Questions tagged [helmet.js]

Helmet is a JavaScript library that helps you secure your Express apps by setting various HTTP headers.

https://www.npmjs.com/package/helmet

129 questions
21
votes
4 answers

Can React Helmet inject a javascript object into tag?

I've a question, I need to inject into the HEAD tag a javascript object, for tag management purposes. This is my Helmet component, but it accepts only specific parameters to set to metadata serverside through rewind() function. Is there a way still…
axel
9
votes
3 answers

CSP error while serving with express (with helmet) an app created with create-react-app

I'm struggling with serving a build created with "create-react-app" using Express with Helmet. I'm getting several errors in the explorer console related to Content Security Policy: csp-errors Of course, it isn't showing the app. I noticed that if a…
8
votes
6 answers

Helmet Express ERR_BLOCKED_BY_RESPONSE.NotSameOrigin 200

Please, I need help. I checked all over Google and did not really get an answer for my issue. I want to use helmet to secure my express server. But when I am using it I get this error: ERR_BLOCKED_BY_RESPONSE.NotSameOrigin 200 for loaded my images…
8
votes
1 answer

Helmet causing MERN app hosted on heroku cause ERROR: Refused to execute inline script because it violates the following

I have hosted my MERN app on Heroku, but whenever I implement helmet in app.js file it's causing this issue. const path = require('path'); const express = require('express'); const morgan = require('morgan'); const cookieParser =…
GrimReaper07
8
votes
8 answers

How to use helmet.js from typescript?

It is pretty easy to use helmet from pure js per documentation: const express = require('express') const helmet = require('helmet') const app = express() app.use(helmet()) But how can I use it from typescript? Typings file exports a bunch of…
eugenekr
7
votes
2 answers

Getting "NotSameOriginAfterDefaultedToSameOriginByCoep" error with Helmet

I'm seeing the following error in my browser console when using Helmet.js: net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep What should I do?
Evan Hahn
7
votes
1 answer

Helmet and contentSecurityPolicy and using nonce AND adding it but still getting error

I am using Helmet.contentSecurityPolicy, and here is the gist of my object: MY SCRIPTS ARE NOT LOADING..... this isn't loaded, but you can see I have it in my trusted items; NOT LOADING: THESE ARE ITEMS LOADED THRU GOOGLETAGMANAGER, BUT I HAVE A NONCE…
james emanon
6
votes
3 answers

How do I set up helmet.js correctly to resolve CSP issue?

When I start my express app the browser gives me this error: Refused to load the script 'http://localhost:1337/main.js' because it violates the following Content Security Policy directive: "script-src unsafe-eval". Note that 'script-src-elem' was…
5
votes
4 answers

How to enable and disable upgradeInsecureRequests csp directive using Helmet 4.4.1 version node.js module

I have tried this using Helmet 4.4.1 version both of them below sets to true for upgrade-insecure-requests CSP upgradeInsecureRequests: [] and upgradeInsecureRequests: ['true'] Which of the above format is correct to use?
5
votes
1 answer

Helmet CSP not working correctly?

Using Vue SPA distributed by Express. this is my helmet code in express app.use(helmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"], styleSrc: ["'self'","'unsafe-inline'" ,'unpkg.com', 'cdn.jsdelivr.net', …
4
votes
2 answers

What is the difference between Helmet and CORS packages node.js

I'm using Helmet and CORS packages in my node.js application. But I don't know what's the difference between both packages and the performance impact on the application. Also, by using these packages, will it secure my node.js application or adds…
Kamal Silva
4
votes
2 answers

Helmet: How to allow images to load from different domain (Err: NotSameOriginAfterDefaultedToSameOriginByCoep)

I am using helmet to set CSP headers. I am using React on the frontend. I store my images on a subdomain (assets.mydomain.com). For some reason I get the following error message: ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep…
Reinier68
4
votes
3 answers

What modules of Helmet should I use in my REST Api

Question: Which Helmet modules should be used for a REST API? Background: I am building a Node/Express REST API and keep seeing Helmet pop up as a security middleware I should be using. Looking at Helmet's documentation it looks like some of the…
EchoNano
3
votes
1 answer

Node.js helmet and swagger-ui

I am using swagger for API documentation in Node.js. Now I want to use helmet for security, but when I am using helmet, an error occurs. However, if I place the helmet below the router for swagger, then it works fine, which means helmet does something…
yongseung
3
votes
1 answer

Why is x-powered-by header showing after installing Express helmet?

I have an Express server running on port 8080 using webpack. I installed helmet as described in the package docs const express = require('express') const helmet = require('helmet') const app = express() app.use(helmet()) Yet when I npm start I…
Locokiter