Changelog
4.4.0 - 2021-01-17
helmet.originAgentCluster: a new middleware for the Origin-Agent-Cluster header, disabled by default

4.3.0 - 2020-12-27
helmet.contentSecurityPolicy: setting the default-src to helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc disables it
helmet.frameguard: slightly improved error messages for non-strings

4.2.0 - 2020-11-01
helmet.contentSecurityPolicy: get the default directives with contentSecurityPolicy.getDefaultDirectives()
helmet() now supports objects that don't have Object.prototype in their chain, such as Object.create(null), as options
helmet.expectCt: max-age is now first. See #264

4.1.0 - 2020-08-15
helmet.contentSecurityPolicy:
HelmetOptions interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see this comment

4.0.0 - 2020-08-02
See the Helmet 4 upgrade guide for help upgrading from Helmet 3.
helmet.contentSecurityPolicy:
  default-src directive is supplied, an error is thrown
helmet.contentSecurityPolicy:
helmet.xssFilter now disables the buggy XSS filter by default. See #230
helmet.featurePolicy. If you still need it, use the feature-policy package on npm.
helmet.hpkp. If you still need it, use the hpkp package on npm.
helmet.noCache. If you still need it, use the nocache package on npm.
helmet.contentSecurityPolicy:
  browserSniff and disableAndroid parameters). See helmetjs/csp#97
  reportOnly. Read this if you need help.
  setAllHeaders parameter). Read this if you need help.
  loose option
helmet.frameguard:
  ALLOW-FROM action. Read more here.
helmet.hidePoweredBy no longer accepts arguments. See this article to see how to replicate the removed behavior. See #224.
helmet.hsts:
  includeSubdomains with a lowercase D. See #231
  setIf. Read this if you need help. See #232
helmet.xssFilter no longer accepts options. Read "How to disable blocking with X-XSS-Protection" and "How to enable the report directive with X-XSS-Protection" if you need the legacy behavior.