Consider limiting helmet to document requests or add a note #436
Comments
This is a good and tricky question.

It's considered a side-effect of the design. Helmet is designed to be easy to use. It's not always possible to do this, but I try to make something that can be included with one line. Ideally, you'd just be able to do this:

```js
// The ideal
app.use(helmet());
```

As you point out, this creates a problem: many of Helmet's headers are wasteful for non-documents. This is further complicated by the fact that not all of Helmet's headers are wasteful in these cases. I believe

Documentation, IMO. I think it's too difficult to reliably set the appropriate headers automatically. Helmet is designed to work with Express but it doesn't require it. But even if it were supported, the We might be able to use

As I said above, they're not all document-related. I could see adding an API for document-specific headers, but I'm not sure what that looks like. I'd love suggestions.
Thank you for the reply. I'll open a PR adding a note below that line in the documentation.
You're right. For something like this to exist, it would have to be derived from the response type somewhere. I now understand what you meant by being difficult to "reliably set the appropriate headers automatically." 😄 Given how chaining works, should we also recommend (in the documentation) that this middleware should be the last one to be executed?
Thanks for opening a PR.

Sorry, I don't understand this. Could you explain?
Disregard my comment. 😄 Instead of:

```js
app.use(helmet());
app.use(middlewareThatAddsXPoweredBy());
```

Ensuring:

```js
app.use(middlewareThatAddsXPoweredBy());
app.use(helmet());
```
Currently the helmet middleware is applied to every single request-response pair.
This makes it so that mixed applications (that serve documents, files or XHR requests) are applying security headers to non-document requests.
Example:
Result:
This is unnecessarily inflating response sizes for clients, and the documentation is not warning users about it.
I can help raise a PR if you find this a relevant issue, but first, some questions:
req.accepts('html')
or req.accepts(internalAllowListForMiddleware)
)? OR
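An added illustration of the approach discussed in this thread (example code written for this page, not code from helmet, Express or any participant): split headers into a set that is useful on every response and a set that only affects how a browser renders a document, and gate the second set on `req.accepts('html')` as the issue proposes. `acceptsHtml()` is a minimal stand-in for Express's `req.accepts('html')` so the file runs with no packages installed; `onlyForDocuments`, `alwaysHeaders`, `documentHeaders`, `runChain` and the sample requests are this example's own names and constructed inputs. With real helmet you would wrap the individual middlewares (e.g. `helmet.contentSecurityPolicy()`, `helmet.frameguard()`) rather than `helmet()` as a whole.

```javascript
'use strict';
// Added example, not helmet's or Express's own code. Shows the split the
// thread discusses: headers that matter on every response are always set,
// headers that only shape document rendering are gated on Accept: text/html.

// Stand-in for Express's req.accepts('html'): the most specific matching
// entry decides, wildcards count, q=0 rejects, and a missing Accept header
// means "anything", as in Express.
function acceptsHtml(acceptHeader) {
  if (!acceptHeader) return true;
  const specificity = { 'text/html': 3, 'text/*': 2, '*/*': 1 };
  let best = null;
  for (const entry of acceptHeader.split(',')) {
    const [mediaType, ...params] = entry.split(';').map((s) => s.trim());
    const rank = specificity[mediaType.toLowerCase()];
    if (rank === undefined) continue;
    const qParam = params.find((p) => p.toLowerCase().startsWith('q='));
    const q = qParam === undefined ? 1 : Number(qParam.slice(2));
    if (best === null || rank > best.rank) best = { rank, q };
  }
  return best !== null && best.q > 0;
}

// Hypothetical wrapper (this example's name, not helmet's): run an
// Express-style middleware only when the client negotiates an HTML document.
function onlyForDocuments(middleware) {
  return function documentOnly(req, res, next) {
    if (acceptsHtml(req.headers.accept)) return middleware(req, res, next);
    return next();
  };
}

// Useful on every response, document or not (stand-ins for helmet.hsts(),
// helmet.noSniff() and helmet.hidePoweredBy()).
function alwaysHeaders(req, res, next) {
  res.setHeader('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.removeHeader('X-Powered-By');
  next();
}

// Only changes how a browser renders a document (stand-ins for
// helmet.contentSecurityPolicy() and helmet.frameguard()).
function documentHeaders(req, res, next) {
  res.setHeader('Content-Security-Policy', "default-src 'self'");
  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
  next();
}

// Tiny chain runner with a fake req/res so results can be inspected without
// a server. The seeded X-Powered-By imitates Express setting it before any
// user middleware runs, which is why removing it must happen in the chain.
function runChain(requestHeaders, middlewares) {
  const req = { headers: requestHeaders };
  const headers = new Map([['x-powered-by', 'Express']]);
  const res = {
    setHeader: (name, value) => headers.set(name.toLowerCase(), value),
    removeHeader: (name) => headers.delete(name.toLowerCase()),
  };
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return Object.fromEntries(headers);
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  browserNavigation: { accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' },
  fetchJson: { accept: 'application/json' },
  scriptLoad: { accept: '*/*' }, // a <script src> or bare fetch() arrives as */*
  htmlRejected: { accept: 'text/html;q=0, */*' },
};

const STACK = [alwaysHeaders, onlyForDocuments(documentHeaders)];

function responseHeadersFor(name) {
  return runChain(SAMPLE_REQUESTS[name], STACK);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const name of Object.keys(SAMPLE_REQUESTS)) {
    console.log(name, responseHeadersFor(name));
  }
}
```

The `scriptLoad` case is the caveat the maintainer raises: a request whose Accept header is `*/*` still "accepts" HTML, so the document-only set is applied to script and fetch requests anyway. Gating on `req.accepts('html')` therefore trims headers from JSON and explicit-type requests, not from every non-document request; a reliable decision needs the response type, which is only known once the handler has chosen it.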