Helmet is a middleware for Express applications that helps secure your apps by setting various HTTP headers. It's not a silver bullet, but it can help prevent some well-known web vulnerabilities by setting headers appropriately.
Content Security Policy
Sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "https://trustedscripts.example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
}
}));X-DNS-Prefetch-Control
Controls browser DNS prefetching, which can improve user privacy at the expense of performance.
app.use(helmet.dnsPrefetchControl({ allow: false }));Expect-CT
Sets the Expect-CT header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.
app.use(helmet.expectCt({
enforce: true,
maxAge: 86400
}));X-Frame-Options
Sets the X-Frame-Options header to control whether the browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>.
app.use(helmet.frameguard({ action: 'deny' }));X-Powered-By
Removes the X-Powered-By header to make it slightly harder for attackers to see what potentially vulnerable technology powers your site.
app.use(helmet.hidePoweredBy());Strict-Transport-Security
Sets the Strict-Transport-Security header to enforce secure (HTTP over SSL/TLS) connections to the server.
app.use(helmet.hsts({
maxAge: 15552000,
includeSubDomains: true
}));X-Download-Options
Sets X-Download-Options for IE8+ to prevent others from embedding your site in an iframe.
app.use(helmet.ieNoOpen());X-Content-Type-Options
Sets the X-Content-Type-Options header to prevent browsers from MIME-sniffing a response away from the declared content-type.
app.use(helmet.noSniff());Referrer Policy
Sets the Referrer-Policy header to control what information is sent along with the requests.
app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));X-XSS-Protection
Sets the X-XSS-Protection header to enable the Cross-site scripting (XSS) filter in most recent web browsers.
app.use(helmet.xssFilter());Lusca is another security middleware for Express applications that offers a variety of security features such as CSRF protection, CSP, X-Frame options, and more. It is similar to Helmet but allows for more granular configuration of security policies.
CORS is a package for providing a Connect/Express middleware that can be used to enable CORS (Cross-Origin Resource Sharing) with various options. While Helmet focuses on securing your app from various web vulnerabilities, CORS specifically provides middleware to enable CORS and manage cross-origin requests.
Express / Connect middleware that implement various security headers. [with sane defaults where applicable]
npm install helmet
var helmet = require('helmet');
To use a particular middleware application wide just add it to your app configuration. Make sure it is listed before app.router.
app.configure(function(){
app.use(express.methodOverride());
app.use(express.bodyParser());
app.use(helmet.csp());
app.use(helmet.xframe());
app.use(helmet.contentTypeOptions());
app.use(app.router);
});
Content Security Policy (W3C Draft) <- Pretty much required reading if you want to do anything with CSP
Currently there is CSP support in Firefox and experimental support in Chrome. Both X-Content-Security-Policy and X-WebKit-CSP headers are set by helmet.
There are two different ways to build CSP policies with helmet.
policy() eats a json blob (including the output of it's own toJSON() function) to create a policy. By default helmet has a defaultPolicy that looks like;
Content-Security-Policy: default-src 'self'
To override this and create a new policy you could do something like
policy = {
defaultPolicy: {
'default-src': ["'self'"],
'img-src': ['static.andyet.net','*.cdn.example.com'],
}
}
helmet.csp.policy(policy);
The same thing could be accomplished using add() since the defaultPolicy default-src is already 'self'
helmet.csp.add('img-src', ['static.andyet.net', '*.cdn.example.com']);
CSP can report violations back to a specified URL. You can either set the report-uri using policy() or add() or use the reportTo() helper function.
helmet.csp.reportTo('http://example.com/csp');
draft-ietf-websec-strict-transport-sec-04
This middleware adds the Strict-Transport-Security header to the response
To use the default header of Strict-Transport-Security: maxAge=15768000
helmet.hsts();
To adjust other values for maxAge and to include subdomains
helmet.hsts(1234567, true); // hsts(maxAge, includeSubdomains)
xFrame is a lot more straight forward than CSP. It has three modes. DENY, SAMEORIGIN, ALLOW-FROM. If your app does not need to be framed (and most don't) you can use the default DENY.
Here is an example for both SAMEORIGIN and ALLOW-FROM
helmet.xframe('sameorigin');
helmet.xframe('allow-from', 'http://example.com');
The following example sets the X-XSS-PROTECTION: 1; mode=block header
helmet.iexss();
The following example sets the X-Content-Type-Options header to it's only and default option 'nosniff'
helmet.contentTypeOptions();
The following example sets the Cache-Control header to no-store, no-cache. This is not configurable at this time.
helmet.cacheControl();
FAQs
help secure Express/Connect apps with various HTTP headers
The npm package helmet receives a total of 1,306,108 weekly downloads. As such, helmet popularity was classified as popular.
We found that helmet demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.
Security News
vlt introduced its new package manager and a serverless registry this week, innovating in a space where npm has stagnated.