What is koa-helmet?
koa-helmet is a middleware for Koa.js that helps secure your Koa applications by setting various HTTP headers. It is a Koa wrapper for the popular Helmet.js library, which is widely used in Express.js applications.
What are koa-helmet's main functionalities?
Content Security Policy
This feature helps prevent cross-site scripting (XSS) attacks and other cross-site injections by setting the Content-Security-Policy header.
const Koa = require('koa');
const helmet = require('koa-helmet');
const app = new Koa();
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", 'https:']
}
}));
app.listen(3000);
DNS Prefetch Control
This feature controls browser DNS prefetching by setting the X-DNS-Prefetch-Control header.
const Koa = require('koa');
const helmet = require('koa-helmet');
const app = new Koa();
app.use(helmet.dnsPrefetchControl({ allow: false }));
app.listen(3000);
Frameguard
This feature helps prevent clickjacking attacks by setting the X-Frame-Options header.
const Koa = require('koa');
const helmet = require('koa-helmet');
const app = new Koa();
app.use(helmet.frameguard({ action: 'deny' }));
app.listen(3000);
Hide Powered-By
This feature removes the X-Powered-By header to make it harder for attackers to see what technology your site is using.
const Koa = require('koa');
const helmet = require('koa-helmet');
const app = new Koa();
app.use(helmet.hidePoweredBy());
app.listen(3000);
HSTS
This feature adds the Strict-Transport-Security header to enforce secure (HTTP over SSL/TLS) connections to the server.
const Koa = require('koa');
const helmet = require('koa-helmet');
const app = new Koa();
app.use(helmet.hsts({ maxAge: 31536000 }));
app.listen(3000);
Other packages similar to koa-helmet
helmet
Helmet is a middleware for Express.js that helps secure your Express applications by setting various HTTP headers. It is the original library that koa-helmet wraps around. While koa-helmet is specifically designed for Koa.js, Helmet is designed for Express.js.
lusca
Lusca is another security middleware for Express.js that provides various security features such as CSRF protection, XSS protection, and more. It is similar to Helmet but offers additional features like CSRF protection out of the box.
express-rate-limit
Express-rate-limit is a middleware for Express.js that helps to limit repeated requests to public APIs and/or endpoints. While it does not provide the same HTTP header protections as koa-helmet, it is useful for preventing abuse and brute-force attacks.
koa-helmet
koa-helmet is a wrapper for helmet to work with koa. It provides important security headers to make your app more secure by default.
Installation
npm i koa-helmet helmet
yarn add koa-helmet helmet
Usage
Usage is the same as helmet
Helmet offers 11 security middleware functions:
app.use(helmet());
app.use(helmet.contentSecurityPolicy());
app.use(helmet.dnsPrefetchControl());
app.use(helmet.expectCt());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.hsts());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.permittedCrossDomainPolicies());
app.use(helmet.referrerPolicy());
app.use(helmet.xssFilter());
You can see more in the documentation.
Example
import Koa from "koa";
import helmet from "koa-helmet";
const app = new Koa();
app.use(helmet());
app.use((ctx) => {
ctx.body = "Hello World";
});
app.listen(4000);
Testing
To run the tests, simply run
npm test
Versioning
- koa-helmet >=2.x (master branch) supports koa 2.x
- koa-helmet 1.x (koa-1 branch) supports koa 0.x and koa 1.x