Node.js helmet and swagger-ui

Question

I am using a swagger for API documentation in Node.js. Now I want to use helmet for security, but when I am using helmet, error occur. However, if I place the helmet below the router for swagger, then it works fine, which means helmet do something that makes swagger-ui not be loaded.

Below code is how I used helmet.

var helmet = require('helmet')
app.use(helmet());

Below image is the error from swagger

Fix to allow cors but still got an error.

//allow cors
app.use(function(req, res, next) {
    res.header("Access-Control-Allow-Origin", "*"); // update to match the domain you will make the request from
    res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
    next();
  });
  
// use helmet
var helmet = require('helmet')
app.use(helmet());

score 0 · Answer 1 · answered Feb 21 '21 at 04:15

0

You need to enable CORS , so that it sends the Access-Control-Allow-Origin: * header in responses. CORS stands for cross origin resource sharing. It opens up the content we intend to server to public for universal JavaScript/browser access.

example:

app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "YOUR-DOMAIN.TLD"); // update to match the domain you will make the request from
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
  next();
});

answered Feb 21 '21 at 04:15

GrimReaper07

455
5
13

Thanks!! can you tell me which part of helmet disables the CORS? I could not find it in the documentation – yongseung Feb 21 '21 at 04:26
Check helmet 's contentSecurityPolicy in reference section of their documentation on github. – GrimReaper07 Feb 21 '21 at 05:25
It worked at first in Safari browser, but after refresh the page, it does not work.. – yongseung Feb 23 '21 at 03:43

Node.js helmet and swagger-ui

1 Answers1