frameguard

Middleware to set X-Frame-Options headers

3.1.0  •  Published 7 months ago  •  by helmetjs  •  MIT License

Frameguard

The X-Frame-Options HTTP header restricts who can put your site in a frame, which can help mitigate things like clickjacking attacks. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM. The middleware defaults to SAMEORIGIN. If your app does not need to be framed (and most don't), you can use DENY. If your site can be in frames from the same origin, you can set it to SAMEORIGIN. If you want to allow framing from a specific URL, you can do that with ALLOW-FROM and a URL.

Usage:

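const express = require('express')
const frameguard = require('frameguard')

// The calls below assume an Express app; pick the one action you need.
const app = express()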

// Don't allow me to be in ANY frames:
app.use(frameguard({ action: 'deny' }))

// Only let me be framed by people of the same origin:
app.use(frameguard({ action: 'sameorigin' }))
app.use(frameguard())  // defaults to sameorigin

// Allow from a specific host:
app.use(frameguard({
  action: 'allow-from',
  domain: 'https://example.com'
}))

The header has pretty good (but not 100%) browser support: IE8+, Opera 10.50+, Safari 4+, Chrome 4.1+, and Firefox 3.6.9+. The ALLOW-FROM option is not supported in Chrome or Safari. Those browsers will ignore the entire header, and the frame will be displayed, so you probably want to avoid using that option.
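
An added example, not part of the frameguard README or the helmetjs code: a check that classifies the X-Frame-Options value on a response and flags ALLOW-FROM, which the paragraph above says Chrome and Safari ignore. The function names (auditFrameOptions, findWeakResponses) and the sample responses are constructed for illustration.

```javascript
// Added example (not frameguard's code): audit the X-Frame-Options value a
// response carries. Names and sample data below are constructed.
function auditFrameOptions (headers) {
  // HTTP header names are case-insensitive, so match on the lowercased name.
  const name = Object.keys(headers).find(k => k.toLowerCase() === 'x-frame-options')
  if (name === undefined) {
    return { mode: null, ok: false, reason: 'no X-Frame-Options header set' }
  }

  const raw = String(headers[name]).trim()
  const upper = raw.toUpperCase()
  if (upper === 'DENY') return { mode: 'DENY', ok: true, reason: 'no framing allowed' }
  if (upper === 'SAMEORIGIN') return { mode: 'SAMEORIGIN', ok: true, reason: 'same origin only' }

  // ALLOW-FROM takes exactly one URL after the keyword.
  const match = /^ALLOW-FROM\s+(\S+)$/i.exec(raw)
  if (match) {
    return {
      mode: 'ALLOW-FROM',
      ok: false,
      domain: match[1],
      reason: 'Chrome and Safari ignore the whole header and display the frame'
    }
  }
  return { mode: null, ok: false, reason: 'unrecognised value: ' + raw }
}

// Return the paths whose framing policy should be reviewed.
function findWeakResponses (responses) {
  return responses
    .filter(r => !auditFrameOptions(r.headers).ok)
    .map(r => r.path)
}

// Constructed sample responses, as a test suite might collect them.
const sampleResponses = [
  { path: '/login', headers: { 'X-Frame-Options': 'DENY' } },
  { path: '/account', headers: { 'x-frame-options': 'sameorigin' } },
  { path: '/widget', headers: { 'X-Frame-Options': 'ALLOW-FROM https://example.com' } },
  { path: '/legacy', headers: { 'Content-Type': 'text/html' } },
  { path: '/typo', headers: { 'X-Frame-Options': 'SAME-ORIGIN' } }
]

console.log(findWeakResponses(sampleResponses))
```
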

Popularity

Weekly Downloads
622.2K
Stars
70

Maintenance

Development

Last ver 7 months ago
Created 5 years ago
Last commit 3 months ago
25 days between commits

Technology

Node version: 11.14.0
6.7K unpacked

Compliance

MIT License
OSI Approved
0 vulnerabilities

Contributors

5 contributors
Evan Hahn
Maintainer, 66 commits, 6 merges, 2 PRs
Works at Airtable
Eli Golding
3 commits, 1 PRs
Works at Tangoe
Alberto Gimeno
1 commits, 1 PRs
Works at GitHub
dependabot[bot]
1 commits
Charlie Briggs
1 commits
Adam Baldwin
Maintainer
Works at npm

Tags

helmet
security
express
connect
x-frame-options
clickjack
frame
© 2019 Devstore, Inc.