It’s dangerous on the internet, use some security headers. No, really. If you’re making a webapp, you need some of them lovely headers. Headers such as CSP, HSTS, X-Frame-Options. I previously implemented these in our Gmail Bridge, and then needed them again in another app. Copy over the headers code? Nonsense! That’s what libraries are for.
You can use hood without any configuration, and it will use sane defaults that most apps will want to enforce security-wise. You can also pass options to hood(options) to configure parts to be different than default, or you can use each header individually, such as
Why didn’t I just use Helmet?
- helmet doesn’t by default use the Content-Security-Policy header for its csp middleware, which is now the standard.
- I only expected to set up the middleware once, so needing to do pre-setup for helmet.csp by adding and configuring policies felt wrong. hood.csp just accepts policy options, so you can use it once and be done.
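
The single-call design described above, as an added example that is not hood's code or API: a connect-style middleware that sends the standard Content-Security-Policy header plus HSTS and X-Frame-Options with defaults, and takes policy options directly. The names securityHeaders, buildCsp, headersFor and the default values are assumptions made for this example.

```javascript
// Added example. securityHeaders, buildCsp, headersFor and DEFAULTS are
// hypothetical names and values, not hood's API or hood's defaults.
const DEFAULTS = {
  csp: { 'default-src': ["'self'"] },
  hsts: { maxAge: 15552000, includeSubDomains: true }, // 180 days, in seconds
  xframe: 'DENY',
};

// Serialize { directive: [sources] } into a single header value. Reject
// anything that could smuggle in an extra directive or a second policy.
function buildCsp(policy) {
  return Object.entries(policy).map(([directive, sources]) => {
    if (!/^[a-z][a-z-]*$/.test(directive)) throw new TypeError(`bad directive: ${directive}`);
    const list = [].concat(sources);
    for (const src of list) {
      if (typeof src !== 'string' || !/^[^\s;,]+$/.test(src)) {
        throw new TypeError(`bad source in ${directive}: ${src}`);
      }
    }
    return [directive, ...list].join(' ');
  }).join('; ');
}

// One call returns a connect-style middleware; pass false to drop a header.
function securityHeaders(options = {}) {
  const opts = { ...DEFAULTS, ...options };
  const headers = {};
  if (opts.csp) headers['Content-Security-Policy'] = buildCsp(opts.csp);
  if (opts.hsts) {
    const { maxAge, includeSubDomains } = { ...DEFAULTS.hsts, ...opts.hsts };
    if (!Number.isInteger(maxAge) || maxAge < 0) throw new TypeError('bad maxAge');
    headers['Strict-Transport-Security'] =
      `max-age=${maxAge}` + (includeSubDomains ? '; includeSubDomains' : '');
  }
  if (opts.xframe) headers['X-Frame-Options'] = opts.xframe;
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}

// Run the middleware against a stub response and return the headers it set.
function headersFor(options) {
  const seen = {};
  securityHeaders(options)({}, { setHeader: (n, v) => { seen[n] = v; } }, () => {});
  return seen;
}
```

The policy is validated once, when the middleware is built, so a malformed source list fails at startup instead of producing a weakened header on every response.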
Cover your head, v0.1.1.