hood
It’s dangerous on the internet, use some security headers. No, really. If you’re making a webapp, you need some of them lovely headers. Headers such as CSP, HSTS, X-Frame-Options. I previously implemented these in our Gmail Bridge, and then needed them again in another app. Copy over the headers code? Nonsense! That’s what libraries are for.
hood
You can use hood without any configuration, and it will use sane defaults that most apps will want to enforce security-wise. You can also pass options to `hood(options)` to configure parts to be different than default, or you can use each header individually, such as `hood.csp()`.
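To make concrete what a middleware like this actually emits, here is an added, self-contained example (not hood's own source; the option names `csp`, `hsts`, `xframe` and `nosniff` and the default values are assumptions chosen to mirror the middleware names listed below). It builds the four response headers from an options object, falls back to conservative defaults when none are given, and exposes a small `headersFor()` helper so the output can be inspected without a running server:

```javascript
// Added example: a minimal middleware that sets the same four headers hood
// bundles (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).
// Not hood's code; option names and defaults below are assumptions.

const DEFAULTS = {
  // Only allow resources from our own origin unless told otherwise.
  csp: { "default-src": ["'self'"] },
  // 180 days, applied to subdomains too.
  hsts: { maxAge: 15552000, includeSubDomains: true },
  // Refuse to be framed at all (clickjacking defence).
  xframe: "DENY",
  // Stop browsers MIME-sniffing responses into executable types.
  nosniff: true,
};

// Turn { "default-src": ["'self'"], "img-src": "data:" } into
// "default-src 'self'; img-src data:". Values may be a string or an array.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${[].concat(sources).join(" ")}`)
    .join("; ");
}

// Turn { maxAge, includeSubDomains } into the Strict-Transport-Security value.
function buildHsts({ maxAge, includeSubDomains }) {
  let value = `max-age=${maxAge}`;
  if (includeSubDomains) value += "; includeSubDomains";
  return value;
}

// Connect/Express-style middleware factory: securityHeaders(options) returns
// a (req, res, next) function. Passing `false` for a key disables that header.
function securityHeaders(options = {}) {
  const opts = { ...DEFAULTS, ...options };
  return function (req, res, next) {
    if (opts.csp) res.setHeader("Content-Security-Policy", buildCsp(opts.csp));
    if (opts.hsts) res.setHeader("Strict-Transport-Security", buildHsts(opts.hsts));
    if (opts.xframe) res.setHeader("X-Frame-Options", opts.xframe);
    if (opts.nosniff) res.setHeader("X-Content-Type-Options", "nosniff");
    if (typeof next === "function") next();
  };
}

// Run the middleware against a constructed fake response and return the
// headers it set, so the result can be checked offline.
function headersFor(options) {
  const headers = {};
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  securityHeaders(options)({}, res, () => {});
  return headers;
}

// Usage with a real app would look like:
//   app.use(securityHeaders({ csp: { "default-src": "'self'", "img-src": ["'self'", "data:"] } }));

if (typeof module !== "undefined") {
  module.exports = { DEFAULTS, buildCsp, buildHsts, securityHeaders, headersFor };
}
```

The important design choice is that a key set to `false` turns a header off entirely rather than emitting an empty value, and that CSP is written as `Content-Security-Policy` (the standard name), which is the point made about Helmet below.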
Included middlewares:
- csp
- hsts
- xframe
- nosniff
Why didn’t I just use Helmet?
- helmet doesn’t by default use the `Content-Security-Policy` header for its csp middleware, which is now the standard.
- I only expected to set up the middleware once, so needing to do pre-setup for `helmet.csp` by adding and configuring policies felt wrong. `hood.csp` just accepts policy options, so you can use it once and be done.
v0.1.1
Cover your head, v0.1.1.