Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'
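const helmet = require('helmet');

// Content-Security-Policy via helmet, mirroring the raw header shown above:
// scripts only from this origin (no inline script, no eval), inline styles
// tolerated, images from this origin plus data: URIs and any https: host,
// fonts from this origin only.
// NOTE(review): recent helmet versions merge these directives with their
// built-in defaults (object-src, base-uri, upgrade-insecure-requests, ...)
// unless `useDefaults: false` is passed, so the emitted header will be a
// superset of the one printed above -- confirm against the installed version.
// NOTE(review): `img-src https:` trusts every HTTPS host and
// `style-src 'unsafe-inline'` permits CSS injection; tighten both to the
// origins the app actually uses once the allow-list is known.
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", 'data:', 'https:'],
      // font-src 'self' is part of the raw header above but was missing
      // from this helmet config, which would otherwise fall back to
      // helmet's own (wider) font-src default.
      fontSrc: ["'self'"],
    },
  }),
);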
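const helmet = require('helmet');

// Content-Security-Policy via helmet, mirroring the raw header shown above:
// scripts only from this origin (no inline script, no eval), inline styles
// tolerated, images from this origin plus data: URIs and any https: host,
// fonts from this origin only.
// NOTE(review): recent helmet versions merge these directives with their
// built-in defaults (object-src, base-uri, upgrade-insecure-requests, ...)
// unless `useDefaults: false` is passed, so the emitted header will be a
// superset of the one printed above -- confirm against the installed version.
// NOTE(review): `img-src https:` trusts every HTTPS host and
// `style-src 'unsafe-inline'` permits CSS injection; tighten both to the
// origins the app actually uses once the allow-list is known.
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", 'data:', 'https:'],
      // font-src 'self' is part of the raw header above but was missing
      // from this helmet config, which would otherwise fall back to
      // helmet's own (wider) font-src default.
      fontSrc: ["'self'"],
    },
  }),
);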
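const helmet = require('helmet');

// Content-Security-Policy via helmet, mirroring the raw header shown above:
// scripts only from this origin (no inline script, no eval), inline styles
// tolerated, images from this origin plus data: URIs and any https: host,
// fonts from this origin only.
// NOTE(review): recent helmet versions merge these directives with their
// built-in defaults (object-src, base-uri, upgrade-insecure-requests, ...)
// unless `useDefaults: false` is passed, so the emitted header will be a
// superset of the one printed above -- confirm against the installed version.
// NOTE(review): `img-src https:` trusts every HTTPS host and
// `style-src 'unsafe-inline'` permits CSS injection; tighten both to the
// origins the app actually uses once the allow-list is known.
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", 'data:', 'https:'],
      // font-src 'self' is part of the raw header above but was missing
      // from this helmet config, which would otherwise fall back to
      // helmet's own (wider) font-src default.
      fontSrc: ["'self'"],
    },
  }),
);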
# Content-Security-Policy for every response served from this context.
# `always` makes nginx emit the header on error responses (4xx/5xx) as
# well, not only on 2xx/3xx -- without it an error page goes out unprotected.
# NOTE: nginx inherits add_header directives from the enclosing level only
# when the current level (server/location) declares none of its own. A
# location block that adds any header of its own silently drops these, so
# repeat the full header set there or factor it into a shared include.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
const securityHeaders = [ { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'" }
]; module.exports = { async headers() { return [{ source: '/:path*', headers: securityHeaders }]; }
};
const securityHeaders = [ { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'" }
]; module.exports = { async headers() { return [{ source: '/:path*', headers: securityHeaders }]; }
};
const securityHeaders = [ { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'" }
]; module.exports = { async headers() { return [{ source: '/:path*', headers: securityHeaders }]; }
};
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
// Express.js
// HSTS: a browser that has seen this header reaches the host (and, with
// includeSubDomains, every subdomain) only over HTTPS for maxAge seconds,
// one year here. Unlike the raw header shown above no `preload` token is
// set; add `preload: true` only when you intend to submit the domain to
// the browser preload lists, since that commits all subdomains to HTTPS
// and removal from the lists takes months. Browsers ignore HSTS received
// over plain HTTP, so this only matters on the TLS listener.
app.use(helmet.hsts({ maxAge: 31536000, includeSubDomains: true }));
// Express.js
// HSTS: a browser that has seen this header reaches the host (and, with
// includeSubDomains, every subdomain) only over HTTPS for maxAge seconds,
// one year here. Unlike the raw header shown above no `preload` token is
// set; add `preload: true` only when you intend to submit the domain to
// the browser preload lists, since that commits all subdomains to HTTPS
// and removal from the lists takes months. Browsers ignore HSTS received
// over plain HTTP, so this only matters on the TLS listener.
app.use(helmet.hsts({ maxAge: 31536000, includeSubDomains: true }));
// Express.js
// HSTS: a browser that has seen this header reaches the host (and, with
// includeSubDomains, every subdomain) only over HTTPS for maxAge seconds,
// one year here. Unlike the raw header shown above no `preload` token is
// set; add `preload: true` only when you intend to submit the domain to
// the browser preload lists, since that commits all subdomains to HTTPS
// and removal from the lists takes months. Browsers ignore HSTS received
// over plain HTTP, so this only matters on the TLS listener.
app.use(helmet.hsts({ maxAge: 31536000, includeSubDomains: true }));
# Nginx
# HSTS for one year, covering all subdomains, with the preload token.
# `always` emits the header on error responses too. Keep `preload` only if
# you intend to submit the domain to the browser preload lists: listing
# requires includeSubDomains and a max-age of at least one year, commits
# every subdomain to HTTPS, and removal from the lists takes months.
# Emit this only from the TLS server block; browsers ignore HSTS received
# over plain HTTP.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
// X-Content-Type-Options: nosniff -- the browser must honour the declared
// Content-Type instead of sniffing the body, so e.g. a user upload served
// as text/plain cannot be loaded as a script or stylesheet. Every response
// therefore needs a correct Content-Type, including static assets.
app.use(helmet.noSniff());
app.use(helmet.noSniff());
app.use(helmet.noSniff());
# X-Content-Type-Options: nosniff -- browsers must trust the declared
# Content-Type and refuse to treat a mis-typed response as script or style.
# Make sure nginx's mime.types (or explicit `types`/`default_type`) labels
# every served file correctly, or legitimate assets will be blocked.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Content-Type-Options "nosniff" always;
X-Frame-Options: DENY
X-Frame-Options: DENY
X-Frame-Options: DENY
// X-Frame-Options: DENY -- refuse to be rendered inside any frame, the
// classic clickjacking defence. This is the legacy mechanism: browsers that
// support the CSP `frame-ancestors` directive give it precedence when both
// are present, so pair DENY (for older clients) with
// `frame-ancestors 'none'` in the CSP for current ones.
app.use(helmet.frameguard({ action: 'deny' }));
app.use(helmet.frameguard({ action: 'deny' }));
app.use(helmet.frameguard({ action: 'deny' }));
# X-Frame-Options: DENY -- never allow this site to be framed (clickjacking
# defence). Legacy header: when a CSP with `frame-ancestors` is also sent,
# supporting browsers use the CSP directive instead, so add
# `frame-ancestors 'none'` to the CSP above for the same guarantee there.
add_header X-Frame-Options "DENY" always;
add_header X-Frame-Options "DENY" always;
add_header X-Frame-Options "DENY" always;
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
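// NOTE(review): helmet.permittedCrossDomainPolicies() sets
// X-Permitted-Cross-Domain-Policies: none (the Adobe Flash/Acrobat
// cross-domain policy-file header), NOT Permissions-Policy. helmet ships
// no Permissions-Policy middleware, so the hand-written middleware below
// is what actually emits the header shown above; this call is harmless
// but unrelated.
app.use(helmet.permittedCrossDomainPolicies());

// Permissions-Policy: an empty allowlist `()` denies the feature to this
// document and to every frame it embeds. Register it before the routes so
// that every response carries the header.
app.use((req, res, next) => {
  res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
  next();
});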
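// NOTE(review): helmet.permittedCrossDomainPolicies() sets
// X-Permitted-Cross-Domain-Policies: none (the Adobe Flash/Acrobat
// cross-domain policy-file header), NOT Permissions-Policy. helmet ships
// no Permissions-Policy middleware, so the hand-written middleware below
// is what actually emits the header shown above; this call is harmless
// but unrelated.
app.use(helmet.permittedCrossDomainPolicies());

// Permissions-Policy: an empty allowlist `()` denies the feature to this
// document and to every frame it embeds. Register it before the routes so
// that every response carries the header.
app.use((req, res, next) => {
  res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
  next();
});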
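// NOTE(review): helmet.permittedCrossDomainPolicies() sets
// X-Permitted-Cross-Domain-Policies: none (the Adobe Flash/Acrobat
// cross-domain policy-file header), NOT Permissions-Policy. helmet ships
// no Permissions-Policy middleware, so the hand-written middleware below
// is what actually emits the header shown above; this call is harmless
// but unrelated.
app.use(helmet.permittedCrossDomainPolicies());

// Permissions-Policy: an empty allowlist `()` denies the feature to this
// document and to every frame it embeds. Register it before the routes so
// that every response carries the header.
app.use((req, res, next) => {
  res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
  next();
});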
# Install helmet, the Express security-header middleware used throughout
# this page. Commit the generated lockfile and install with `npm ci` in CI
# so the dependency tree (helmet and its transitive packages) is reproducible.
npm install helmet
npm install helmet
npm install helmet
const helmet = require('helmet');
// Applies helmet's bundled middleware set with its built-in defaults (CSP,
// HSTS, X-Content-Type-Options, X-Frame-Options and others). Two caveats:
// the default CSP is helmet's own policy, not the custom one shown earlier
// on this page, and helmet has no Permissions-Policy middleware, so that
// header still needs the manual setHeader snippet above. Verify the actual
// response headers with the curl check below rather than assuming coverage.
app.use(helmet());
const helmet = require('helmet');
// Applies helmet's bundled middleware set with its built-in defaults (CSP,
// HSTS, X-Content-Type-Options, X-Frame-Options and others). Two caveats:
// the default CSP is helmet's own policy, not the custom one shown earlier
// on this page, and helmet has no Permissions-Policy middleware, so that
// header still needs the manual setHeader snippet above. Verify the actual
// response headers with the curl check below rather than assuming coverage.
app.use(helmet());
const helmet = require('helmet');
// Applies helmet's bundled middleware set with its built-in defaults (CSP,
// HSTS, X-Content-Type-Options, X-Frame-Options and others). Two caveats:
// the default CSP is helmet's own policy, not the custom one shown earlier
// on this page, and helmet has no Permissions-Policy middleware, so that
// header still needs the manual setHeader snippet above. Verify the actual
// response headers with the curl check below rather than assuming coverage.
app.use(helmet());
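# Quick check any website's security headers
# Use GET, not HEAD (-I): some servers and CDNs answer HEAD with a reduced
# header set or a 405, which shows up as a false "missing". `-D -` prints
# the response headers and `-o /dev/null` discards the body; add -L to
# follow a redirect and inspect the final response instead. The anchored
# pattern matches only the enforcing header names, so a
# Content-Security-Policy-Report-Only header (which blocks nothing) is not
# mistaken for a real CSP.
curl -s -o /dev/null -D - https://yoursite.com | grep -iE '^(content-security-policy|strict-transport-security|x-content-type-options|x-frame-options|permissions-policy):'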
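# Quick check any website's security headers
# Use GET, not HEAD (-I): some servers and CDNs answer HEAD with a reduced
# header set or a 405, which shows up as a false "missing". `-D -` prints
# the response headers and `-o /dev/null` discards the body; add -L to
# follow a redirect and inspect the final response instead. The anchored
# pattern matches only the enforcing header names, so a
# Content-Security-Policy-Report-Only header (which blocks nothing) is not
# mistaken for a real CSP.
curl -s -o /dev/null -D - https://yoursite.com | grep -iE '^(content-security-policy|strict-transport-security|x-content-type-options|x-frame-options|permissions-policy):'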
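# Quick check any website's security headers
# Use GET, not HEAD (-I): some servers and CDNs answer HEAD with a reduced
# header set or a 405, which shows up as a false "missing". `-D -` prints
# the response headers and `-o /dev/null` discards the body; add -L to
# follow a redirect and inspect the final response instead. The anchored
# pattern matches only the enforcing header names, so a
# Content-Security-Policy-Report-Only header (which blocks nothing) is not
# mistaken for a real CSP.
curl -s -o /dev/null -D - https://yoursite.com | grep -iE '^(content-security-policy|strict-transport-security|x-content-type-options|x-frame-options|permissions-policy):'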
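import requests


def check_security_headers(url):
    """Fetch ``url`` and report which of five security headers it sends.

    Prints a letter grade (A+ .. F, one point per header found) followed by
    one OK/MISSING line per header, and returns ``{header_name: bool}``.
    On a transport error the failure is printed and
    ``{"url": url, "error": str(e)}`` is returned instead.

    The check is presence-only: a header with a weak value (a CSP of
    ``default-src *``, ``max-age=0`` on HSTS) still scores a point, and a
    ``Content-Security-Policy-Report-Only`` header, which enforces nothing,
    is deliberately not counted. Treat the grade as a smoke test, not as a
    policy review.
    """
    headers_to_check = [
        'Content-Security-Policy',
        'Strict-Transport-Security',
        'X-Content-Type-Options',
        'X-Frame-Options',
        'Permissions-Policy',
    ]
    try:
        # GET rather than HEAD: some servers and CDNs answer HEAD with a
        # reduced header set or a 405, which would show up as false MISSING
        # results. stream=True returns once the headers have arrived; the
        # body is never read, and the context manager releases the socket.
        with requests.get(url, timeout=10, allow_redirects=True, stream=True) as resp:
            # resp.headers is case-insensitive, so lowercase HTTP/2 names match.
            results = {header: header in resp.headers for header in headers_to_check}
    except requests.RequestException as e:
        # Print the failure so an unreachable site is visible in the output
        # instead of silently producing no report at all.
        print(f"{url}: ERROR ({e})")
        return {"url": url, "error": str(e)}

    score = sum(results.values())
    grade = {5: 'A+', 4: 'A', 3: 'B', 2: 'C', 1: 'D', 0: 'F'}
    print(f"{url}: {grade.get(score, 'F')} ({score}/5 headers)")
    for header, present in results.items():
        status = 'OK' if present else 'MISSING'
        print(f" [{status}] {header}")
    return results
# Check your sites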
# Sites to audit -- replace with your own origins.
sites = [
    "https://example.com",
    "https://yourapp.com",
]

# One report per site, separated by a blank line.
for site in sites:
    check_security_headers(site)
    print()
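import requests


def check_security_headers(url):
    """Fetch ``url`` and report which of five security headers it sends.

    Prints a letter grade (A+ .. F, one point per header found) followed by
    one OK/MISSING line per header, and returns ``{header_name: bool}``.
    On a transport error the failure is printed and
    ``{"url": url, "error": str(e)}`` is returned instead.

    The check is presence-only: a header with a weak value (a CSP of
    ``default-src *``, ``max-age=0`` on HSTS) still scores a point, and a
    ``Content-Security-Policy-Report-Only`` header, which enforces nothing,
    is deliberately not counted. Treat the grade as a smoke test, not as a
    policy review.
    """
    headers_to_check = [
        'Content-Security-Policy',
        'Strict-Transport-Security',
        'X-Content-Type-Options',
        'X-Frame-Options',
        'Permissions-Policy',
    ]
    try:
        # GET rather than HEAD: some servers and CDNs answer HEAD with a
        # reduced header set or a 405, which would show up as false MISSING
        # results. stream=True returns once the headers have arrived; the
        # body is never read, and the context manager releases the socket.
        with requests.get(url, timeout=10, allow_redirects=True, stream=True) as resp:
            # resp.headers is case-insensitive, so lowercase HTTP/2 names match.
            results = {header: header in resp.headers for header in headers_to_check}
    except requests.RequestException as e:
        # Print the failure so an unreachable site is visible in the output
        # instead of silently producing no report at all.
        print(f"{url}: ERROR ({e})")
        return {"url": url, "error": str(e)}

    score = sum(results.values())
    grade = {5: 'A+', 4: 'A', 3: 'B', 2: 'C', 1: 'D', 0: 'F'}
    print(f"{url}: {grade.get(score, 'F')} ({score}/5 headers)")
    for header, present in results.items():
        status = 'OK' if present else 'MISSING'
        print(f" [{status}] {header}")
    return results
# Check your sites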
# Sites to audit -- replace with your own origins.
sites = [
    "https://example.com",
    "https://yourapp.com",
]

# One report per site, separated by a blank line.
for site in sites:
    check_security_headers(site)
    print()
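import requests


def check_security_headers(url):
    """Fetch ``url`` and report which of five security headers it sends.

    Prints a letter grade (A+ .. F, one point per header found) followed by
    one OK/MISSING line per header, and returns ``{header_name: bool}``.
    On a transport error the failure is printed and
    ``{"url": url, "error": str(e)}`` is returned instead.

    The check is presence-only: a header with a weak value (a CSP of
    ``default-src *``, ``max-age=0`` on HSTS) still scores a point, and a
    ``Content-Security-Policy-Report-Only`` header, which enforces nothing,
    is deliberately not counted. Treat the grade as a smoke test, not as a
    policy review.
    """
    headers_to_check = [
        'Content-Security-Policy',
        'Strict-Transport-Security',
        'X-Content-Type-Options',
        'X-Frame-Options',
        'Permissions-Policy',
    ]
    try:
        # GET rather than HEAD: some servers and CDNs answer HEAD with a
        # reduced header set or a 405, which would show up as false MISSING
        # results. stream=True returns once the headers have arrived; the
        # body is never read, and the context manager releases the socket.
        with requests.get(url, timeout=10, allow_redirects=True, stream=True) as resp:
            # resp.headers is case-insensitive, so lowercase HTTP/2 names match.
            results = {header: header in resp.headers for header in headers_to_check}
    except requests.RequestException as e:
        # Print the failure so an unreachable site is visible in the output
        # instead of silently producing no report at all.
        print(f"{url}: ERROR ({e})")
        return {"url": url, "error": str(e)}

    score = sum(results.values())
    grade = {5: 'A+', 4: 'A', 3: 'B', 2: 'C', 1: 'D', 0: 'F'}
    print(f"{url}: {grade.get(score, 'F')} ({score}/5 headers)")
    for header, present in results.items():
        status = 'OK' if present else 'MISSING'
        print(f" [{status}] {header}")
    return results
# Check your sites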
# Sites to audit -- replace with your own origins.
sites = [
    "https://example.com",
    "https://yourapp.com",
]

# One report per site, separated by a blank line.
for site in sites:
    check_security_headers(site)
    print()

- securityheaders.com
- observatory.mozilla.org