securityHeaders
securityHeaders: (options?) => Function
Defined in: http/security-headers.js:58
Creates a security headers middleware that returns pre-computed header tuples.
Pass false for any header to omit it entirely. Pass a string to override
the default value.
Parameters
options?
Security header configuration
contentSecurityPolicy?
string | false
Content-Security-Policy header
permissionsPolicy?
string
Permissions-Policy header (omitted by default)
referrerPolicy?
string | false
Referrer-Policy header
strictTransportSecurity?
string | false
Strict-Transport-Security header.
Defaults to false because this middleware has no request context to verify the connection
is HTTPS, and HSTS MUST only be sent over secure transport (RFC 6797 §7.2). Enable explicitly
when the app is known to be behind HTTPS, or use ergo-router’s transport layer which performs
the HTTPS check automatically.
xContentTypeOptions?
string | false
X-Content-Type-Options header
xFrameOptions?
string | false
X-Frame-Options header
xXssProtection?
string | false
X-XSS-Protection header (0 disables the browser filter)
Returns
Function
- Ergo middleware
() => Array<[string, string]>
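The option semantics above (false omits a header, a string overrides it, HSTS is off unless the connection is known to be HTTPS), modelled as an added example; this is not the library's code. The function names, the default header values and the `trustProxy` flag are assumptions made for illustration, and `req` is a Node-style request object.

```javascript
// Illustrative stand-in for the documented semantics; NOT the library's code.
// The default values below are assumptions chosen for this example.
const ASSUMED_DEFAULTS = {
  contentSecurityPolicy: ["Content-Security-Policy", "default-src 'self'"],
  permissionsPolicy: ["Permissions-Policy", false], // omitted by default
  referrerPolicy: ["Referrer-Policy", "no-referrer"],
  strictTransportSecurity: ["Strict-Transport-Security", false], // off by default
  xContentTypeOptions: ["X-Content-Type-Options", "nosniff"],
  xFrameOptions: ["X-Frame-Options", "DENY"],
  xXssProtection: ["X-XSS-Protection", "0"],
};

// Build the tuple list once: false omits a header, a string overrides it.
function precomputeHeaders(options = {}) {
  const tuples = [];
  for (const [key, [name, fallback]] of Object.entries(ASSUMED_DEFAULTS)) {
    const value = key in options ? options[key] : fallback;
    if (value === false || value === undefined) continue;
    if (typeof value !== "string") throw new TypeError(`${key} must be a string or false`);
    // Reject CR/LF so a configured value cannot split the response headers.
    if (/[\r\n]/.test(value)) throw new TypeError(`${key} contains a line break`);
    tuples.push([name, value]);
  }
  return Object.freeze(tuples);
}

// The request-aware check a static tuple list cannot perform.
// X-Forwarded-Proto is honoured only when the caller declares a trusted proxy.
function isSecureRequest(req, { trustProxy = false } = {}) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  const raw = (req.headers || {})["x-forwarded-proto"] || "";
  return String(raw).split(",")[0].trim().toLowerCase() === "https";
}

// Append HSTS per request, and only when the request arrived over HTTPS.
function headersForRequest(baseTuples, req, hstsValue, opts) {
  const rest = baseTuples.filter(([n]) => n.toLowerCase() !== "strict-transport-security");
  return isSecureRequest(req, opts)
    ? [...rest, ["Strict-Transport-Security", hstsValue]]
    : rest;
}
```

Without `trustProxy`, a client-supplied `X-Forwarded-Proto: https` on a plain HTTP connection does not cause HSTS to be emitted.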