This add-on attaches headers that opt-in to stricter browser security policies. These policies are very restrictive and some are scoped to the entire domain. As such, it's important that this middleware is only used under these circumstances:
-
The app's domain does not mix HTTP and HTTPS.
-
The response is an API response, i.e. it is not being directly rendered by the browser.
-
The responses have an accurate
Content-Typeheader.
If the above conditions are not met then the app should send customised security headers tailored to its use case. koa-helmet provides a set of fine-grained middleware useful for constructing custom security headers.
import { SecureHeaders } from 'seek-koala';
// Opt-in to strict browser security
app.use(SecureHeaders.middleware);