aayant-mend / NodeGoat

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
Apache License 2.0

Update dependency helmet to v3 - autoclosed #75

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 1 year ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [helmet](https://togithub.com/helmetjs/helmet) (source) | dependencies | major | `^2.0.0` -> `^3.0.0` |

By merging this PR, the issue #62 will be automatically resolved and closed:

| Severity | CVSS Score | CVE |
|---|---|---|
| High | High 7.5 | CVE-2017-20165 |

Release Notes

helmetjs/helmet

### [`v3.8.2`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​382---2017-09-27)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.8.1...v3.8.2)

##### Changed
- Updated `connect` dependency to latest

### [`v3.8.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​381---2017-07-28)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.8.0...v3.8.1)

##### Fixed
- `csp` does not automatically set `report-to` when setting `report-uri`

### [`v3.8.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​380---2017-07-21)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.7.0...v3.8.0)

##### Changed
- `hsts` no longer cares whether it's HTTPS and always sets the header

### [`v3.7.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​370---2017-07-21)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.6.1...v3.7.0)

##### Added
- `csp` now supports `report-to` directive

##### Changed
- Throw an error when used incorrectly
- Add a few documentation files to `npmignore`

### [`v3.6.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​361---2017-05-21)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.6.0...v3.6.1)

##### Changed
- Bump `connect` version

### [`v3.6.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​360---2017-05-04)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.5.0...v3.6.0)

##### Added
- `expectCt` middleware for setting the `Expect-CT` header

### [`v3.5.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​350---2017-03-06)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.4.1...v3.5.0)

##### Added
- `csp` now supports the `worker-src` directive

### [`v3.4.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​341---2017-02-24)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.4.0...v3.4.1)

##### Changed
- Bump `connect` version

### [`v3.4.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​340---2017-01-13)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.3.0...v3.4.0)

##### Added
- `csp` now supports more `sandbox` directives

### [`v3.3.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​330---2016-12-31)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.2.0...v3.3.0)

##### Added
- `referrerPolicy` allows `strict-origin` and `strict-origin-when-cross-origin` directives

##### Changed
- Bump `connect` version

### [`v3.2.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​320---2016-12-22)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.1.0...v3.2.0)

##### Added
- `csp` now allows `manifest-src` directive

### [`v3.1.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​310---2016-11-03)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.0.0...v3.1.0)

##### Added
- `csp` now allows `frame-src` directive

### [`v3.0.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#​300---2016-10-28)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v2.3.0...v3.0.0)

##### Changed
- `csp` will check your directives for common mistakes and throw errors if it finds them. This can be disabled with `loose: true`.
- Empty arrays are no longer allowed in `csp`. For source lists (like `script-src` or `object-src`), use the standard `scriptSrc: ["'none'"]`. The `sandbox` directive can be `sandbox: true` to block everything.
- `false` can disable a CSP directive. For example, `scriptSrc: false` is the same as not specifying it.
- In CSP, `reportOnly: true` no longer requires a `report-uri` to be set.
- `hsts`'s `maxAge` now defaults to 180 days (instead of 1 day)
- `hsts`'s `maxAge` parameter is seconds, not milliseconds
- `hsts` includes subdomains by default
- `domain` parameter in `frameguard` cannot be empty

##### Removed
- `noEtag` option no longer present in `noCache`
- iOS Chrome `connect-src` workaround in CSP module
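Carrying an application's helmet options across this major bump is where the v3.0.0 breaking changes above bite: an `hsts` `maxAge` that was written in milliseconds silently becomes a policy 1000x longer, empty CSP arrays start throwing at startup, and the removed `noEtag` flag is ignored. The following is an added example, not NodeGoat's or helmet's own code; it rewrites a v2-style options object into v3 form, and the v2 input shape and the list of CSP source-list directives it recognises are assumptions of the example.

```javascript
// Added example (not NodeGoat's or helmet's code): migrate a helmet v2-style
// options object to the shape helmet v3 expects, following the v3.0.0
// breaking changes in the release notes. The v2 input shape and the set of
// CSP source-list directives below are assumptions of this example.
const SOURCE_LIST_DIRECTIVES = new Set([
  'defaultSrc', 'scriptSrc', 'styleSrc', 'imgSrc', 'connectSrc', 'fontSrc',
  'objectSrc', 'mediaSrc', 'frameSrc', 'childSrc', 'manifestSrc', 'workerSrc',
]);

function migrateCspDirectives(directives) {
  const out = {};
  for (const [name, value] of Object.entries(directives)) {
    if (Array.isArray(value) && value.length === 0) {
      // v3 rejects empty arrays: a source list that blocks everything is
      // written "'none'", and a bare sandbox becomes `sandbox: true`.
      if (name === 'sandbox') out[name] = true;
      else if (SOURCE_LIST_DIRECTIVES.has(name)) out[name] = ["'none'"];
      else throw new Error(`csp: ${name} cannot be an empty array in helmet v3`);
    } else {
      out[name] = value; // non-empty lists and `false` (directive off) pass through
    }
  }
  return out;
}

function migrateHelmetOptions(v2) {
  const v3 = {};
  if (v2.contentSecurityPolicy) {
    const csp = v2.contentSecurityPolicy;
    v3.contentSecurityPolicy = csp.directives
      ? { ...csp, directives: migrateCspDirectives(csp.directives) }
      : { ...csp };
  }
  if (v2.hsts) {
    const { maxAge, ...rest } = v2.hsts;
    v3.hsts = { ...rest };
    // v2 took maxAge in milliseconds, v3 takes seconds: convert, don't copy.
    if (typeof maxAge === 'number') v3.hsts.maxAge = Math.round(maxAge / 1000);
    // v3 covers subdomains by default; keep the narrower v2 scope explicit.
    if (v3.hsts.includeSubDomains === undefined) v3.hsts.includeSubDomains = false;
  }
  if (v2.frameguard) {
    if (v2.frameguard.action === 'allow-from' && !v2.frameguard.domain) {
      throw new Error('frameguard: allow-from needs a non-empty domain in v3');
    }
    v3.frameguard = { ...v2.frameguard };
  }
  if (v2.noCache) {
    const { noEtag, ...rest } = v2.noCache; // noEtag was removed in v3
    v3.noCache = rest;
  }
  return v3;
}
```

Run the converted object through `helmet()` in a test environment and compare the emitted `Strict-Transport-Security` and `Content-Security-Policy` headers against the v2 deployment before merging.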