frameguard

helmetjs | 566.4k | MIT | 4.0.0 | TypeScript support: included

Middleware to set X-Frame-Options headers

express, security, x-frame-options, clickjack

X-Frame-Options middleware

The X-Frame-Options HTTP header restricts who can put your site in a frame, which can help mitigate things like clickjacking attacks. The header has two modes: DENY and SAMEORIGIN.

This header is superseded by the frame-ancestors Content Security Policy directive but is still useful on old browsers.

If your app does not need to be framed (and most don't) you can use DENY. If your site can be in frames from the same origin, you can set it to SAMEORIGIN.

Usage:

const express = require("express");
const frameguard = require("frameguard");

const app = express();

// Don't allow me to be in ANY frames:
app.use(frameguard({ action: "deny" }));

// Only let me be framed by people of the same origin:
app.use(frameguard({ action: "sameorigin" }));
app.use(frameguard()); // defaults to sameorigin

A legacy action, ALLOW-FROM, is not supported by this middleware. Read more here.
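
An added example (not frameguard's code and not part of its README): a dependency-free middleware that sends the legacy header together with the frame-ancestors directive that supersedes it, and rejects ALLOW-FROM. The names frameHeaders, mockResponse and applyTo are hypothetical, and the mock response is constructed so the block runs without Express.

```javascript
// Added example, not frameguard's source; all names are hypothetical.
// X-Frame-Options mode -> equivalent CSP frame-ancestors source.
const ANCESTORS = new Map([
  ["DENY", "'none'"],
  ["SAMEORIGIN", "'self'"],
]);

// Returns Express/Connect-style middleware: (req, res, next).
function frameHeaders({ action = "sameorigin" } = {}) {
  const mode = String(action).toUpperCase();
  if (mode === "ALLOW-FROM") {
    throw new Error("ALLOW-FROM is not supported; list origins in frame-ancestors");
  }
  if (!ANCESTORS.has(mode)) {
    throw new Error(`action must be "deny" or "sameorigin", got "${action}"`);
  }
  const directive = `frame-ancestors ${ANCESTORS.get(mode)}`;
  return function frameHeadersMiddleware(req, res, next) {
    // Legacy header for browsers without frame-ancestors support.
    res.setHeader("X-Frame-Options", mode);
    // Assumption: a CSP set by earlier middleware is a single string.
    const existing = String(res.getHeader("Content-Security-Policy") || "").trim();
    const names = existing.split(";").map((d) => d.trim().split(/\s+/)[0].toLowerCase());
    // An explicit frame-ancestors set earlier is left alone; otherwise
    // append, so the policy's other directives survive.
    if (!names.includes("frame-ancestors")) {
      const base = existing.replace(/;\s*$/, "");
      res.setHeader("Content-Security-Policy", base ? `${base}; ${directive}` : directive);
    }
    next();
  };
}

// Constructed stand-in for an HTTP response so the block runs offline.
function mockResponse(initial = {}) {
  const headers = new Map(Object.entries(initial));
  return {
    setHeader: (k, v) => headers.set(k, v),
    getHeader: (k) => headers.get(k),
  };
}

// Runs the middleware on a mock response; returns [XFO, CSP].
function applyTo(options, initialHeaders) {
  const res = mockResponse(initialHeaders);
  frameHeaders(options)({}, res, () => {});
  return [res.getHeader("X-Frame-Options"), res.getHeader("Content-Security-Policy")];
}
```

In an Express app this would be mounted with app.use(frameHeaders({ action: "deny" })), after any middleware that sets the rest of the Content-Security-Policy.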

Changelog

4.0.0 - 2020-12-21

Removed

  • Dropped support for the ALLOW-FROM action. Read more here.
  • Dropped support for old Node versions. Node 10+ is now required.

3.1.0 - 2019-05-04

Added

Changed

  • Updated some package metadata
  • Updated some documentation
  • Excluded some files from npm package

Changes in versions 3.0.0 and below can be found in Helmet's changelog.