Nov 08 2013


It’s dangerous on the internet, use some security headers. No, really. If you’re making a webapp, you need some of them lovely headers. Headers such as CSP, HSTS, X-Frame-Options. I previously implemented these in our Gmail Bridge, and then needed them again in another app. Copy over the headers code? Nonsense! That’s what libraries are for.



You can use hood without any configuration, and it will use sane defaults that most apps will want to enforce security-wise. You can also pass options to hood(options) to configure parts to be different than default, or you can use each header individually, such as hood.csp().

Included middlewares:

  • csp
  • hsts
  • xframe
  • nosniff

Why didn’t I just use Helmet?

  • helmet doesn’t by default use the Content-Security-Policy header for it’s csp middleware, which is now the standard.
  • I only expected to setup the middleware once, so needing to do pre-setup for helmet.csp by adding and configuring policies felt wrong. hood.csp just accepts policy options, so you can use it once and be done.


Cover your head, v0.1.1.

  • #javascript
  • #programming
  • #nodejs
  • #hood
  • #middleware
  • #security
  • #planet