Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
helmet - npm Package Compare versions
Comparing version 5.0.0 to 5.0.1
| # Changelog | ||
| ### 5.0.0 - ??? | ||
| ### 5.0.1 - 2022-01-03 | ||
| ### Changed | ||
| - Fixed some documentation | ||
| ### Removed | ||
| - Removed some unused internal code | ||
| ### 5.0.0 - 2022-01-02 | ||
| ### Added | ||
@@ -16,2 +26,3 @@ | ||
| - **Breaking:** `helmet.crossOriginResourcePolicy` is enabled by default | ||
| - **Breaking:** `helmet.originAgentCluster` is enabled by default | ||
@@ -18,0 +29,0 @@ ### Removed |
@@ -322,13 +322,11 @@ const dangerouslyDisableDefaultSrc = Symbol("dangerouslyDisableDefaultSrc") | ||
| function getArgs(option, middlewareConfig = {}) { | ||
| const { enabledByDefault = true } = middlewareConfig | ||
| switch (option) { | ||
| case undefined: | ||
| return enabledByDefault ? [] : null | ||
| case true: | ||
| return [] | ||
| case false: | ||
| return null | ||
| case true: | ||
| return [] | ||
| default: | ||
| if (middlewareConfig.takesOptions === false) { | ||
| console.warn(`${middlewareConfig.name} does not take options. ${enabledByDefault ? "Remove the property" : "Set the property to `true`"} to silence this warning.`) | ||
| console.warn(`${middlewareConfig.name} does not take options. Remove the property to silence this warning.`) | ||
| return [] | ||
@@ -335,0 +333,0 @@ } else { |
@@ -9,3 +9,3 @@ { | ||
| "description": "help secure Express/Connect apps with various HTTP headers", | ||
| "version": "5.0.0", | ||
| "version": "5.0.1", | ||
| "keywords": [ | ||
@@ -12,0 +12,0 @@ "express", |
@@ -35,14 +35,24 @@ # Helmet | ||
| Helmet is [Connect](https://github.com/senchalabs/connect)-style middleware, which is compatible with frameworks like [Express](https://expressjs.com/). (If you need support for other frameworks or languages, [see this list](https://helmetjs.github.io/see-also/).) | ||
| Helmet is [Express](https://expressjs.com) middleware. (It also works with [Connect](https://github.com/senchalabs/connect) or [no library at all](https://github.com/helmetjs/helmet/wiki/How-to-use-Helmet-without-Express)! If you need support for other frameworks or languages, [see this list](https://helmetjs.github.io/see-also/).) | ||
| The top-level `helmet` function is a wrapper around 15 smaller middlewares, 11 of which are enabled by default. | ||
| The top-level `helmet` function is a wrapper around 15 smaller middlewares. | ||
| In other words, these two things are equivalent: | ||
| In other words, these two code snippets are equivalent: | ||
| ```js | ||
| // This... | ||
| import helmet from "helmet"; | ||
| // ... | ||
| app.use(helmet()); | ||
| ``` | ||
| // ...is equivalent to this: | ||
| ```js | ||
| import * as helmet from "helmet"; | ||
| // ... | ||
| app.use(helmet.contentSecurityPolicy()); | ||
| app.use(helmet.crossOriginEmbedderPolicy()); | ||
| app.use(helmet.crossOriginOpenerPolicy()); | ||
| app.use(helmet.crossOriginResourcePolicy()); | ||
| app.use(helmet.dnsPrefetchControl()); | ||
@@ -55,2 +65,3 @@ app.use(helmet.expectCt()); | ||
| app.use(helmet.noSniff()); | ||
| app.use(helmet.originAgentCluster()); | ||
| app.use(helmet.permittedCrossDomainPolicies()); | ||
@@ -90,6 +101,4 @@ app.use(helmet.referrerPolicy()); | ||
| 11 of 15 middlewares are included by default. `crossOriginEmbedderPolicy`, `crossOriginOpenerPolicy`, `crossOriginResourcePolicy`, and `originAgentCluster` are not included by default. They must be explicitly enabled. They will be turned on by default in the next major version of Helmet. | ||
| ```js | ||
| // Includes all 11 middlewares | ||
| // Includes all 15 middlewares | ||
| app.use(helmet()); | ||
@@ -101,3 +110,3 @@ ``` | ||
| ```js | ||
| // Includes 10 middlewares, skipping `helmet.frameguard` | ||
| // Includes 14 out of 15 middlewares, skipping `helmet.frameguard` | ||
| app.use( | ||
@@ -113,3 +122,3 @@ helmet({ | ||
| ```js | ||
| // Includes all 11 middlewares, setting an option for `helmet.frameguard` | ||
| // Includes all 15 middlewares, setting an option for `helmet.frameguard` | ||
| app.use( | ||
@@ -137,6 +146,4 @@ helmet({ | ||
| `options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead. | ||
| These directives are merged into a default policy, which you can disable by setting `options.useDefaults` to `false`. Here is the default policy (whitespace added for readability): | ||
| If no directives are supplied, the following policy is set (whitespace added for readability): | ||
| default-src 'self'; | ||
@@ -154,3 +161,3 @@ base-uri 'self'; | ||
| You can use this default with the `options.useDefaults` option. `options.useDefaults` is `true` by default. | ||
| `options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead. | ||
@@ -165,3 +172,2 @@ You can also get the default directives object with `helmet.contentSecurityPolicy.getDefaultDirectives()`. | ||
| helmet.contentSecurityPolicy({ | ||
| useDefaults: true, | ||
| directives: { | ||
@@ -190,3 +196,2 @@ "script-src": ["'self'", "example.com"], | ||
| helmet.contentSecurityPolicy({ | ||
| useDefaults: true, | ||
| directives: { | ||
@@ -206,3 +211,2 @@ /* ... */ | ||
| helmet.contentSecurityPolicy({ | ||
| useDefaults: true, | ||
| directives: { | ||
@@ -229,3 +233,2 @@ scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`], | ||
| helmet.contentSecurityPolicy({ | ||
| useDefaults: true, | ||
| directives: { | ||
@@ -247,4 +250,2 @@ frameAncestors: ["'none'"], | ||
| This middleware is not included when calling `helmet()` by default, and must be enabled explicitly. It will be enabled by default in the next major version of Helmet. | ||
| Example usage with Helmet: | ||
@@ -274,4 +275,2 @@ | ||
| This middleware is not included when calling `helmet()` by default, and must be enabled explicitly. It will be enabled by default in the next major version of Helmet. | ||
| Example usage with Helmet: | ||
@@ -313,4 +312,2 @@ | ||
| This middleware is not included when calling `helmet()` by default, and must be enabled explicitly. It will be enabled by default in the next major version of Helmet. | ||
| Example usage with Helmet: | ||
@@ -474,4 +471,2 @@ | ||
| This middleware is not included when calling `helmet()` by default, and must be enabled explicitly. It will be enabled by default in the next major version of Helmet. | ||
| Example usage with Helmet: | ||
@@ -478,0 +473,0 @@ |
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Worsened metrics
- Total package byte prevSize
- decreased by-1.05%
86005
- Lines of code
- decreased by-0.38%
1048
- Number of lines in readme file
- decreased by-0.8%
618
No dependency changes