
Node.js middleware for implementing secure HTTP headers to fortify web application security.
A middleware tailored for Node.js applications that sets secure HTTP headers, mitigating a range of web vulnerabilities by enforcing headers for XSS protection, Content Security Policy, Strict Transport Security, MIME type sniffing prevention, and more. It was initially created for the @lottojs/lotto package, but nothing prevents the community from using it on its own.
Complete API documentation is available at lottojs.tech.
npm i @lottojs/secure-headers
The package provides a middleware named secureHeaders. Apply it inside your server handlers to set the necessary secure HTTP headers; these headers help prevent various web vulnerabilities.
import { createServer, IncomingMessage, ServerResponse } from 'node:http';
import { secureHeaders } from '@lottojs/secure-headers';

createServer(
    async (req: IncomingMessage, res: ServerResponse) => {
        // ...
        // Keep the options object under a different name so it does not
        // shadow the imported secureHeaders middleware function.
        const headers = {
            // ...
            xContentTypeOptions: 'nosniff',
            xXssProtection: '1; mode=block',
            contentSecurityPolicy: "default-src 'self'",
            strictTransportSecurity:
                'max-age=31536000; includeSubDomains; preload',
            xFrameOptions: 'DENY',
            cacheControl: 'no-store, no-cache, must-revalidate, private',
            // ...
        }
        // next is the handler's continuation (not shown here)
        secureHeaders(headers)(res, next())
        // ...
    },
)
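As an added illustration, and not the package's own source, the sketch below shows the kind of work a secure-headers middleware does: it maps the camelCase option names used above to HTTP header names, refuses to run once the response head has already been flushed, sets each header on the response, calls the next handler, and includes a small audit helper that lists which defensive headers a response still lacks. The fake response object, the option-to-header table, the default values and every function name here are constructed for this example; the real package's API is documented at lottojs.tech.

```javascript
// Added example, not the @lottojs/secure-headers implementation: a minimal
// secure-headers middleware plus an audit helper, with a constructed fake
// response so it runs without opening a socket.

// Option key -> wire header name. Header names are case-insensitive, but the
// conventional spelling keeps logs and audit output readable.
const HEADER_NAMES = {
  xContentTypeOptions: 'X-Content-Type-Options',
  // Current browsers ignore X-XSS-Protection and rely on CSP instead; it is
  // kept here only because the README's option list includes it.
  xXssProtection: 'X-XSS-Protection',
  contentSecurityPolicy: 'Content-Security-Policy',
  strictTransportSecurity: 'Strict-Transport-Security',
  xFrameOptions: 'X-Frame-Options',
  cacheControl: 'Cache-Control',
  referrerPolicy: 'Referrer-Policy',
};

// Values applied when an option is omitted (constructed defaults for this
// example, taken from the README's sample configuration).
const DEFAULTS = {
  xContentTypeOptions: 'nosniff',
  xFrameOptions: 'DENY',
  strictTransportSecurity: 'max-age=31536000; includeSubDomains',
  contentSecurityPolicy: "default-src 'self'",
};

// Build a middleware: (res, next) => sets headers, then continues the chain.
function secureHeadersMiddleware(options = {}) {
  const merged = { ...DEFAULTS, ...options };
  return function apply(res, next) {
    // Headers cannot be added after the head is flushed; fail loudly rather
    // than silently shipping a response without its protections.
    if (res.headersSent) {
      throw new Error('secure headers must be set before the response head is sent');
    }
    for (const [key, value] of Object.entries(merged)) {
      const name = HEADER_NAMES[key];
      if (!name) throw new Error(`unknown secure header option: ${key}`);
      if (value === false || value == null) continue; // explicit opt-out
      res.setHeader(name, String(value));
    }
    if (typeof next === 'function') return next();
  };
}

// Headers a defender expects on every HTML response; the audit reports
// which of them are absent so a missing protection is visible in tests.
const REQUIRED = [
  'X-Content-Type-Options',
  'X-Frame-Options',
  'Strict-Transport-Security',
  'Content-Security-Policy',
];

function missingSecureHeaders(res) {
  return REQUIRED.filter((name) => !res.hasHeader(name));
}

// Constructed stand-in for node:http's ServerResponse, just enough for the demo.
function fakeResponse() {
  const headers = new Map();
  return {
    headersSent: false,
    setHeader(name, value) { headers.set(name.toLowerCase(), value); },
    getHeader(name) { return headers.get(name.toLowerCase()); },
    hasHeader(name) { return headers.has(name.toLowerCase()); },
  };
}

// Run the middleware once and report the audit before and after.
function demo() {
  const res = fakeResponse();
  const before = missingSecureHeaders(res);
  let nextCalled = false;
  secureHeadersMiddleware({ xXssProtection: '1; mode=block', cacheControl: 'no-store' })(
    res,
    () => { nextCalled = true; },
  );
  return {
    before,
    after: missingSecureHeaders(res),
    nextCalled,
    csp: res.getHeader('Content-Security-Policy'),
  };
}
```

The audit helper is the part worth copying into a test suite: asserting that `missingSecureHeaders(res)` is empty for every HTML route catches the case where a handler writes its head before the middleware runs.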
All forms of contributions are more than welcome! You can contribute in the following ways:
- Create an Issue
- Create a Pull Request
- Create third-party middlewares
- Share with your friends
- Make your application with Lotto.
For more details, see Contribution Guide.
Distributed under the MIT License. See LICENSE for more information.