Security headers plugin for Kori framework
Security headers plugin for Kori framework that adds common security headers to HTTP responses.

Install with npm:

```bash
npm install @korix/security-headers-plugin
```

or with pnpm:

```bash
pnpm add @korix/security-headers-plugin
```
Basic usage, with the default header set applied to every response:

```typescript
import { createKori } from '@korix/kori';
import { securityHeadersPlugin } from '@korix/security-headers-plugin';

const app = createKori()
  .applyPlugin(securityHeadersPlugin())
  .get('/api/users', (ctx) => {
    return ctx.res.json({ users: [] });
  });
```
Configuration, overriding individual headers, adding custom ones and skipping paths:

```typescript
import { createKori } from '@korix/kori';
import { securityHeadersPlugin } from '@korix/security-headers-plugin';

const app = createKori()
  .applyPlugin(
    securityHeadersPlugin({
      // Allow framing by same-origin pages only (default is 'deny').
      frameOptions: 'sameorigin',
      // 'unsafe-inline' in script-src weakens CSP's XSS protection; drop it
      // once inline scripts are moved to files or carry a nonce/hash.
      contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'",
      // Two-year HSTS with preload; only submit to the preload list once every
      // subdomain is served over HTTPS, because preload is hard to undo.
      strictTransportSecurity: 'max-age=63072000; includeSubDomains; preload',
      customHeaders: {
        'X-Custom-Header': 'custom-value',
      },
      // Paths (string or RegExp) for which the plugin adds no headers.
      skipPaths: ['/public', /^\/assets/],
    }),
  )
  .get('/api/data', (ctx) => {
    return ctx.res.json({ data: 'secure' });
  });
```
The plugin sets the following headers by default:

- x-frame-options: deny
- x-content-type-options: nosniff
- x-xss-protection: 0 (explicitly disabled; this header is deprecated and can introduce vulnerabilities, see below)
- strict-transport-security: max-age=31536000; includeSubDomains
- referrer-policy: strict-origin-when-cross-origin
- x-permitted-cross-domain-policies: none
- x-download-options: noopen

Additional headers can be enabled through configuration. Note that browsers only honour strict-transport-security on responses delivered over HTTPS, so the HSTS default has no effect on plain-HTTP deployments.
The x-xss-protection header is deprecated and modern browsers (Chrome, Edge, Firefox) have removed support for it. When enabled (xssProtection: true), this plugin sets the header to 0 to explicitly disable the legacy XSS auditor in older browsers; the auditor itself was abused for cross-site information leaks and for selectively blocking legitimate scripts, so turning it off is safer than leaving it on.

Recommendation: use Content Security Policy (CSP) instead for modern XSS protection:
```typescript
securityHeadersPlugin({
  contentSecurityPolicy: "default-src 'self'; script-src 'self'",
  xssProtection: true, // Sets X-XSS-Protection: 0
});
```
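After deploying the plugin it is worth checking what a real response actually carries, because a reverse proxy or a `skipPaths` match can silently drop headers. The following is an added example written for this README, not code from @korix/security-headers-plugin: it audits a plain header map (assumed to come from your own fetch or test client) against the defaults documented above, and flags CSP script sources such as `'unsafe-inline'` that defeat the XSS protection the README recommends CSP for. The sample response headers are constructed for the example.

```typescript
// Added example for this page: audit a response's headers against the
// documented defaults and flag weak CSP script sources. Illustrative code
// written for this README, not part of @korix/security-headers-plugin; it
// talks to no server, callers pass in a plain header map (assumption).

export type HeaderMap = Record<string, string | undefined>;

export interface Finding {
  header: string;
  expected: string;
  actual: string | undefined;
}

// Defaults as listed in this README (names are matched case-insensitively).
export const EXPECTED_DEFAULTS: Readonly<Record<string, string>> = {
  'x-frame-options': 'deny',
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '0',
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'x-permitted-cross-domain-policies': 'none',
  'x-download-options': 'noopen',
};

// Lower-cases names and trims values so raw header objects compare reliably.
function normalize(headers: HeaderMap): Map<string, string> {
  const out = new Map<string, string>();
  for (const [name, value] of Object.entries(headers)) {
    if (value !== undefined) out.set(name.toLowerCase(), value.trim());
  }
  return out;
}

// One Finding per expected header that is missing or carries a different
// value. Pass your own expectations when you override defaults in the
// plugin config (for example frameOptions: 'sameorigin').
export function auditHeaders(
  headers: HeaderMap,
  expected: Readonly<Record<string, string>> = EXPECTED_DEFAULTS,
): Finding[] {
  const got = normalize(headers);
  const findings: Finding[] = [];
  for (const [name, want] of Object.entries(expected)) {
    const actual = got.get(name.toLowerCase());
    if (actual === undefined || actual.toLowerCase() !== want.toLowerCase()) {
      findings.push({ header: name, expected: want, actual });
    }
  }
  return findings;
}

// Splits a CSP string into directive -> source list.
export function parseCsp(policy: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    const name = tokens.shift();
    if (!name) continue;
    directives.set(name.toLowerCase(), tokens);
  }
  return directives;
}

// Script sources that let injected markup execute: 'unsafe-inline',
// 'unsafe-eval', a bare wildcard or data: URLs. Falls back to default-src
// when script-src is absent, as browsers do. A nonce or hash source makes
// CSP Level 2+ browsers ignore 'unsafe-inline', so it is not reported then.
export function weakScriptSources(policy: string): string[] {
  const d = parseCsp(policy);
  const sources = (d.get('script-src') ?? d.get('default-src') ?? []).map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const weak = new Set(["'unsafe-eval'", '*', 'data:']);
  if (!hasNonceOrHash) weak.add("'unsafe-inline'");
  return sources.filter((s) => weak.has(s));
}

// Constructed sample: a response that overrode x-frame-options, never emitted
// x-download-options, and carries the README's example CSP.
export const SAMPLE_RESPONSE_HEADERS: HeaderMap = {
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'X-XSS-Protection': '0',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'X-Permitted-Cross-Domain-Policies': 'none',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
};

export function runAudit(headers: HeaderMap): { findings: Finding[]; weakCsp: string[] } {
  const csp = normalize(headers).get('content-security-policy');
  return {
    findings: auditHeaders(headers),
    weakCsp: csp === undefined ? ['<missing content-security-policy>'] : weakScriptSources(csp),
  };
}

console.log(JSON.stringify(runAudit(SAMPLE_RESPONSE_HEADERS), null, 2));
```

Run it against headers captured from a staging deployment (for example the `headers` of a `fetch` response converted to an object) for each route class, including one that matches `skipPaths`, so that an intentionally skipped path and an accidentally stripped header are not confused.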
License: MIT