1.0.2 • Published 1 month ago

elysiajs-helmet v1.0.2

License
MIT
Repository
github
Last release
1 month ago

Elysia Helmet

A comprehensive security middleware for Elysia.js applications that helps secure your apps by setting various HTTP headers.


Features

  • 🛡️ Content Security Policy (CSP)
  • 🔒 X-Frame-Options protection
  • 🚫 XSS Protection
  • 🌐 DNS Prefetch Control
  • 📜 Referrer Policy
  • 🔑 Permissions Policy
  • 🔐 HTTP Strict Transport Security (HSTS)
  • 🌍 Cross-Origin Resource Policy (CORP)
  • 🚪 Cross-Origin Opener Policy (COOP)
  • 📝 Report-To header configuration
  • ✨ Custom headers support

Installation

bun add elysiajs-helmet

Basic Usage

import { Elysia } from 'elysia'
import { elysiaHelmet } from 'elysiajs-helmet'

const app = new Elysia()
  .use(elysiaHelmet({}))   // empty options: every header is set from the package defaults
  .get('/', () => 'Hello, Secure World!')
  .listen(3000)

Note: production mode is enabled automatically when NODE_ENV is set to 'production'. In production mode the middleware enforces additional security measures, so run your checks with NODE_ENV=production to see the headers users will actually receive.

Advanced Configuration

import { Elysia } from 'elysia'
import { elysiaHelmet } from 'elysiajs-helmet'

const app = new Elysia()
  .use(elysiaHelmet({
    csp: {
      defaultSrc: ["'self'"],
      // With useNonce, nonce-aware browsers ignore 'unsafe-inline' in these two
      // directives; it only remains as a fallback for browsers without nonce support.
      scriptSrc: ["'self'", "'unsafe-inline'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
      useNonce: true               // per-request nonce added to script-src / style-src
    },
    hsts: {
      maxAge: 31536000,            // one year, the minimum the HSTS preload list accepts
      includeSubDomains: true,     // required for preload
      preload: true                // browsers ship the preload list, so this is hard to undo
    },
    frameOptions: 'DENY',
    referrerPolicy: 'strict-origin-when-cross-origin',
    permissionsPolicy: {
      camera: ["'none'"],
      microphone: ["'none'"]
    }
  }))
  .listen(3000)

Configuration Options

Content Security Policy (CSP)

interface CSPConfig {
    defaultSrc?: string[];
    scriptSrc?: string[];
    styleSrc?: string[];
    imgSrc?: string[];
    fontSrc?: string[];
    connectSrc?: string[];
    frameSrc?: string[];
    objectSrc?: string[];
    baseUri?: string[];
    reportUri?: string;
    useNonce?: boolean;
    reportOnly?: boolean;
}

HSTS Configuration

interface HSTSConfig {
    maxAge?: number;
    includeSubDomains?: boolean;
    preload?: boolean;
}

Report-To Configuration

interface ReportToConfig {
    group: string;
    maxAge: number;
    endpoints: Array<{
        url: string;
        priority?: number;
        weight?: number;
    }>;
    includeSubdomains?: boolean;
}
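The following is an added example and not elysiajs-helmet's own code: it shows how config objects shaped like the three interfaces above, including the values from the Advanced Configuration section, turn into header values, with the per-request nonce, the Report-Only header name, the snake_case Report-To JSON, and the constraints the HSTS preload list places on max-age and includeSubDomains. The function names (newNonce, buildCsp, buildHsts, buildReportTo, advancedExampleHeaders) are the example's own; how the package itself serialises these options is not shown on this page.

```typescript
import { randomBytes } from 'node:crypto'

// Config shapes copied from the README's interfaces.
interface CSPConfig {
  defaultSrc?: string[]; scriptSrc?: string[]; styleSrc?: string[]
  imgSrc?: string[]; fontSrc?: string[]; connectSrc?: string[]
  frameSrc?: string[]; objectSrc?: string[]; baseUri?: string[]
  reportUri?: string; useNonce?: boolean; reportOnly?: boolean
}
interface HSTSConfig { maxAge?: number; includeSubDomains?: boolean; preload?: boolean }
interface ReportToConfig {
  group: string
  maxAge: number
  endpoints: Array<{ url: string; priority?: number; weight?: number }>
  includeSubdomains?: boolean
}
interface Header { name: string; value: string }

const ONE_YEAR = 31536000 // seconds; the minimum max-age hstspreload.org accepts

// A CSP nonce must be unguessable and fresh for every response: 128 random
// bits, base64-encoded, generated per request and never reused.
function newNonce(): string {
  return randomBytes(16).toString('base64')
}

// scriptSrc -> script-src, baseUri -> base-uri
const toDirective = (key: string): string =>
  key.replace(/[A-Z]/g, c => '-' + c.toLowerCase())

function buildCsp(cfg: CSPConfig, nonce?: string): Header {
  const { reportUri, useNonce, reportOnly, ...lists } = cfg
  if (useNonce && !nonce) throw new Error('useNonce needs a per-request nonce')
  const parts: string[] = []
  for (const [key, sources] of Object.entries(lists)) {
    if (!sources || sources.length === 0) continue
    const values = [...sources]
    // The nonce is only meaningful for script-src and style-src. Once it is
    // present, nonce-aware browsers ignore 'unsafe-inline' in that directive.
    if (useNonce && (key === 'scriptSrc' || key === 'styleSrc')) values.push(`'nonce-${nonce}'`)
    parts.push(`${toDirective(key)} ${values.join(' ')}`)
  }
  if (reportUri) parts.push(`report-uri ${reportUri}`)
  return {
    // Report-Only delivers violation reports but enforces nothing.
    name: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
    value: parts.join('; '),
  }
}

function buildHsts(cfg: HSTSConfig): Header {
  const maxAge = cfg.maxAge ?? ONE_YEAR
  // preload is effectively permanent (browsers ship the list), so refuse a
  // policy that the preload list would reject anyway.
  if (cfg.preload && (maxAge < ONE_YEAR || !cfg.includeSubDomains))
    throw new Error('preload requires max-age >= 31536000 and includeSubDomains')
  const tokens = [`max-age=${maxAge}`]
  if (cfg.includeSubDomains) tokens.push('includeSubDomains')
  if (cfg.preload) tokens.push('preload')
  return { name: 'Strict-Transport-Security', value: tokens.join('; ') }
}

function buildReportTo(cfg: ReportToConfig): Header {
  // The wire format is a JSON object with snake_case keys.
  const body: Record<string, unknown> = {
    group: cfg.group,
    max_age: cfg.maxAge,
    endpoints: cfg.endpoints,
  }
  if (cfg.includeSubdomains) body.include_subdomains = true
  return { name: 'Report-To', value: JSON.stringify(body) }
}

// Headers for the CSP and HSTS values of the README's "Advanced Configuration".
function advancedExampleHeaders(nonce: string): Header[] {
  return [
    buildCsp({
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "'unsafe-inline'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", 'data:', 'https:'],
      useNonce: true,
    }, nonce),
    buildHsts({ maxAge: 31536000, includeSubDomains: true, preload: true }),
  ]
}
```

The same nonce value that goes into the header has to be placed on each inline `<script nonce="...">` of that response; a nonce generated once at startup and reused defeats the purpose, which is why newNonce is called per request.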

Default Configuration

The middleware comes with secure defaults:

  • CSP with 'self' as the default source
  • Frame options set to DENY
  • XSS Protection enabled (the legacy X-XSS-Protection header; current Chromium and Firefox ignore it, so the CSP is what actually limits script injection)
  • DNS prefetching disabled (X-DNS-Prefetch-Control: off)
  • Strict Referrer Policy
  • And more secure defaults

You can override any of these defaults by passing your own configuration.
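Because any default can be overridden, the only reliable check is on the headers a response actually carries. The following is an added example, not part of elysiajs-helmet: an audit that takes a response's headers as a plain name/value record and reports a finding for each default listed above that is missing or weakened, plus the usual CSP pitfalls ('unsafe-inline' without a nonce or hash, 'unsafe-eval', wildcard script origins, no object-src fallback). The function names, the thresholds and the two sample header sets are the example's own, constructed here rather than captured from a deployment.

```typescript
interface Finding { header: string; problem: string }

// "default-src 'self'; script-src 'self' 'nonce-x'" -> directive name -> sources
function parseCsp(policy: string): Map<string, string[]> {
  const directives = new Map<string, string[]>()
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/)
    if (name) directives.set(name.toLowerCase(), sources)
  }
  return directives
}

function auditSecurityHeaders(headers: Record<string, string>): Finding[] {
  // Header names are case-insensitive, so normalise before looking them up.
  const h = new Map(Object.entries(headers).map(([k, v]): [string, string] => [k.toLowerCase(), v.trim()]))
  const findings: Finding[] = []
  const flag = (header: string, problem: string) => { findings.push({ header, problem }) }

  const csp = h.get('content-security-policy')
  if (!csp) {
    // Content-Security-Policy-Report-Only only reports; it blocks nothing.
    flag('Content-Security-Policy', 'missing (a Report-Only policy does not enforce)')
  } else {
    const d = parseCsp(csp)
    // script-src falls back to default-src when absent.
    const script = d.get('script-src') ?? d.get('default-src') ?? []
    const nonceOrHash = script.some(s => /^'(nonce|sha(256|384|512))-/.test(s))
    if (script.includes("'unsafe-inline'") && !nonceOrHash)
      flag('Content-Security-Policy', "script-src allows 'unsafe-inline' with no nonce or hash")
    if (script.includes("'unsafe-eval'"))
      flag('Content-Security-Policy', "script-src allows 'unsafe-eval'")
    if (script.some(s => s === '*' || s === 'https:' || s === 'http:'))
      flag('Content-Security-Policy', 'script-src allows scripts from any origin')
    if (!d.has('object-src') && !d.has('default-src'))
      flag('Content-Security-Policy', 'neither object-src nor default-src: plugins unrestricted')
  }

  const xfo = (h.get('x-frame-options') ?? '').toUpperCase()
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN')
    flag('X-Frame-Options', `expected DENY or SAMEORIGIN, got "${xfo || 'missing'}"`)

  const hsts = h.get('strict-transport-security')
  if (!hsts) {
    flag('Strict-Transport-Security', 'missing')
  } else {
    const maxAge = Number(/max-age=(\d+)/i.exec(hsts)?.[1] ?? 0)
    if (maxAge < 31536000) flag('Strict-Transport-Security', `max-age=${maxAge} is below one year`)
  }

  const referrer = (h.get('referrer-policy') ?? '').toLowerCase()
  const leaky = new Set(['unsafe-url', 'no-referrer-when-downgrade'])
  if (!referrer) flag('Referrer-Policy', 'missing')
  else if (leaky.has(referrer)) flag('Referrer-Policy', `${referrer} sends the full URL to other origins`)

  if ((h.get('x-dns-prefetch-control') ?? '').toLowerCase() !== 'off')
    flag('X-DNS-Prefetch-Control', 'expected "off"')

  return findings
}

// Constructed sample header sets (not captured from a real deployment).
const HARDENED_HEADERS: Record<string, string> = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-dGVzdA=='; object-src 'none'",
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'X-DNS-Prefetch-Control': 'off',
}
const WEAK_HEADERS: Record<string, string> = {
  'Content-Security-Policy-Report-Only': "default-src 'self'",
  'X-Frame-Options': 'ALLOWALL',
  'Strict-Transport-Security': 'max-age=3600',
  'Referrer-Policy': 'unsafe-url',
}
```

To run this against the app itself, use Elysia's in-process request handling, `const res = await app.handle(new Request('http://localhost/'))`, and pass `Object.fromEntries(res.headers)` to auditSecurityHeaders; run it once with NODE_ENV=production as well, since the note under Basic Usage says the headers differ in that mode.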

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

MIT © Abdelrahman Shaheen