integralhelm

this module combines helmet, permissions-policy, hardcore settings and best practices

Usage (no npm install needed!)

<script type="module">
  // NOTE(review): the import URL is unpinned, so whatever the CDN serves as the latest
  // publish is what runs; pin a version (…/integralhelm@<VERSION>) to make the import reproducible.
  // The examples below use this package as Express middleware — confirm a browser import is what you want.
  import integralhelm from 'https://cdn.skypack.dev/integralhelm';
</script>


integralhelm


everything is disabled by default! just enable the things you need!

this module combines helmet, permissions-policy, hardcore settings and best practices

this will get you the best possible score on https://observatory.mozilla.org

install

yarn add integralhelm

or

npm i integralhelm

Use as expressjs middleware

Everything is disabled by default!

Our site only uses a style sheet, a font and an autoplay video, so we only enable the document to use these content types/features.

const express = require("express");
const app = express();
const ih = require("integralhelm");

// Only what the site actually uses is enabled; everything not listed stays disabled.
// "csp" is the shorthand for helmet.contentSecurityPolicy.directives.
const helmetOptions = {
    csp: { "style-src": ["'self'"], "font-src": ["'self'"] }
};
// Permissions-Policy allowlist: autoplay for this origin only.
const permissionsPolicy = { autoplay: ["self"] };

app.use(ih({ helmet: helmetOptions, pp: permissionsPolicy }));

Links

helmet - NPM

permissions-policy - NPM

NPM

Documentation

Code

helmet

You can use all helmet features and put them in the helmet object:

// Any helmet option can be passed under "helmet"; here only HSTS is configured.
// maxAge is in seconds — 10 is illustrative only; helmet's own default is 180 days,
// and a short value gives browsers almost no protection window.
const hstsOnly = { hsts: { maxAge: 10 } };

app.use(ih({ helmet: hstsOnly }));

As a shorthand for the helmet CSP (the same as "helmet.contentSecurityPolicy.directives") you can use the key "csp":

// CSP directives given via the "csp" shorthand.
// NOTE(review): only these two directives are listed — check the emitted header also
// carries a restrictive default-src, otherwise other resource types are unconstrained.
const cspDirectives = {
    "style-src": ["'self'"],
    "font-src": ["'self'"]
};

app.use(ih({ helmet: { csp: cspDirectives } }));

is the same as

// The long form: the same directives passed through helmet's contentSecurityPolicy option.
const directives = {
    "style-src": ["'self'"],
    "font-src": ["'self'"]
};

app.use(
    ih({
        helmet: { contentSecurityPolicy: { directives } }
    })
);

permissions-policy features

read the standard

you can just add the features to the pp object:

// Each key is a Permissions-Policy feature; the array is its allowlist.
const pp = { camera: ["self"], fullscreen: ["self"] };

app.use(ih({ pp }));
// features defined in the spec: https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
// Every feature maps to its own empty array, i.e. nothing is allowed unless the user
// explicitly enables it (see "everything is disabled by default").
const standardizedFeatures = Object.fromEntries(
    [
        "accelerometer",
        "ambient-light-sensor",
        "autoplay",
        "battery",
        "camera",
        "cross-origin-isolated",
        "display-capture",
        "document-domain",
        "encrypted-media",
        "execution-while-not-rendered",
        "execution-while-out-of-viewport",
        "fullscreen",
        "geolocation",
        "gyroscope",
        "magnetometer",
        "microphone",
        "midi",
        "navigation-override",
        "payment",
        "picture-in-picture",
        "publickey-credentials-get",
        "screen-wake-lock",
        "sync-xhr",
        "usb",
        "xr-spatial-tracking",
        "web-share"
    ].map((feature) => [feature, []])
);

// Features outside the spec list above (browser-specific or since-removed names).
// Same shape as standardizedFeatures: one empty array per feature.
const nonStandardizedFeatures = Object.fromEntries(
    [
        "documentWrite",
        "fontDisplayLateSwap",
        "notifications",
        "push",
        "speaker",
        "interestCohort",
        "layoutAnimations",
        "legacyImageFormats",
        "loadingFrameDefaultEager",
        "oversizedImages",
        "serial",
        "syncScript",
        "unoptimizedImages",
        "unoptimizedLosslessImages",
        "unoptimizedLossyImages",
        "unsizedMedia",
        "verticalScroll",
        "vibrate",
        "vr",
        "xr"
    ].map((feature) => [feature, []])
);

Need help or missing a feature?

Feel free to contact me via xl9jthv_7bvgakv9o9wg0jabn2ylm91xxrzzgt0e@y.gy in english or german