Security Headers Middleware
Reference: OWASP Secure Headers Project
Security Headers middleware sets HTTP security headers to protect your application from common vulnerabilities like clickjacking, MIME type sniffing, and XSS attacks.
Basic Usage
Apply security headers middleware using Deserve's built-in middleware:
```typescript
import { Router, Mware } from '@neabyte/deserve'

const router = new Router()

router.use(Mware.securityHeaders({
  xContentTypeOptions: 'nosniff',
  xFrameOptions: 'DENY',
  referrerPolicy: 'no-referrer'
}))

await router.serve(8000)
```

Route-Specific Security Headers
Apply different security headers to specific routes:
```typescript
// Strict headers for admin routes
router.use('/admin', Mware.securityHeaders({
  xContentTypeOptions: 'nosniff',
  xFrameOptions: 'DENY',
  referrerPolicy: 'no-referrer',
  strictTransportSecurity: 'max-age=31536000; includeSubDomains'
}))

// Less strict for public routes
router.use('/api/public', Mware.securityHeaders({
  xContentTypeOptions: 'nosniff',
  xFrameOptions: 'SAMEORIGIN'
}))
```

Configuration Options
All headers are optional. Set a header option to a string value to enable the header with that value, set it to `false` to disable the header explicitly (removing a value set elsewhere), or leave it undefined to skip the header entirely.
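The three option states above (string, `false`, undefined) are easy to mix up, so here is an added worked example that models them explicitly. This is not Deserve's own code: `applySecurityHeaders`, `HeaderBag` and `checkSecurityHeaderOptions` are hypothetical names, the option-to-header-name table is derived from the option names documented on this page, and the `HeaderBag` class is a constructed stand-in for the response's `Headers` object. It also carries the HSTS-on-HTTPS caveat from the Important Notes section as a check you can run on a configuration before it goes live.

```typescript
// Added example, not part of the Deserve project. Models the option semantics:
//   string    -> header is set to that value
//   false     -> header is removed, even if some other layer set it
//   undefined -> header is left untouched

type HeaderValue = string | false | undefined

interface SecurityHeaderOptions {
  contentSecurityPolicy?: HeaderValue
  crossOriginEmbedderPolicy?: HeaderValue
  crossOriginOpenerPolicy?: HeaderValue
  crossOriginResourcePolicy?: HeaderValue
  originAgentCluster?: HeaderValue
  referrerPolicy?: HeaderValue
  strictTransportSecurity?: HeaderValue
  xContentTypeOptions?: HeaderValue
  xDnsPrefetchControl?: HeaderValue
  xDownloadOptions?: HeaderValue
  xFrameOptions?: HeaderValue
  xPermittedCrossDomainPolicies?: HeaderValue
  xPoweredBy?: HeaderValue
}

// camelCase option name -> header name on the wire (assumed mapping)
const HEADER_NAMES: Record<keyof SecurityHeaderOptions, string> = {
  contentSecurityPolicy: 'Content-Security-Policy',
  crossOriginEmbedderPolicy: 'Cross-Origin-Embedder-Policy',
  crossOriginOpenerPolicy: 'Cross-Origin-Opener-Policy',
  crossOriginResourcePolicy: 'Cross-Origin-Resource-Policy',
  originAgentCluster: 'Origin-Agent-Cluster',
  referrerPolicy: 'Referrer-Policy',
  strictTransportSecurity: 'Strict-Transport-Security',
  xContentTypeOptions: 'X-Content-Type-Options',
  xDnsPrefetchControl: 'X-DNS-Prefetch-Control',
  xDownloadOptions: 'X-Download-Options',
  xFrameOptions: 'X-Frame-Options',
  xPermittedCrossDomainPolicies: 'X-Permitted-Cross-Domain-Policies',
  xPoweredBy: 'X-Powered-By',
}

// Constructed stand-in for a response Headers object: header names are
// case-insensitive, exactly like HTTP.
class HeaderBag {
  private map = new Map<string, string>()
  set(name: string, value: string): void { this.map.set(name.toLowerCase(), value) }
  get(name: string): string | null { return this.map.get(name.toLowerCase()) ?? null }
  delete(name: string): void { this.map.delete(name.toLowerCase()) }
  has(name: string): boolean { return this.map.has(name.toLowerCase()) }
}

// Apply the options to an existing header set and return it.
function applySecurityHeaders(options: SecurityHeaderOptions, headers: HeaderBag): HeaderBag {
  for (const key of Object.keys(HEADER_NAMES) as (keyof SecurityHeaderOptions)[]) {
    const value = options[key]
    const name = HEADER_NAMES[key]
    if (value === undefined) continue        // undefined: skip entirely
    if (value === false) {                   // false: explicit disable
      headers.delete(name)
      continue
    }
    headers.set(name, value)                 // string: enable with this value
  }
  return headers
}

// Pre-flight check for a configuration. `servingHttps` is an assumed flag the
// caller derives from how the server is actually exposed.
function checkSecurityHeaderOptions(options: SecurityHeaderOptions, servingHttps: boolean): string[] {
  const warnings: string[] = []
  if (typeof options.strictTransportSecurity === 'string' && !servingHttps) {
    warnings.push('strictTransportSecurity is set but the server is not serving HTTPS; browsers ignore HSTS over plain HTTP')
  }
  if (typeof options.xContentTypeOptions === 'string' && options.xContentTypeOptions !== 'nosniff') {
    warnings.push(`xContentTypeOptions has no effect unless it is 'nosniff' (got '${options.xContentTypeOptions}')`)
  }
  return warnings
}
```

Run it against a header set that already carries an `X-Powered-By` value to see the `false` case remove it while an untouched `X-Frame-Options` survives.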
contentSecurityPolicy
Content Security Policy (CSP) to control resource loading:

```typescript
contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'"
```

crossOriginEmbedderPolicy
Cross-Origin Embedder Policy (COEP):

```typescript
crossOriginEmbedderPolicy: 'require-corp' // or 'unsafe-none', 'credentialless'
```

crossOriginOpenerPolicy
Cross-Origin Opener Policy (COOP):

```typescript
crossOriginOpenerPolicy: 'same-origin' // or 'same-origin-allow-popups', 'unsafe-none'
```

crossOriginResourcePolicy
Cross-Origin Resource Policy (CORP):

```typescript
crossOriginResourcePolicy: 'same-origin' // or 'same-site', 'cross-origin'
```

originAgentCluster
Origin Agent Cluster isolation:

```typescript
originAgentCluster: '?1'
```

referrerPolicy
Referrer Policy to control what referrer information is sent:

```typescript
referrerPolicy: 'no-referrer' // or 'strict-origin-when-cross-origin', etc.
```

strictTransportSecurity
HTTP Strict Transport Security (HSTS):

```typescript
strictTransportSecurity: 'max-age=31536000; includeSubDomains'
```

xContentTypeOptions
Prevents MIME type sniffing:

```typescript
xContentTypeOptions: 'nosniff'
```

xDnsPrefetchControl
Controls DNS prefetching:

```typescript
xDnsPrefetchControl: 'off' // or 'on'
```

xDownloadOptions
Controls file download options:

```typescript
xDownloadOptions: 'noopen'
```

xFrameOptions
Prevents clickjacking attacks:

```typescript
xFrameOptions: 'DENY' // or 'SAMEORIGIN', 'ALLOW-FROM uri'
```

xPermittedCrossDomainPolicies
Cross-domain policy for Flash:

```typescript
xPermittedCrossDomainPolicies: 'none' // or 'master-only', 'all'
```

xPoweredBy
Remove or customize the X-Powered-By header:

```typescript
xPoweredBy: false    // Remove header
xPoweredBy: 'Custom' // Set custom value
```

Complete Example
```typescript
import { Router, Mware } from '@neabyte/deserve'

const router = new Router({ routesDir: './routes' })

router.use(Mware.securityHeaders({
  xContentTypeOptions: 'nosniff',
  xFrameOptions: 'DENY',
  referrerPolicy: 'no-referrer',
  xDnsPrefetchControl: 'off',
  strictTransportSecurity: 'max-age=31536000; includeSubDomains',
  contentSecurityPolicy: "default-src 'self'",
  crossOriginOpenerPolicy: 'same-origin',
  crossOriginResourcePolicy: 'same-origin'
}))

await router.serve(8000)
```

Important Notes
- All headers optional: headers are only set if you explicitly provide values
- Set to `false`: explicitly disable a header that might be set elsewhere
- Undefined: skip setting the header entirely
- X-Powered-By: set to `false` to remove, or to a string to customize
- HSTS: only use `strictTransportSecurity` on HTTPS servers
- CSP: Content Security Policy can be complex; test thoroughly
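"Test thoroughly" is easier with a tool that reads a policy back the way a browser does. The following is an added example, not Deserve code: `parseCsp` splits a policy string into its directives and `lintCsp` flags settings that weaken it, including the `'unsafe-inline'` in the `script-src` sample shown under contentSecurityPolicy above. It applies two CSP rules worth knowing: `script-src` falls back to `default-src` when absent, and browsers that implement CSP Level 3 ignore `'unsafe-inline'` in a directive that also carries a nonce or hash source. The rule set is a small conservative subset, not a full CSP evaluator.

```typescript
// Added example (not part of the Deserve project): a CSP parser plus a few
// lint rules for the weaknesses most often seen in hand-written policies.

type CspDirectives = Map<string, string[]>

// "default-src 'self'; script-src 'self' 'unsafe-inline'"
//   -> Map { 'default-src' => ["'self'"], 'script-src' => ["'self'", "'unsafe-inline'"] }
function parseCsp(policy: string): CspDirectives {
  const directives: CspDirectives = new Map()
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean)
    if (tokens.length === 0) continue
    const [name, ...values] = tokens
    // Directive names are case-insensitive; source expressions are kept as written.
    directives.set(name.toLowerCase(), values)
  }
  return directives
}

interface CspFinding {
  directive: string
  issue: string
}

function lintCsp(policy: string): CspFinding[] {
  const d = parseCsp(policy)
  const findings: CspFinding[] = []

  if (!d.has('default-src')) {
    findings.push({
      directive: 'default-src',
      issue: 'missing: any fetch directive not listed explicitly is left unrestricted',
    })
  }

  // script-src falls back to default-src, so lint the directive that actually
  // governs script loading.
  const governing = d.has('script-src') ? 'script-src' : 'default-src'
  const scriptSrc = d.get(governing) ?? []

  // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'
  // (it is commonly kept only as a fallback for older browsers).
  const hasNonceOrHash = scriptSrc.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v))

  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push({
      directive: governing,
      issue: "'unsafe-inline' permits inline scripts, which removes the main XSS mitigation CSP offers",
    })
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push({
      directive: governing,
      issue: "'unsafe-eval' permits eval() and other string-to-code sinks",
    })
  }
  for (const v of scriptSrc) {
    if (v === '*' || v === 'http:' || v === 'https:' || v === 'data:') {
      findings.push({ directive: governing, issue: `${v} allows scripts from any matching origin` })
    }
  }
  return findings
}
```

Feed it the exact string you pass to `contentSecurityPolicy`; an empty result means none of these rules fired, not that the policy is complete, so a browser-based test of the real pages remains necessary.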