Skip to content
Set the X-Permitted-Cross-Domain-Policies header in Express apps
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
test
.gitignore
.npmignore
.travis.yml Travis should test on Node 10 Jan 7, 2019
LICENSE Update license year for 2018 Feb 16, 2018
README.md
index.js
package-lock.json
package.json

README.md

X-Permitted-Cross-Domain-Policies middleware

Build Status

Looking for a changelog?

The X-Permitted-Cross-Domain-Policies header tells some web clients (like Adobe Flash or Adobe Acrobat) your domain's policy for loading cross-domain content. See the description on OWASP for more.

Usage:

const crossdomain = require('helmet-crossdomain')

// Sets X-Permitted-Cross-Domain-Policies: none
app.use(crossdomain())

// You can use any of the following values:
app.use(crossdomain({ permittedPolicies: 'none' }))
app.use(crossdomain({ permittedPolicies: 'master-only' }))
app.use(crossdomain({ permittedPolicies: 'by-content-type' }))
app.use(crossdomain({ permittedPolicies: 'all' }))

The by-ftp-type is not currently supported. Please open an issue or pull request if you desire this feature!

If you don't expect Adobe products to load data from your site, you get a minor security benefit by adding this header.

You can’t perform that action at this time.