import { serve } from "https://deno.land/std@0.167.0/http/server.ts";
import { Hono } from "npm:hono@2.7.7";
import { honoHelmet } from "https://github.com/Catminusminus/hono-helmet/raw/main/src/index.ts";
const app = new Hono();
app.use(honoHelmet());
app.get("/", (c) => c.text("Hello Hono!"));
serve(app.fetch);Sorry, but not published yet
npm i @catminusminus/hono-helmetor
yarn add @catminusminus/hono-helmet
index.js:
import { Hono } from "hono";
import { honoHelmet } from "@catminusminus/hono-helmet";
import { serve } from "@hono/node-server";
const app = new Hono();
app.use(honoHelmet());
app.get("/", (c) => c.text("Hello Hono!"));
serve(app);The default header fields are as follows:
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
To set custom options:
app.use(
honoHelmet({
permittedCrossDomainPolicies: {
permittedPolicies: "all",
},
}),
);To disable header fields:
app.use(
honoHelmet({
contentSecurityPolicy: false,
}),
);honoHelmet(options)
// Use the default header fields
app.use(honoHelmet());
// Disable one or more header fields
app.use(
honoHelmet({
contentSecurityPolicy: false,
}),
);
// Use the default header fields but X-Permitted-Cross-Domain-Policies: all
app.use(
honoHelmet({
permittedCrossDomainPolicies: {
permittedPolicies: "all",
},
}),
);honoHelmet({contentSecurityPolicy: options})
The default directives are as follows:
"default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
// Use the defaults but "default-src 'none'
app.use(
honoHelmet({
contentSecurityPolicy: {
defaultSrc: ["'none'"],
},
}),
);
// Use the defaults but "default-src 'self' 'nonce-<nonce>'
app.use(
honoHelmet({
contentSecurityPolicy: {
defaultSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
},
}),
);
// Use the defaults but disable "default-src"
app.use(
honoHelmet({
contentSecurityPolicy: {
defaultSrc: false,
},
}),
);
// Disable the defaults and "default-src 'none'
app.use(
honoHelmet({
contentSecurityPolicy: {
useDefaults: false,
defaultSrc: ["'none'"],
},
}),
);honoHelmet({crossOriginEmbedderPolicy: options})
Default:
Cross-Origin-Embedder-Policy: require-corp
// Cross-Origin-Embedder-Policy: credentialless
app.use(
honoHelmet({
crossOriginEmbedderPolicy: {
policy: "credentialless",
},
}),
);honoHelmet({crossOriginOpenerPolicy: options})
Default:
Cross-Origin-Opener-Policy: same-origin
// Cross-Origin-Opener-Policy: same-origin-allow-popups
app.use(
honoHelmet({
crossOriginOpenerPolicy: {
policy: "same-origin-allow-popups",
},
}),
);honoHelmet({referrerPolicy: options})
Default:
Referrer-Policy: no-referrer
// Referrer-Policy: no-referrer-when-downgrade
app.use(
honoHelmet({
referrerPolicy: {
policy: "no-referrer-when-downgrade",
},
}),
);
// Referrer-Policy: origin,no-referrer-when-downgrade
app.use(
honoHelmet({
referrerPolicy: {
policy: ["origin", "no-referrer-when-downgrade"],
},
}),
);honoHelmet({hsts: options})
Default:
Strict-Transport-Security: max-age=15552000; includeSubDomains
// Strict-Transport-Security: max-age=123456; includeSubDomains
app.use(
honoHelmet({
hsts: {
maxAge: 123456,
},
}),
);
// Strict-Transport-Security: max-age=123456
app.use(
honoHelmet({
hsts: {
maxAge: 123456,
includeSubDomains: false,
},
}),
);
// Strict-Transport-Security: max-age=123456; includeSubDomains; preload
app.use(
honoHelmet({
hsts: {
maxAge: 123456,
preload: true,
},
}),
);honoHelmet({nosniff: options})
Default:
X-Content-Type-Options: nosniff
// Disable X-Content-Type-Options: nosniff
app.use(
honoHelmet({
nosniff: false,
}),
);honoHelmet({originAgentCluster: options})
Default:
Origin-Agent-Cluster: ?1
// Origin-Agent-Cluster: ?0
app.use(
honoHelmet({
originAgentCluster: "?0",
}),
);honoHelmet({dnsPrefetchControl: options})
Default:
X-DNS-Prefetch-Control: off
// X-DNS-Prefetch-Control: on
app.use(
honoHelmet({
dnsPrefetchControl: {
allow: true,
},
}),
);honoHelmet({ieNoOpen: options})
Default:
X-Download-Options: noopen
// Disable X-Download-Options: noopen
app.use(
honoHelmet({
ieNoOpen: false,
}),
);honoHelmet({frameguard: options})
Default:
X-Frame-Options: SAMEORIGIN
// X-Frame-Options: DENY
app.use(
honoHelmet({
frameguard: {
action: "deny",
},
}),
);honoHelmet({permittedCrossDomainPolicies: options})
Default:
X-Permitted-Cross-Domain-Policies: none
// X-Permitted-Cross-Domain-Policies: by-content-type
app.use(
honoHelmet({
permittedCrossDomainPolicies: {
permittedPolicies: "by-content-type",
},
}),
);honoHelmet({hidePoweredBy: options})
Default: remove X-Powered-By field
// Do not remove X-Powered-By field
app.use(
honoHelmet({
hidePoweredBy: false,
}),
);honoHelmet({xssFilter: options})
Default:
X-XSS-Protection: 0
// Disable X-XSS-Protection: 0
app.use(
honoHelmet({
xssFilter: false,
}),
);