Configuration

The module by default will register middlewares and route roules to make your application more secure. If you need, you can also modify or disable any of middlewares/routes if you do not need them or your project cannot use them (i.e. some Statically Generated websites will not be able to use middlewares).

Configuration Types

Each middleware configuration object is build using same TS type:

export type MiddlewareConfiguration<MIDDLEWARE> = {  value: MIDDLEWARE;  route: string;}
  • value is the value of certain header or middleware. It may be a simple string or an object depending on the method.
  • route is the route that should this header or middleware be attached to. By default for routeRoules (headers) the route is /** and for middlewares is '' (empty string) -> global middleware.

All module configuration is the following type:

export interface ModuleOptions {  headers: SecurityHeaders | false;  requestSizeLimiter: MiddlewareConfiguration<RequestSizeLimiter> | false;  rateLimiter: MiddlewareConfiguration<RateLimiter> | false;  xssValidator: MiddlewareConfiguration<XssValidator> | false;  corsHandler: MiddlewareConfiguration<CorsOptions> | false;  allowedMethodsRestricter: MiddlewareConfiguration<AllowedHTTPMethods> | false;  hidePoweredBy: boolean;  basicAuth: MiddlewareConfiguration<BasicAuth> | boolean;}

All above ModuleOptions are explained in more details in the next chapter

Default configuration

This module will by default set the following configuration options to enable middlewares:

security: {  headers: {    crossOriginResourcePolicy: {      value: 'same-origin',      route: '/**'    },    crossOriginOpenerPolicy: {      value: 'same-origin',      route: '/**'    },    crossOriginEmbedderPolicy: {      value: 'require-corp',      route: '/**'    },    contentSecurityPolicy: {      value: {        'base-uri': ["'self'"],        'font-src': ["'self'", 'https:', 'data:'],        'form-action': ["'self'"],        'frame-ancestors': ["'self'"],        'img-src': ["'self'", 'data:'],        'object-src': ["'none'"],        'script-src-attr': ["'none'"],        'style-src': ["'self'", 'https:', "'unsafe-inline'"],        'upgrade-insecure-requests': true      },      route: '/**'    },    originAgentCluster: {      value: '?1',      route: '/**'    },    referrerPolicy: {      value: 'no-referrer',      route: '/**'    },    strictTransportSecurity: {      value: {        maxAge: 15552000,        includeSubdomains: true      },      route: '/**'    },    xContentTypeOptions: {      value: 'nosniff',      route: '/**'    },    xDNSPrefetchControl: {      value: 'off',      route: '/**'    },    xDownloadOptions: {      value: 'noopen',      route: '/**'    },    xFrameOptions: {      value: 'SAMEORIGIN',      route: '/**'    },    xPermittedCrossDomainPolicies: {      value: 'none',      route: '/**'    },    xXSSProtection: {      value: '0',      route: '/**'    }  },  requestSizeLimiter: {    value: {      maxRequestSizeInBytes: 2000000,      maxUploadFileRequestInBytes: 8000000,    },    route: '',  },  rateLimiter: {    // Twitter search rate limiting    value: {      tokensPerInterval: 150,      interval: "hour",      fireImmediately: true,    },    route: '',  },  xssValidator: {    value: {},    route: '',  },  corsHandler: {    value: {      origin: '*',      methods: ['GET','HEAD','PUT','PATCH','POST','DELETE'],      preflight: {        statusCode: 204      }    },    route: '',  },  allowedMethodsRestricter: {    value: '*',    route: '',  },  hidePoweredBy: true,  basicAuth: false}

To read more about every security middleware, go to that middleware page in middlewares section.

Edit this page on GitHub

Getting Started

Quick start

Middlewares

Headers