# integralhelm
### everything is disabled by default! just enable the things you need!
### this module combines helmet, permissions-policy, hardcore settings and best practices
### this will get you the best possible score on https://observatory.mozilla.org
# install
```sh
yarn add integralhelm
```
or
```sh
npm i integralhelm
```
# Use as expressjs middleware
Everything is disabled by default!
Our site only uses a style sheet, a font and an autoplay video, so we only enable the document to use these content types and features.
```js
const express = require("express");
const app = express();
const ih = require("integralhelm");

app.use(
    ih({
        helmet: {
            csp: { "style-src": ["'self'"], "font-src": ["'self'"] }
        },
        pp: { autoplay: ["self"] }
    })
);
```
## Links
[helmet - NPM](https://www.npmjs.com/package/helmet)
[permissions-policy - NPM]()
[NPM](https://www.npmjs.com/package/integralhelm)
[Documentation](https://git.y.gy/firstdorsal/integralhelm)
[Code](https://git.y.gy/firstdorsal/integralhelm)
# helmet
You can use all helmet features and put them in the helmet object:
```js
app.use(
    ih({
        helmet: {
            hsts: {
                maxAge: 10
            }
        }
    })
);
```
As a shorthand for the helmet CSP directives (the same as "helmet.contentSecurityPolicy.directives") you can use the key "csp":
```js
app.use(
    ih({
        helmet: {
            csp: {
                "style-src": ["'self'"],
                "font-src": ["'self'"]
            }
        }
    })
);
```
is the same as
```js
app.use(
    ih({
        helmet: {
            contentSecurityPolicy: {
                directives: {
                    "style-src": ["'self'"],
                    "font-src": ["'self'"]
                }
            }
        }
    })
);
```
# permissions-policy features
## [read the standard](https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md)
you can just add the features to the pp object:
```js
app.use(
    ih({
        pp: { camera: ["self"], fullscreen: ["self"] }
    })
);
```
Supported features and their defaults (an empty list means the feature is disabled):
```js
const standardizedFeatures = {
    // features defined in the spec: https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
    accelerometer: [],
    "ambient-light-sensor": [],
    autoplay: [],
    battery: [],
    camera: [],
    "cross-origin-isolated": [],
    "display-capture": [],
    "document-domain": [],
    "encrypted-media": [],
    "execution-while-not-rendered": [],
    "execution-while-out-of-viewport": [],
    fullscreen: [],
    geolocation: [],
    gyroscope: [],
    magnetometer: [],
    microphone: [],
    midi: [],
    "navigation-override": [],
    payment: [],
    "picture-in-picture": [],
    "publickey-credentials-get": [],
    "screen-wake-lock": [],
    "sync-xhr": [],
    usb: [],
    "xr-spatial-tracking": [],
    "web-share": []
};

const nonStandardizedFeatures = {
    documentWrite: [],
    fontDisplayLateSwap: [],
    notifications: [],
    push: [],
    speaker: [],
    interestCohort: [],
    layoutAnimations: [],
    legacyImageFormats: [],
    loadingFrameDefaultEager: [],
    oversizedImages: [],
    serial: [],
    syncScript: [],
    unoptimizedImages: [],
    unoptimizedLosslessImages: [],
    unoptimizedLossyImages: [],
    unsizedMedia: [],
    verticalScroll: [],
    vibrate: [],
    vr: [],
    xr: []
};
```
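The options shape described in the helmet and permissions-policy sections above, as an added example (not integralhelm's own code): a disabled-by-default Permissions-Policy builder plus the "csp" shorthand expansion into helmet's `contentSecurityPolicy.directives`. `DEFAULT_FEATURES` is a constructed subset of the feature table above, and `serializeAllowlist`, `buildPermissionsPolicy`, `expandHelmetOptions` and `makeMiddleware` are assumed names; the header syntax follows the Permissions-Policy spec, and integralhelm's real internals may differ.

```javascript
// Constructed subset of the README's standardized feature table ([] = disabled).
const DEFAULT_FEATURES = {
    autoplay: [], camera: [], fullscreen: [], geolocation: [],
    microphone: [], payment: [], usb: [],
};

// One allowlist in Permissions-Policy syntax: [] -> "()", ["self"] -> "(self)",
// ["self", "https://cdn.example"] -> '(self "https://cdn.example")'.
function serializeAllowlist(list) {
    const items = list.map((o) => (o === "self" || o === "*" ? o : JSON.stringify(o)));
    return `(${items.join(" ")})`;
}

// Merge the user's pp object over the disabled-by-default table and render the
// header value. Unknown names are rejected so a typo cannot silently leave a
// feature enabled (assumed behaviour, not necessarily integralhelm's).
function buildPermissionsPolicy(pp = {}, defaults = DEFAULT_FEATURES) {
    for (const name of Object.keys(pp)) {
        if (!(name in defaults)) throw new Error(`unknown permissions-policy feature: ${name}`);
    }
    const merged = { ...defaults, ...pp };
    return Object.keys(merged).map((f) => `${f}=${serializeAllowlist(merged[f])}`).join(", ");
}

// Expand the README's "csp" shorthand into helmet's
// contentSecurityPolicy.directives shape, leaving other helmet keys untouched.
function expandHelmetOptions(helmet = {}) {
    const { csp, ...rest } = helmet;
    if (!csp) return rest;
    return { ...rest, contentSecurityPolicy: { directives: { ...csp } } };
}

// Express-style middleware built from an integralhelm-like options object.
// Real helmet is not invoked here so the example runs offline; it only sets
// the Permissions-Policy header and exposes the expanded helmet options.
function makeMiddleware(options = {}) {
    const ppHeader = buildPermissionsPolicy(options.pp);
    const helmetOptions = expandHelmetOptions(options.helmet);
    const middleware = (req, res, next) => {
        res.setHeader("Permissions-Policy", ppHeader);
        next();
    };
    middleware.helmetOptions = helmetOptions;
    return middleware;
}
```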
# Need help or missing a feature?
Feel free to contact me via [xl9jthv_7bvgakv9o9wg0jabn2ylm91xxrzzgt0e@y.gy](mailto:xl9jthv_7bvgakv9o9wg0jabn2ylm91xxrzzgt0e@y.gy) in English or German.