |
| `hpkp` for HTTP Public Key Pinning | |
| `hsts` for HTTP Strict Transport Security | ✓ |
| `ieNoOpen` sets X-Download-Options for IE8+ | ✓ |
| `noCache` to disable client-side caching | |
| `noSniff` to keep clients from sniffing the MIME type | ✓ |
| `referrerPolicy` to hide the Referer header | |
| `xssFilter` adds some small XSS protections | ✓ |
You can see more in the documentation.
In order to work well with the helmet HSTS module, koa-helmet will augment `this.req` to include a `secure` boolean to determine if the request is over HTTPS.
```js
const koa = require('koa')
const helmet = require('koa-helmet')

const app = koa()

// Mount helmet first so every later handler's response carries the headers.
app.use(helmet())

// Koa 1.x middleware is a generator function; `this` is the Koa context.
app.use(function * () {
  this.body = 'Hello World'
})

app.listen(4000)
```
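The `secure` augmentation described above is what lets the HSTS module decide whether a `Strict-Transport-Security` header should be emitted at all: browsers ignore HSTS received over plain HTTP, so the header is only worth sending on HTTPS responses. The block below is an added illustration of that decision, not koa-helmet's or Helmet's own code. It assumes a Node-style request object with `socket.encrypted` and a `headers` map, and a `trustProxy` flag standing in for Koa's `app.proxy` setting; the `maxAge` default and the sample requests are constructed for the example.

```javascript
// Added illustration (not koa-helmet or Helmet code): classify a request as
// HTTPS and build the HSTS header only for secure requests.
// Assumed request shape: { socket: { encrypted }, headers: {} } like Node's
// IncomingMessage; `trustProxy` plays the role of Koa's app.proxy flag.

function isSecureRequest(req, trustProxy) {
  // A TLS socket terminates here: the request is unambiguously HTTPS.
  if (req.socket && req.socket.encrypted) return true;
  // Behind a TLS-terminating reverse proxy the socket is plain TCP and the
  // original scheme arrives in X-Forwarded-Proto. Any client can send that
  // header, so it is only meaningful when a trusted proxy in front of the app
  // overwrites it; honour it only when the app is configured to trust its proxy.
  if (!trustProxy) return false;
  const xfp = req.headers['x-forwarded-proto'];
  if (!xfp) return false;
  // The header may carry a comma-separated chain of schemes; the first entry
  // is the scheme the client used toward the outermost proxy.
  return xfp.split(',')[0].trim().toLowerCase() === 'https';
}

function hstsHeaderValue(opts) {
  // Defaults chosen for this example (180 days), not Helmet's own values.
  const o = Object.assign({ maxAge: 15552000, includeSubDomains: true, preload: false }, opts);
  if (!Number.isInteger(o.maxAge) || o.maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  let value = 'max-age=' + o.maxAge;
  if (o.includeSubDomains) value += '; includeSubDomains';
  if (o.preload) value += '; preload';
  return value;
}

// Headers an HSTS middleware would add for this request: none over plain HTTP
// (user agents ignore HSTS received over HTTP), the policy over HTTPS.
function hstsHeadersFor(req, { trustProxy = false, hsts = {} } = {}) {
  if (!isSecureRequest(req, trustProxy)) return {};
  return { 'Strict-Transport-Security': hstsHeaderValue(hsts) };
}

// Constructed sample requests.
const tlsRequest = { socket: { encrypted: true }, headers: {} };
const proxiedRequest = { socket: { encrypted: false }, headers: { 'x-forwarded-proto': 'https, http' } };
const plainRequest = { socket: { encrypted: false }, headers: {} };

console.log(hstsHeadersFor(tlsRequest));                            // policy emitted
console.log(hstsHeadersFor(proxiedRequest));                        // {} : header not trusted
console.log(hstsHeadersFor(proxiedRequest, { trustProxy: true }));  // policy emitted
console.log(hstsHeadersFor(plainRequest, { trustProxy: true }));    // {}
```

The point of the `trustProxy` gate is that `X-Forwarded-Proto` is untrusted input unless a proxy you control sets it; turning on `app.proxy` for an app that is reachable directly lets a plain-HTTP client claim to be HTTPS, which is a correctness issue for anything that keys on `secure`, not only HSTS.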