helmet

helmet - npm Package Compare versions

Comparing version 0.4.2 to 0.5.0

config.json

HISTORY.md

@@ -0,1 +1,19 @@

0.5.0 / 2014-??-??
==================
- new: most middlewares have some aliases now
- update: `xframe` now called `frameguard` (though `xframe` still works)
- update: `frameguard` chooses sameorigin by default
- update: `frameguard` understands "SAME-ORIGIN" in addition to "SAMEORIGIN"
- update: `nocache` removed from default middleware stack
- update: middleware split out into their own modules
- update: documentation
- update: supported Node version to at least 0.10.0
- update: Connect version
- fix: readme link was broken
- remove: deprecation warnings
0.4.2 / 2014-10-16
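Review bot: the release date in the new `0.5.0 / 2014-??-??` heading is still a placeholder and needs filling in before the version is tagged. The `update: Connect version` entry should name the versions involved (package.json moves from `3.0.x` to `3.3.1`), and `new: most middlewares have some aliases now` should list which of the old names (`xframe`, `csp`, `nosniff`, `ienoopen`, `nocache`) keep working, since those are the names 0.4.x users have in their code.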

@@ -2,0 +20,0 @@ ==================

package.json

@@ -8,3 +8,3 @@ {

"description": "Security middleware collection for Express/Connect",
"version": "0.4.2",
"version": "0.5.0",
"keywords": [

@@ -28,22 +28,24 @@ "security",

"engines": {
"node": ">= 0.6.6"
"node": ">= 0.10.0"
},
"dependencies": {
"camelize": "1.0.x",
"connect": "3.0.x",
"helmet-crossdomain": "^0.1.0",
"platform": "1.2.x",
"underscore": "1.6.x"
"connect": "3.3.1",
"dont-sniff-mimetype": "0.1.0",
"frameguard": "0.2.0",
"helmet-crossdomain": "0.1.0",
"helmet-csp": "0.1.0",
"hide-powered-by": "0.1.0",
"hsts": "0.1.0",
"ienoopen": "0.1.0",
"nocache": "0.1.0",
"x-xss-protection": "0.1.0"
},
"devDependencies": {
"jshint": "2.5.x",
"mocha": "1.20.x",
"sinon": "1.10.x",
"supertest": "0.13.x"
"mocha": "^2.0.1",
"sinon": "^1.11.1"
},
"scripts": {
"test": "mocha",
"hint": "jshint ."
"test": "mocha"
},
"main": "lib/index"
"main": "index"
}
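Review bot: the `hint` script and the `jshint` devDependency are dropped here with no replacement and no HISTORY.md entry, so linting silently disappears; either keep it or record the removal. The runtime dependencies also switch from ranges (`"connect": "3.0.x"`, `"helmet-crossdomain": "^0.1.0"`) to exact pins (`"connect": "3.3.1"`, `"frameguard": "0.2.0"`) while the devDependencies move the other way to carets (`"mocha": "^2.0.1"`); pick one policy and state it, because exact pins mean consumers will not receive patch releases of the newly split-out modules without a new helmet release. The `main` change from `lib/index` to `index` should be checked against the files actually published in the package.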

@@ -9,33 +9,23 @@ Helmet

Helmet includes the following middleware:
Quick start
-----------
- `crossdomain` (crossdomain.xml)
- `csp` (Content Security Policy)
- `hidePoweredBy` (remove X-Powered-By)
- `hsts` (HTTP Strict Transport Security)
- `ienoopen` (X-Download-Options for IE8+)
- `nocache` (Cache-Control)
- `nosniff` (X-Content-Type-Options)
- `xframe` (X-Frame-Options)
- `xssFilter` (X-XSS-Protection for IE8+ and Chrome)
First, run `npm install helmet --save` for your app. Then, in an Express app:
Helmet also includes a default configuration of the above middleware that can be dropped into your applications.
```js
var express = require('express');
var helmet = require('helmet');
Basic usage
-----------
var app = express();
First, install it:
app.use(helmet());
```sh
npm install helmet --save
// ...
```
To use a particular middleware application-wide, just `use` it:
You can also use them individually:
```javascript
var helmet = require('helmet');
var app = express(); // or connect
app.use(helmet.xframe('deny'));
app.use(helmet.contentTypeOptions());
```js
app.use(helmet.noCache());
app.use(helmet.frameguard());
```
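Review bot: the Quick start line `app.use(helmet.frameguard());` relies on the new same-origin default without saying so, and the removed list that named the header each middleware sets (`X-Frame-Options`, `X-Content-Type-Options`, `X-Download-Options`, ...) is not carried over; the replacement list in the next section gives only descriptions, so consider keeping the header names so readers can verify the response headers their app actually emits.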

@@ -45,14 +35,18 @@

If you just want to use the default-level policies, all you need to do is:
How it works
------------
```javascript
app.use(helmet());
```
Helmet is really just a collection of 9 smaller middleware functions:
Don't want all the defaults?
- [crossdomain](https://github.com/helmetjs/crossdomain) for serving `crossdomain.xml`
- [contentSecurityPolicy](https://github.com/helmetjs/csp) for setting Content Security Policy
- [hidePoweredBy](https://github.com/helmetjs/hide-powered-by) to remove the X-Powered-By header
- [hsts](https://github.com/helmetjs/hsts) for HTTP Strict Transport Security
- [ieNoOpen](https://github.com/helmetjs/ienoopen) sets X-Download-Options for IE8+
- [noCache](https://github.com/helmetjs/nocache) to disable client-side caching
- [noSniff](https://github.com/helmetjs/dont-sniff-mimetype) to keep clients from sniffing the MIME type
- [frameguard](https://github.com/helmetjs/frameguard) to prevent clickjacking
- [xssFilter](https://github.com/helmetjs/x-xss-protection) adds some small XSS protections
```javascript
app.use(helmet({ xframe: false, hsts: false }));
app.use(helmet.xframe('sameorigin'));
```
Running `app.use(helmet())` will include 7 of the 9, leaving out `contentSecurityPolicy` and `noCache`. You can also use each module individually, as documented below.
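Review bot: the removed `app.use(helmet({ xframe: false, hsts: false }));` example was the only documentation of how to opt out of individual defaults, and nothing in the new text replaces it; if the options object is still supported, keep an example using the new `frameguard` key, and if it is not, that is a behaviour change that belongs in HISTORY.md. The sentence `will include 7 of the 9` should also name the seven that are enabled rather than only the two left out.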

@@ -70,3 +64,3 @@ Usage guide

### Content Security Policy: csp
### Content Security Policy: contentSecurityPolicy
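Review bot: the section title changes from `csp` to `contentSecurityPolicy`, but HISTORY.md only calls out the `xframe` to `frameguard` rename by name; add a changelog line stating whether `helmet.csp` keeps working as an alias, otherwise users searching the changelog for `csp` will miss the rename.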

@@ -80,3 +74,3 @@ **Trying to prevent:** Injecting anything unintended into our page. That could cause XSS vulnerabilities, unintended tracking, malicious frames, and more.

```javascript
app.use(helmet.csp({
app.use(helmet.contentSecurityPolicy({
defaultSrc: ["'self'", 'default.com'],

@@ -103,3 +97,3 @@ scriptSrc: ['scripts.com'],

*Note*: If you're using the `reportUri` feature and you're using [csurf](https://github.com/expressjs/csurf), you might have errors. [Check this out](https://github.com/evilpacket/helmet/edit/master/README.md) for a workaround.
*Note*: If you're using the `reportUri` feature and you're using [csurf](https://github.com/expressjs/csurf), you might have errors. [Check this out](https://github.com/expressjs/csurf/issues/20) for a workaround.

@@ -127,3 +121,3 @@ **Limitations:** CSP is often difficult to tune properly, as it's a whitelist and not a blacklist. It isn't supported on old browsers but is [pretty well-supported](http://caniuse.com/#feat=contentsecuritypolicy) on non-IE browsers nowadays.

### Frame options: xframe
### Frame options: frameguard

@@ -137,11 +131,11 @@ **Trying to prevent:** Your page being put in a `<frame>` or `<iframe>` without your consent. This helps to prevent things like [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking).

```javascript
// These are equivalent:
app.use(helmet.xframe());
app.use(helmet.xframe('deny'));
// Only let me be framed by people of the same origin:
app.use(helmet.xframe('sameorigin'));
app.use(helmet.frameguard('sameorigin'));
app.use(helmet.frameguard()); // Same-origin by default.
// Don't allow anyone to put me in a frame.
app.use(helmet.frameguard('deny'));
// Allow from a specific host:
app.use(helmet.xframe('allow-from', 'http://example.com'));
app.use(helmet.frameguard('allow-from', 'http://example.com'));
```
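Review bot: the default moves from `deny` (the old `xframe()` was documented as equivalent to `xframe('deny')`) to `sameorigin`, which is the looser of the two; the comment `// Same-origin by default.` should say that this is new in 0.5.0 and that 0.4.x defaulted to deny, so anyone upgrading with a bare `frameguard()` (or the `xframe()` alias) knows the emitted `X-Frame-Options` value changes under them.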

@@ -186,3 +180,3 @@

```javascript
// Set the header based on conditions
// Set the header based on silly conditions
app.use(helmet.hsts({

@@ -230,3 +224,3 @@ maxAge: 1234000,

### IE, restrict untrusted HTML: ienoopen
### IE, restrict untrusted HTML: ieNoOpen

@@ -238,3 +232,3 @@ **Trying to prevent:** Some web applications will serve untrusted HTML for download. By default, some versions of IE will allow you to open those HTML files *in the context of your site*, which means that an untrusted HTML page could start doing bad things in the context of your pages. For more, see [this MSDN blog post](http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx).

```javascript
app.use(helmet.ienoopen());
app.use(helmet.ieNoOpen());
```

@@ -244,10 +238,10 @@

### Don't infer the MIME type: nosniff
### Don't infer the MIME type: noSniff
**Trying to prevent:** Some browsers will try to "sniff" mimetypes. For example, if my server serves *file.txt* with a *text/plain* content-type, some browsers can still run that file with `<script src="file.txt"></script>`. Many browsers will allow *file.js* to be run even if the content-type isn't for JavaScript. There are [some other vulnerabilities](http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/), too.
**How to use Helmet to mitigate this:** Use Helmet's `nosniff` middleware to keep Chrome, Opera, and IE from doing this sniffing ([and Firefox soon](https://bugzilla.mozilla.org/show_bug.cgi?id=471020)). The following example sets the `X-Content-Type-Options` header to its only option, `nosniff`:
**How to use Helmet to mitigate this:** Use Helmet's `noSniff` middleware to keep Chrome, Opera, and IE from doing this sniffing ([and Firefox soon](https://bugzilla.mozilla.org/show_bug.cgi?id=471020)). The following example sets the `X-Content-Type-Options` header to its only option, `nosniff`:
```javascript
app.use(helmet.nosniff());
app.use(helmet.noSniff());
```

@@ -259,3 +253,3 @@

### Turn off caching: nocache
### Turn off caching: noCache

@@ -267,3 +261,3 @@ **Trying to prevent:** Users caching your old, buggy resources. It's possible that you've got bugs in an old HTML or JavaScript file, and with a cache, some users will be stuck with those old versions.

```javascript
app.use(helmet.nocache());
app.use(helmet.noCache());
```

@@ -276,6 +270,6 @@

```javascript
app.use(helmet.nocache({ noEtag: true }));
app.use(helmet.noCache({ noEtag: true }));
```
**Limitations:** Caching has some real benefits, and you lose them here. Browsers won't cache resources with this enabled, although some performance is retained if you keep ETag support. It's also possible that you'll introduce *new* bugs and you'll wish people had old resources cached, but that's less likely.
**Limitations:** Caching has some real benefits, and you lose them here (which is why it's disabled in the default configuration). Browsers won't cache resources with this enabled, although some performance is retained if you keep ETag support. It's also possible that you'll introduce *new* bugs and you'll wish people had old resources cached, but that's less likely.
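Review bot: the added parenthetical explaining that `noCache` is disabled in the default configuration is useful; the `contentSecurityPolicy` section should carry the same note, since the usage guide says `helmet()` leaves out both, and a reader of the CSP section alone will otherwise assume it is on.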

@@ -282,0 +276,0 @@ ### A restrictive crossdomain.xml: crossdomain
