shelf_helmet library

Shelf middleware that sets HTTP response headers to help secure your app, a port of Helmet for Dart. Use helmet() to apply the defaults in one step, or compose the individual middlewares listed below; every one of them is an ordinary shelf Middleware.

Classes

ContentSecurityPolicyOptions
Options for the Content Security Policy middleware.
HelmetOptions
Options for the helmet middleware. Set any option whose name begins with enable to false to omit the corresponding header.
StrictTransportSecurityOptions
Options for the strictTransportSecurity middleware.

Enums

CrossOriginEmbedderPolicyOptions
CrossOriginOpenerPolicyOptions
CrossOriginResourcePolicyOptions
PermittedPolicies
The X-Permitted-Cross-Domain-Policies HTTP header controls Adobe Flash Player and Adobe Acrobat's behavior when loading content from other domains.
ReferrerPolicyToken
The tokens that can be set as values of the Referrer-Policy header.
XFrameOptions

Extensions

CSPExtensions on String

Functions

contentSecurityPolicy({ContentSecurityPolicyOptions options = const ContentSecurityPolicyOptions.useDefaults()}) → Middleware
Content Security Policy (CSP) helps prevent unwanted content from being injected/loaded into your webpages. This can mitigate cross-site scripting (XSS) vulnerabilities, clickjacking, formjacking, malicious frames, unwanted trackers, and other web client-side attacks. If you want to learn how CSP works, check out the fantastic HTML5 Rocks guide, the Content Security Policy Reference, and the Content Security Policy specification.
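The following is an added example, not code from the shelf_helmet package: it builds a policy in the shape of this library's Directive typedef (Map<String, List<String>?>, where a null value stands for a valueless directive such as upgrade-insecure-requests), serialises it with its own small serialiser (the output format of the library's getHeaderValue is not documented on this page, so it is not used here), and lints it for the settings that most often make a CSP useless against XSS. It also shows a per-response nonce, which a static ContentSecurityPolicyOptions.useDefaults() policy cannot supply by itself.

```dart
// Added example (not part of shelf_helmet). Plain Dart, no package needed.
import 'dart:convert';
import 'dart:math';

/// Same shape as the library's Directive typedef.
typedef Directive = Map<String, List<String>?>;

/// Serialise a Directive map to a Content-Security-Policy header value.
/// A null or empty value list emits a valueless directive.
String serializeCsp(Directive directives) {
  final parts = <String>[];
  directives.forEach((name, values) {
    parts.add(values == null || values.isEmpty
        ? name
        : '$name ${values.join(' ')}');
  });
  return parts.join('; ');
}

/// A fresh, unguessable nonce for 'nonce-...' sources. Must be generated
/// per response; reusing one across responses defeats its purpose.
String freshNonce() {
  final rng = Random.secure();
  final bytes = List<int>.generate(16, (_) => rng.nextInt(256));
  return base64Url.encode(bytes);
}

/// Flag settings that make the policy ineffective against injected script.
/// Returns human-readable findings; an empty list means nothing was flagged.
List<String> lintCsp(Directive d) {
  final findings = <String>[];
  // script-src falls back to default-src when absent.
  final script = d['script-src'] ?? d['default-src'];
  if (script == null) {
    findings.add('no script-src or default-src: scripts from any origin run');
  } else {
    // Scheme sources and wildcards allow attacker-controlled hosts;
    // 'unsafe-inline' allows exactly the injected <script> that CSP exists to stop.
    for (final weak in ["'unsafe-inline'", "'unsafe-eval'", '*', 'http:', 'https:', 'data:']) {
      if (script.contains(weak)) findings.add('script-src allows $weak');
    }
  }
  // object-src also falls back to default-src; plugins can execute script.
  final obj = d['object-src'] ?? d['default-src'];
  if (obj == null || !obj.contains("'none'")) {
    findings.add("object-src is not 'none'");
  }
  // base-uri has no fallback: an injected <base> rewrites relative script URLs.
  if (!d.containsKey('base-uri')) findings.add('base-uri is missing');
  return findings;
}

void main() {
  // Constructed sample: a policy that looks restrictive but is not.
  final weak = <String, List<String>?>{
    'default-src': ["'self'"],
    'script-src': ["'self'", "'unsafe-inline'", 'https:'],
  };
  print(serializeCsp(weak));
  for (final f in lintCsp(weak)) print('  weak: $f');

  // Hardened variant: nonce-gated scripts, no plugins, pinned base URI,
  // clickjacking covered by frame-ancestors, mixed content upgraded.
  final nonce = freshNonce();
  final hardened = <String, List<String>?>{
    'default-src': ["'self'"],
    'script-src': ["'self'", "'nonce-$nonce'"],
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
    'frame-ancestors': ["'none'"],
    'upgrade-insecure-requests': null,
  };
  print(serializeCsp(hardened));
  print('  hardened findings: ${lintCsp(hardened)}');
}
```

The weak policy produces findings for 'unsafe-inline', https:, object-src and base-uri; the hardened one produces none. Because the nonce changes per response, a policy like the hardened one has to be built inside the handler (and the same nonce placed on each <script nonce="..."> tag) rather than configured once at startup.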
crossOriginEmbedderPolicy({CrossOriginEmbedderPolicyOptions policy = CrossOriginEmbedderPolicyOptions.requireCorp}) → Middleware
Sets the Cross-Origin-Embedder-Policy header, to require-corp by default. See MDN's article on this header for more.
crossOriginOpenerPolicy({CrossOriginOpenerPolicyOptions policy = CrossOriginOpenerPolicyOptions.sameOrigin}) → Middleware
Sets the Cross-Origin-Opener-Policy header, to same-origin by default. For more, see MDN's article on this header.
crossOriginResourcePolicy({CrossOriginResourcePolicyOptions policy = CrossOriginResourcePolicyOptions.sameOrigin}) → Middleware
This middleware sets the Cross-Origin-Resource-Policy header. Read about it in the spec.
getHeaderValue(Directive normalizedDirectives) → String
helmet({HelmetOptions options = const HelmetOptions()}) → Middleware
Helmet middleware for Dart. This middleware sets various HTTP headers to help secure your app.
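An added example, not code from the shelf_helmet package, showing how the middleware is wired into a shelf app and how to check in-process which of the headers documented on this page a response actually carries. It assumes a pubspec.yaml that depends on shelf and shelf_helmet. Which headers helmet()'s default HelmetOptions emit is not enumerated on this page, so the check reports what is absent instead of asserting a fixed set. The second builder uses only enum values that appear on this page.

```dart
// Added example (not from the shelf_helmet package). Assumes pubspec.yaml
// lists shelf and shelf_helmet as dependencies.
import 'dart:io';

import 'package:shelf/shelf.dart';
import 'package:shelf/shelf_io.dart' as io;
import 'package:shelf_helmet/shelf_helmet.dart';

/// Application handler; nothing security-related happens here.
Response hello(Request request) =>
    Response.ok('hello', headers: {'content-type': 'text/plain'});

/// All-in-one: helmet() with its default HelmetOptions.
Handler buildHandler() => const Pipeline()
    .addMiddleware(logRequests())
    .addMiddleware(helmet())
    .addHandler(hello);

/// Same idea, picking individual middlewares instead. Each one on this page
/// is a plain shelf Middleware, so they compose like any other.
Handler buildCustomHandler() => const Pipeline()
    .addMiddleware(xFrameOptions(xFrameOption: XFrameOptions.sameorigin))
    .addMiddleware(referrerPolicy(policies: [ReferrerPolicyToken.noReferrer]))
    .addMiddleware(crossOriginResourcePolicy(
        policy: CrossOriginResourcePolicyOptions.sameOrigin))
    .addMiddleware(
        xPermittedCrossDomainPolicies(permittedPolicy: PermittedPolicies.none))
    .addMiddleware(xContentTypeOptions())
    .addMiddleware(xXssProtection())
    .addHandler(hello);

/// Response headers this page documents middleware for. Which of them the
/// defaults emit is governed by HelmetOptions, so the check below reports
/// rather than assumes.
const securityHeaders = [
  'content-security-policy',
  'cross-origin-embedder-policy',
  'cross-origin-opener-policy',
  'cross-origin-resource-policy',
  'origin-agent-cluster',
  'referrer-policy',
  'strict-transport-security',
  'x-content-type-options',
  'x-dns-prefetch-control',
  'x-download-options',
  'x-frame-options',
  'x-permitted-cross-domain-policies',
  'x-xss-protection',
];

/// Call the handler directly with a constructed Request (no socket) and
/// return the documented headers that are absent from the response.
Future<List<String>> missingSecurityHeaders(Handler handler) async {
  final request = Request('GET', Uri.parse('https://localhost/'));
  final response = await handler(request);
  final present = response.headers.keys.map((k) => k.toLowerCase()).toSet();
  return securityHeaders.where((h) => !present.contains(h)).toList();
}

Future<void> main() async {
  final handler = buildHandler();
  final missing = await missingSecurityHeaders(handler);
  print(missing.isEmpty
      ? 'all documented security headers present'
      : 'not set by the defaults: ${missing.join(', ')}');

  final server = await io.serve(handler, InternetAddress.loopbackIPv4, 8080);
  print('listening on http://${server.address.host}:${server.port}');
}
```

The same in-process check is a convenient unit test: build the handler once, call it with a constructed Request, and assert on response.headers, so a later change to HelmetOptions that silently drops a header is caught before deployment.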
originAgentCluster() → Middleware
Sets the Origin-Agent-Cluster header, which provides a mechanism to allow web applications to isolate their origins. Read more about it in the spec.
referrerPolicy({List<ReferrerPolicyToken> policies = const [ReferrerPolicyToken.noReferrer]}) → Middleware
The Referer HTTP header is typically set by web browsers to tell the server where the request is coming from. For example, if you click a link on example.com/index.html that takes you to wikipedia.org, Wikipedia's servers will by default see Referer: https://example.com/index.html. This has privacy implications: websites can see where you are coming from, including the path you were on. The Referrer-Policy HTTP header lets authors control how browsers set the Referer header. When several tokens are supplied, they are sent as a comma-separated list and browsers use the last token they recognise, so list the fallback first and the preferred, newer token last.
strictTransportSecurity({StrictTransportSecurityOptions options = const StrictTransportSecurityOptions()}) → Middleware
This middleware adds the Strict-Transport-Security header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". (See the spec for more.) Note that the header won't tell users on HTTP to switch to HTTPS, it will just tell HTTPS users to stick around; browsers ignore the header entirely when it arrives over plain HTTP. You can enforce HTTPS with the shelf-enforces-ssl package.
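An added example, not code from the shelf_helmet package, of the two halves the paragraph above separates: redirecting plain-HTTP clients to HTTPS (the job it delegates to shelf-enforces-ssl) and only then applying strictTransportSecurity(), so the HSTS header is emitted where browsers will honour it. It assumes a pubspec.yaml depending on shelf and shelf_helmet, that HTTPS is served on 443, and that any X-Forwarded-Proto header comes from a trusted TLS-terminating proxy that overwrites client-supplied copies; the probe() check and its two requests are constructed for the example.

```dart
// Added example (not from the shelf_helmet package). Assumes pubspec.yaml
// lists shelf and shelf_helmet as dependencies.
import 'package:shelf/shelf.dart';
import 'package:shelf_helmet/shelf_helmet.dart';

/// Redirects non-HTTPS requests to the same URL over HTTPS and wraps the
/// remaining (HTTPS) requests with strictTransportSecurity(). HSTS is
/// deliberately not sent on the redirect: browsers discard it over HTTP.
Middleware httpsOnly({
  StrictTransportSecurityOptions options = const StrictTransportSecurityOptions(),
}) {
  final hsts = strictTransportSecurity(options: options);
  return (Handler inner) {
    final secured = hsts(inner);
    return (Request request) {
      // Behind a TLS-terminating proxy the app sees http://; trust the
      // proxy's X-Forwarded-Proto only if the proxy is known to set it.
      final scheme = (request.headers['x-forwarded-proto'] ??
              request.requestedUri.scheme)
          .toLowerCase();
      if (scheme != 'https') {
        // Assumes HTTPS on the default port; Dart omits :443 for https.
        final target = request.requestedUri.replace(scheme: 'https', port: 443);
        return Response.movedPermanently(target.toString());
      }
      return secured(request);
    };
  };
}

/// In-process check with two constructed requests: the HTTP one must be
/// redirected without HSTS, the HTTPS one must carry the header.
Future<Map<String, String?>> probe() async {
  final handler = const Pipeline()
      .addMiddleware(httpsOnly())
      .addHandler((_) => Response.ok('ok'));

  final plain = await handler(Request('GET', Uri.parse('http://example.test/login')));
  final tls = await handler(Request('GET', Uri.parse('https://example.test/login')));

  return {
    'http status': '${plain.statusCode}',
    'http location': plain.headers['location'],
    'http hsts': plain.headers['strict-transport-security'],
    'https hsts': tls.headers['strict-transport-security'],
  };
}

Future<void> main() async {
  final result = await probe();
  result.forEach((k, v) => print('$k: $v'));
}
```

For the HTTP request the probe reports status 301, a Location of https://example.test/login and no HSTS header; for the HTTPS request it reports whatever Strict-Transport-Security value the configured StrictTransportSecurityOptions produce. Before enabling includeSubDomains or preload in those options, confirm every subdomain is already reachable over HTTPS, because browsers cache the directive for the full max-age.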
xContentTypeOptions() → Middleware
This middleware sets X-Content-Type-Options to nosniff. Some browsers will try to "sniff" MIME types. For example, if my server serves file.txt with a text/plain content-type, some browsers can still run that file with <script src="file.txt"></script>. Many browsers will allow file.js to be run even if the content-type isn't for JavaScript. Browsers' same-origin policies generally prevent remote resources from being loaded dangerously, but vulnerabilities in web browsers can cause this to be abused. Some browsers, like Chrome, will further isolate memory if the X-Content-Type-Options header is seen.
xDnsPrefetchControl({bool allow = false}) → Middleware
This middleware lets you set the X-DNS-Prefetch-Control to control browsers' DNS prefetching. Read more about it on MDN and on Chromium's docs.
xDownloadOptions() → Middleware
This middleware sets the X-Download-Options header to noopen to prevent Internet Explorer users from executing downloads in your site's context.
xFrameOptions({XFrameOptions xFrameOption = XFrameOptions.sameorigin}) → Middleware
The X-Frame-Options HTTP header restricts who can put your site in a frame, which can help mitigate things like clickjacking attacks. The header has two modes: DENY and SAMEORIGIN. Browsers that support the CSP frame-ancestors directive give it precedence over this header, so set both when you also send a Content Security Policy.
xPermittedCrossDomainPolicies({PermittedPolicies permittedPolicy = PermittedPolicies.none}) → Middleware
The X-Permitted-Cross-Domain-Policies header tells some web clients (like Adobe Flash or Adobe Acrobat) your domain's policy for loading cross-domain content. See the description on OWASP for more.
xXssProtection() → Middleware
The X-XSS-Protection HTTP header aimed to offer basic protection against cross-site scripting (XSS) attacks by enabling a browser-side XSS filter. Those filters could themselves be abused (for example, to leak information about a page) and have been removed from major browsers, so you should disable the header, which is what this middleware does by setting it to 0.

Typedefs

Directive = Map<String, List<String>?>