
integralhelm


This module combines helmet, permissions-policy, hardcore (deny-by-default) settings and best practices.

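const helmet = require("helmet");
const permissionPolicy = require("permissions-policy");

/**
 * Permissions-Policy features from the spec's feature registry, each mapped to
 * an empty allowlist, i.e. denied for every origin. Individual entries can be
 * re-enabled by the caller through `args.pp`; the object itself is frozen so a
 * caller cannot accidentally mutate the shared baseline.
 * Source: https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
 */
const standardizedFeatures = Object.freeze({
  accelerometer: [],
  "ambient-light-sensor": [],
  autoplay: [],
  battery: [],
  camera: [],
  "cross-origin-isolated": [],
  "display-capture": [],
  "document-domain": [],
  "encrypted-media": [],
  "execution-while-not-rendered": [],
  "execution-while-out-of-viewport": [],
  fullscreen: [],
  geolocation: [],
  gyroscope: [],
  magnetometer: [],
  microphone: [],
  midi: [],
  "navigation-override": [],
  payment: [],
  "picture-in-picture": [],
  "publickey-credentials-get": [],
  "screen-wake-lock": [],
  "sync-xhr": [],
  usb: [],
  "xr-spatial-tracking": [],
  "web-share": [],
});

/**
 * Build a deny-by-default security-header middleware pair.
 *
 * @param {object} [args]
 * @param {object} [args.helmet] - Options forwarded to `helmet()`. The one
 *   exception is the module-specific `csp` key: its entries are merged on top
 *   of the default Content-Security-Policy directives and the key itself is
 *   NOT forwarded, since helmet has no option of that name.
 * @param {object} [args.pp] - Permissions-Policy overrides merged on top of
 *   `standardizedFeatures` (later keys win).
 * @returns {Function[]} `[helmetMiddleware, permissionsPolicyMiddleware]`,
 *   ready to be passed to `app.use(...)`.
 */
module.exports = (args = { helmet: {}, pp: {} }) => {
  // Split this module's own `csp` extension point away from the options that
  // reach helmet, so helmet only ever sees keys it defines. `args` may be
  // null or lack either section; treat both as "no overrides".
  const { csp = {}, ...helmetOptions } = args?.helmet ?? {};
  const ppOverrides = args?.pp ?? {};

  const h = helmet({
    useDefaults: false,
    contentSecurityPolicy: {
      directives: {
        "default-src": ["'none'"],
        // Kebab-case throughout so a caller overriding this directive in
        // `csp` does not end up supplying the same directive under two names.
        "upgrade-insecure-requests": [],
        "block-all-mixed-content": [],
        "require-trusted-types-for": ["'script'"],
        "frame-ancestors": ["'none'"],
        "base-uri": ["'none'"],
        "form-action": ["'none'"],
        // Caller-supplied directives override the defaults above.
        ...csp,
      },
    },
    frameguard: { action: "deny" },
    // 100 years in seconds (100 * 365 * 24 * 60 * 60).
    hsts: { maxAge: 3153600000 },
    // Caller options win, including a full `contentSecurityPolicy` replacement.
    ...helmetOptions,
  });

  const pp = permissionPolicy({
    features: { ...standardizedFeatures, ...ppOverrides },
  });

  return [h, pp];
};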