nitro-helmet

observerly's Helmet (HTTP security headers) event handler for the Nitro web server
nitro Helmet-esque Security Headers

nitro native Helmet-esque security headers.

Requirements

  • nitro v2.4.* or higher

Installation

npm install nitro-helmet
pnpm add nitro-helmet
yarn add nitro-helmet

Usage

nitro Helmet is built upon the h3 library. To read more about h3, please consult the h3 repository.

To get started, you can apply the security headers to a specific event handler by using the object syntax definitions introduced in nitro v2.6.0 and h3 v1.8.0 as follows:

import { helmet } from 'nitro-helmet'

export default eventHandler({
  onResponse: helmet({
    crossOriginResourcePolicy: 'cross-origin'
    // ... add your options overrides here
  }),
  async handler(event) {
    return 'Hello Helmet!'
  }
})

nitro-helmet aims to provide a simple wrapper that sets standard security headers for any nitro event handler, or per route. To use it, import the defineHelmetEventHandler function and wrap your event handler with it as follows:

import { defineHelmetEventHandler } from 'nitro-helmet'

const handler = eventHandler(async event => {
  // ...
})

export default defineHelmetEventHandler(handler)

Or, used as nitro middleware:

// :file middleware/helmet.ts
import { helmetEventHandler } from 'nitro-helmet'

export default helmetEventHandler(_event => {}, {
  crossOriginResourcePolicy: 'cross-origin'
  // ... add your options overrides here
})

If you would like to override the default options, you can do so as follows:

import { defineHelmetEventHandler } from 'nitro-helmet'
// H3HelmetOptions is the options type named in this README; it is assumed to be exported by the package.
import type { H3HelmetOptions } from 'nitro-helmet'

const handler = eventHandler(async event => {
  // ...
})

// Every value below is the package default; change only the ones you need to override.
const options: H3HelmetOptions = {
  crossOriginResourcePolicy: 'same-origin',
  crossOriginOpenerPolicy: 'same-origin',
  crossOriginEmbedderPolicy: 'require-corp',
  contentSecurityPolicy: "default-src 'self';base-uri 'self'",
  originAgentCluster: '?1',
  referrerPolicy: 'no-referrer',
  strictTransportSecurity: 'max-age=15552000; includeSubDomains',
  xContentTypeOptions: 'nosniff',
  xDNSPrefetchControl: 'off',
  xDownloadOptions: 'noopen',
  xFrameOptions: 'SAMEORIGIN',
  xPermittedCrossDomainPolicies: 'none',
  xXSSProtection: '0'
}

export default defineHelmetEventHandler(handler, options)

The defineHelmetEventHandler function takes two arguments:

  • handler: the event handler to wrap, of type EventHandler<T>, which preserves type safety for the event handler's return type.
  • options: the options to pass to the helmet handler, of type H3HelmetOptions.
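The following is an added example, not code from nitro-helmet: it rebuilds the header set the options above map to (the option-to-header mapping and the default values are assumed from the README's override list) and audits a captured response against them, flagging missing headers, a Strict-Transport-Security max-age below the default, and the `cross-origin` override shown earlier, which lets any site embed the response.

```typescript
// Added example, not nitro-helmet's own code: rebuild the header set its
// options map to, then audit a captured response against the README defaults.
// The option->header mapping and default values are assumed from the README.
type Opts = Partial<Record<string, string>>;

// [option key as in the README, HTTP header name, README default value]
const HELMET_TABLE: Array<[string, string, string]> = [
  ['crossOriginResourcePolicy', 'Cross-Origin-Resource-Policy', 'same-origin'],
  ['crossOriginOpenerPolicy', 'Cross-Origin-Opener-Policy', 'same-origin'],
  ['crossOriginEmbedderPolicy', 'Cross-Origin-Embedder-Policy', 'require-corp'],
  ['contentSecurityPolicy', 'Content-Security-Policy', "default-src 'self';base-uri 'self'"],
  ['originAgentCluster', 'Origin-Agent-Cluster', '?1'],
  ['referrerPolicy', 'Referrer-Policy', 'no-referrer'],
  ['strictTransportSecurity', 'Strict-Transport-Security', 'max-age=15552000; includeSubDomains'],
  ['xContentTypeOptions', 'X-Content-Type-Options', 'nosniff'],
  ['xDNSPrefetchControl', 'X-DNS-Prefetch-Control', 'off'],
  ['xDownloadOptions', 'X-Download-Options', 'noopen'],
  ['xFrameOptions', 'X-Frame-Options', 'SAMEORIGIN'],
  ['xPermittedCrossDomainPolicies', 'X-Permitted-Cross-Domain-Policies', 'none'],
  ['xXSSProtection', 'X-XSS-Protection', '0'],
];

// Headers a wrapped event handler would emit for the given option overrides.
function headersFor(overrides: Opts = {}): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [key, header, dflt] of HELMET_TABLE) out[header] = overrides[key] ?? dflt;
  return out;
}

// Findings for a captured response: missing headers, HSTS max-age below the
// README default, and overrides that widen exposure. Header names are case-insensitive.
function auditHeaders(headers: Record<string, string>): string[] {
  const got = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v] as [string, string]));
  const findings: string[] = [];
  for (const [, header, dflt] of HELMET_TABLE) {
    const value = got.get(header.toLowerCase());
    if (value === undefined) { findings.push(`missing ${header}`); continue; }
    if (header === 'Strict-Transport-Security') {
      const maxAge = Number(/max-age=(\d+)/i.exec(value)?.[1] ?? 0);
      const floor = Number(/max-age=(\d+)/.exec(dflt)![1]);
      if (maxAge < floor) findings.push(`${header}: max-age ${maxAge} below ${floor}`);
    } else if (header === 'Cross-Origin-Resource-Policy' && value === 'cross-origin') {
      findings.push(`${header}: cross-origin lets any site embed this response`);
    } else if (header === 'X-Content-Type-Options' && value.toLowerCase() !== 'nosniff') {
      findings.push(`${header}: expected nosniff, got ${value}`);
    }
  }
  return findings;
}
```

Run auditHeaders over headers captured from a deployed route (for instance from a curl -I dump) to confirm the middleware is actually applied and that no per-route override has loosened the defaults.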

Acknowledgements

This library would not be possible if it were not for standing on the shoulders of these giants:

Package last updated on 02 Sep 2023