Merge pull request #43 from venables/expect-ct-readme

Add Expect-CT, Feature-Policy, and Cross-Domain from helmet

README.md

@@ -33,7 +33,10 @@ Helmet offers 11 security middleware functions:
 | Module | Default? |
 |---|---|
 | [contentSecurityPolicy](https://helmetjs.github.io/docs/csp/) for setting Content Security Policy |  |
+| [permittedCrossDomainPolicies](https://helmetjs.github.io/docs/crossdomain/) for handling Adobe products' crossdomain requests |  |
 | [dnsPrefetchControl](https://helmetjs.github.io/docs/dns-prefetch-control) controls browser DNS prefetching | ✓ |
+| [expectCt](https://helmetjs.github.io/docs/expect-ct/) for handling Certificate Transparency |  |
+| [featurePolicy](https://helmetjs.github.io/docs/feature-policy/) to limit your site's features |  |
 | [frameguard](https://helmetjs.github.io/docs/frameguard/) to prevent clickjacking | ✓ |
 | [hidePoweredBy](https://helmetjs.github.io/docs/hide-powered-by) to remove the X-Powered-By header | ✓ |
 | [hpkp](https://helmetjs.github.io/docs/hpkp/) for HTTP Public Key Pinning |  |

test/koa-helmet.spec.js

@@ -50,6 +50,15 @@ test('it sets individual headers properly', t => {
   app.use(helmet.xssFilter());
   app.use(helmet.frameguard('deny'));
   app.use(helmet.noSniff());
+  app.use(helmet.permittedCrossDomainPolicies());
+  app.use(helmet.expectCt());
+  app.use(helmet.featurePolicy({
+    features: {
+      fullscreen: ['\'self\''],
+      notifications: ['\'none\''],
+      vibrate: ['\'none\'']
+    }
+  }));
   app.use(
     helmet.hpkp({
       maxAge: 1000,
@@ -89,6 +98,15 @@ test('it sets individual headers properly', t => {
       // noSniff
       .expect('X-Content-Type-Options', 'nosniff')
 
+      // permittedCrossDomainPolicies
+      .expect('X-Permitted-Cross-Domain-Policies', 'none')
+
+      // expectCt
+      .expect('Expect-CT', 'max-age=0')
+
+      // featurePolicy
+      .expect('Feature-Policy', 'fullscreen \'self\';notifications \'none\';vibrate \'none\'')
+
       // hpkp
       .expect(
         'Public-Key-Pins',