Information security with HelmetJS #lesson-2

I think there’s an issue with fcc code checking on this problem.
app.use(helmet.frameguard({ action: 'deny' }));
should cover both conditions to pass this test
1. helmet.frameguard() middleware should be mounted correctly
2. helmet.frameguard() 'action' should be set to 'DENY'

However it only passes the second condition. Am I missing something here?

glitch link: https://glitch.com/edit/#!/adventurous-magnificent-astronomy?path=myApp.js%3A43%3A0

Challenge: Mitigate the Risk of Clickjacking with helmet.frameguard()

Link to the challenge:

Heyyy, i sort of got into this problem and i tried both using the helmet as it was and updating it to no avail, the answers provided didnt help. It would be best if you just skipped that.

only the second test passed for me.

This is known issue, and it’s to do with the HelmetJS version:

Like @geraldombuthia said, it’s best to skip these challenges until it’s fixed. If you still want to pass it, you can downgrade your helmet and submit.

Solution

To get these tests to pass, we have to downgrade Helmet to 2.3.0, so in the Glitch Terminal (Tools > Terminal), run:

npm uninstall helmet
npm install helmet@2.3.0
refresh

The, mount helmet’s frameguard() middleware for all routes, with an object specifying the action as ‘deny’:

// We don't need our app to be framed, so you should use `helmet.frameguard()`
// passing to it the configuration object `{action: 'deny'}`
app.use(helmet.frameguard({action: 'deny'}))
3 Likes