cf-workers-helmet is a wrapper for helmet to work with Cloudflare Workers. It provides important security headers to make your app more secure by default. cf-workers-helmet has been heavily inspired by koa-helmet.
npm install cf-workers-helmet --save
Usage is the same as helmet.
Helmet is a collection of 11 smaller middleware functions that set HTTP response headers.
Module | Default? |
---|---|
contentSecurityPolicy for setting Content Security Policy | |
crossdomain for handling Adobe products' crossdomain requests | |
dnsPrefetchControl controls browser DNS prefetching | ✓ |
expectCt for handling Certificate Transparency | |
frameguard to prevent clickjacking | ✓ |
hidePoweredBy to remove the X-Powered-By header | ✓ |
hsts for HTTP Strict Transport Security | ✓ |
ieNoOpen sets X-Download-Options for IE8+ | ✓ |
noSniff to keep clients from sniffing the MIME type | ✓ |
referrerPolicy to hide the Referer header | |
xssFilter adds some small XSS protections | ✓ |
Refer to the helmet documentation for details on each module and its options.
import {getAssetFromKV, NotFoundError} from '@cloudflare/kv-asset-handler';
import Helmet from 'cf-workers-helmet';
// One Helmet instance for the whole worker; it is invoked per request below.
const helmet = new Helmet();
addEventListener('fetch', (event) => {
  // Every request goes through serverResponse, which always settles to a Response.
  event.respondWith(serverResponse(event));
});
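/**
 * Top-level request handler: resolves the response and applies helmet's
 * security headers to it.
 *
 * The 500 fallback is routed through helmet as well, so a failure in
 * handleEvent does not produce a response that lacks the headers every
 * other response carries.
 *
 * @param {FetchEvent} event - The incoming fetch event.
 * @returns {Promise<Response>} The asset (or 404) response with security
 *   headers applied, or a plain-text 500 on failure.
 */
async function serverResponse(event) {
  try {
    const response = await handleEvent(event);
    return helmet(event.request, response);
  } catch (e) {
    // Log instead of swallowing so real failures remain visible in the
    // worker logs; the client only ever sees the generic message.
    console.error('request handling failed', e);
    return helmet(
      event.request,
      new Response('Internal Error', {
        status: 500,
      }),
    );
  }
}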
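/**
 * Serve the requested static asset from Workers KV, or a plain-text 404.
 *
 * Only a NotFoundError from getAssetFromKV is translated into a 404. Any
 * other failure (for example a KV binding problem) is rethrown so that
 * serverResponse reports it as a 500 rather than silently presenting it
 * as a missing page.
 *
 * @param {FetchEvent} event - The incoming fetch event.
 * @returns {Promise<Response>} The asset response, or a 404 response.
 * @throws {Error} Any error from getAssetFromKV that is not a NotFoundError.
 */
async function handleEvent(event) {
  try {
    return await getAssetFromKV(event);
  } catch (e) {
    if (!(e instanceof NotFoundError)) {
      throw e;
    }
    const { pathname } = new URL(event.request.url);
    // A string body gets a text/plain Content-Type by default, so the
    // reflected pathname is not rendered as HTML by the client.
    return new Response(`"${pathname}" not found`, {
      status: 404,
      statusText: 'not found',
    });
  }
}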