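/**
 * Installs the helmet-based response-header hardening on `app` and strips the
 * `X-Powered-By` fingerprint from both `app` and `frontendApp`.
 *
 * @param {import('express').Application} app - the API/backend express app
 * @param {import('express').Application} frontendApp - the frontend express app
 */
function secureHeaders (app, frontendApp) {
  // APP_URL comes from the environment and may be unset. The original pushed it
  // into the directive arrays unconditionally, which serialises as the literal
  // string "undefined" (or throws, depending on the helmet version). Only add it
  // when it is actually configured.
  const appUrl = process.env.APP_URL
  const selfAndApp = appUrl ? ["'self'", appUrl] : ["'self'"]

  // Content Security Policy
  app.use(helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'none'"],
      // Allow <script> tags hosted by ourselves and from atlassian when inserted into an iframe
      scriptSrc: selfAndApp.concat(['https://*.atlassian.net', 'https://*.jira.com']),
      // Allow XMLHttpRequest/fetch requests
      connectSrc: selfAndApp.slice(),
      // Allow <style> tags hosted by ourselves as well as style="" attributes.
      // NOTE: 'unsafe-inline' on style-src is a deliberate trade-off for inline
      // style attributes; it does not loosen script-src.
      styleSrc: ["'self'", "'unsafe-inline'"],
      // Allow self-hosted images, data: images, organization images and the error image
      imgSrc: ["'self'", 'data:', 'https://*.githubusercontent.com', 'https://octodex.github.com']
    }
  }))

  // Enable HSTS with the value we use for education.github.com (180 days, in seconds)
  app.use(helmet.hsts({
    maxAge: 15552000
  }))

  // X-Frame / Clickjacking protection
  // Disabling this. Will probably need to dynamically
  // set this based on the referrer URL and match if it's *.atlassian.net or *.jira.com
  // app.use(helmet.frameguard({ action: 'deny' }))
  // NOTE(review): with frameguard off and no `frame-ancestors` CSP directive,
  // nothing restricts which origins may frame these responses. A static
  // `frameAncestors` directive listing 'self' plus the two Atlassian hosts above
  // would express the intent without referrer sniffing — TODO confirm the
  // pinned helmet version supports that directive before enabling it.

  // MIME-Handling: Force Save in IE
  app.use(helmet.ieNoOpen())
  // Disable caching
  // NOTE(review): helmet.noCache() is not present in newer helmet majors — TODO
  // confirm the pinned version still exports it.
  app.use(helmet.noCache())
  // Disable mimetype sniffing
  app.use(helmet.noSniff())
  // Basic XSS Protection (X-XSS-Protection header; legacy browsers only)
  app.use(helmet.xssFilter())

  // Remove the X-Powered-By
  // This particular combination of methods works
  frontendApp.disable('x-powered-by')
  app.use(helmet.hidePoweredBy())
}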
/**
 * Reads a single request header by name.
 *
 * Delegates to the wrapped express request's `header()`; the lookup is
 * case-insensitive there, so `field` casing does not matter.
 *
 * @param field - header name to look up
 * @returns the header value, or `undefined` when the request does not carry it
 */
public getHeader(field: string): string | undefined {
  const { req } = this;
  const value = req.header(field);
  return value;
}
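/**
 * Registers a middleware that stamps each configured custom header onto every
 * response.
 *
 * For entries flagged `isEnv`, `value` names an environment variable whose
 * contents become the header value. The original fell back to emitting the
 * variable *name* as the header value when that variable was unset, which both
 * leaks configuration detail and sends a meaningless header; such entries are
 * now skipped instead.
 *
 * Node's HTTP layer rejects header values containing CR/LF, so a malformed
 * environment value surfaces as a thrown error in `res.header` rather than as a
 * header-injection vector.
 *
 * @param customHeaders - headers to add; when omitted or empty nothing is registered
 */
addCustomHeaders(customHeaders?: ICustomHeader[]) {
  if (!customHeaders || customHeaders.length === 0) {
    return;
  }
  this.addUse(null, (req, res, next) => {
    for (const customHeader of customHeaders) {
      const configured = String(customHeader.value);
      if (customHeader.isEnv) {
        // Resolve the environment variable; an empty name or a missing
        // variable means there is nothing to send for this entry.
        const fromEnv = configured ? process.env[configured] : undefined;
        if (fromEnv === undefined) {
          continue;
        }
        res.header(customHeader.key, fromEnv);
      } else {
        res.header(customHeader.key, configured);
      }
    }
    next();
  });
}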