koa-helmet

What is koa-helmet?

koa-helmet is a middleware for Koa.js that helps secure your Koa applications by setting various HTTP headers. It is a Koa wrapper for the popular Helmet.js library, which is widely used in Express.js applications.

What are koa-helmet's main functionalities?

Content Security Policy

This feature helps prevent cross-site scripting (XSS) attacks and other cross-site injections by setting the Content-Security-Policy header.

const Koa = require('koa');
const helmet = require('koa-helmet');
const app = new Koa();

app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    styleSrc: ["'self'", 'https:']
  }
}));

app.listen(3000);

DNS Prefetch Control

This feature controls browser DNS prefetching by setting the X-DNS-Prefetch-Control header.

const Koa = require('koa');
const helmet = require('koa-helmet');
const app = new Koa();

app.use(helmet.dnsPrefetchControl({ allow: false }));

app.listen(3000);

Frameguard

This feature helps prevent clickjacking attacks by setting the X-Frame-Options header.

const Koa = require('koa');
const helmet = require('koa-helmet');
const app = new Koa();

app.use(helmet.frameguard({ action: 'deny' }));

app.listen(3000);

Hide Powered-By

This feature removes the X-Powered-By header to make it harder for attackers to see what technology your site is using.

const Koa = require('koa');
const helmet = require('koa-helmet');
const app = new Koa();

app.use(helmet.hidePoweredBy());

app.listen(3000);

HSTS

This feature adds the Strict-Transport-Security header to enforce secure (HTTP over SSL/TLS) connections to the server.

const Koa = require('koa');
const helmet = require('koa-helmet');
const app = new Koa();

app.use(helmet.hsts({ maxAge: 31536000 }));

app.listen(3000);

Other packages similar to koa-helmet

helmet

Helmet is a middleware for Express.js that helps secure your Express applications by setting various HTTP headers. It is the original library that koa-helmet wraps around. While koa-helmet is specifically designed for Koa.js, Helmet is designed for Express.js.

lusca

Lusca is another security middleware for Express.js that provides various security features such as CSRF protection, XSS protection, and more. It is similar to Helmet but offers additional features like CSRF protection out of the box.

express-rate-limit

Express-rate-limit is a middleware for Express.js that helps to limit repeated requests to public APIs and/or endpoints. While it does not provide the same HTTP header protections as koa-helmet, it is useful for preventing abuse and brute-force attacks.

README

koa-helmet

koa-helmet is a wrapper for helmet to work with koa. It provides important security headers to make your app more secure by default.

Installation

npm i koa-helmet

# or:

yarn add koa-helmet

Usage

Usage is the same as helmet

Helmet offers 11 security middleware functions:

// This...
app.use(helmet());

// ...is equivalent to this:
app.use(helmet.contentSecurityPolicy());
app.use(helmet.dnsPrefetchControl());
app.use(helmet.expectCt());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.hsts());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.permittedCrossDomainPolicies());
app.use(helmet.referrerPolicy());
app.use(helmet.xssFilter());

You can see more in the documentation.

Example

import Koa from 'koa';
import helmet from 'koa-helmet';

const app = new Koa();

app.use(helmet());

app.use((ctx) => {
  ctx.body = "Hello World"
});

app.listen(4000);

Testing

To run the tests, simply run

npm test

Versioning

• koa-helmet >=2.x (master branch) supports koa 2.x
• koa-helmet 1.x (koa-1 branch) supports koa 0.x and koa 1.x