What is helmet?
Helmet is a middleware for Express applications that helps secure your apps by setting various HTTP headers. It's not a silver bullet, but it can help prevent some well-known web vulnerabilities by setting headers appropriately.
What are helmet's main functionalities?
Content Security Policy
Sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "https://trustedscripts.example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
}
}));
X-DNS-Prefetch-Control
Controls browser DNS prefetching, which can improve user privacy at the expense of performance.
app.use(helmet.dnsPrefetchControl({ allow: false }));
Expect-CT
Sets the Expect-CT header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.
app.use(helmet.expectCt({
enforce: true,
maxAge: 86400
}));
X-Frame-Options
Sets the X-Frame-Options header to control whether the browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>.
app.use(helmet.frameguard({ action: 'deny' }));
X-Powered-By
Removes the X-Powered-By header to make it slightly harder for attackers to see what potentially vulnerable technology powers your site.
app.use(helmet.hidePoweredBy());
Strict-Transport-Security
Sets the Strict-Transport-Security header to enforce secure (HTTP over SSL/TLS) connections to the server.
app.use(helmet.hsts({
maxAge: 15552000,
includeSubDomains: true
}));
X-Download-Options
Sets X-Download-Options for IE8+ to prevent others from embedding your site in an iframe.
app.use(helmet.ieNoOpen());
X-Content-Type-Options
Sets the X-Content-Type-Options header to prevent browsers from MIME-sniffing a response away from the declared content-type.
app.use(helmet.noSniff());
Referrer Policy
Sets the Referrer-Policy header to control what information is sent along with the requests.
app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));
X-XSS-Protection
Sets the X-XSS-Protection header to enable the Cross-site scripting (XSS) filter in most recent web browsers.
app.use(helmet.xssFilter());
Other packages similar to helmet
lusca
Lusca is another security middleware for Express applications that offers a variety of security features such as CSRF protection, CSP, X-Frame options, and more. It is similar to Helmet but allows for more granular configuration of security policies.
cors
CORS is a package for providing a Connect/Express middleware that can be used to enable CORS (Cross-Origin Resource Sharing) with various options. While Helmet focuses on securing your app from various web vulnerabilities, CORS specifically provides middleware to enable CORS and manage cross-origin requests.
Express / Connect middleware that implement various security headers. [with sane defaults where applicable]
Included Middleware
- csp (Content Security Policy)
- HSTS (HTTP Strict Transport Security)
- xframe (X-FRAME-OPTIONS)
- iexss (X-XSS-PROTECTION for IE8+)
- contentTypeOptions (X-Content-Type-Options nosniff)
- cacheControl (Cache-Control no-store, no-cache)
Installation
npm install helmet
Basic Express Usage
var helmet = require('helmet');
To use a particular middleware application wide just use it from your app.
Make sure it is listed before app.router.
app.use(express.methodOverride());
app.use(express.bodyParser());
app.use(helmet.csp());
app.use(helmet.xframe());
app.use(helmet.contentTypeOptions());
app.use(app.router);
If you just want to use the default-level policies, all you need to do is:
helmet.defaults(app);
Defaults is semi-configurable too. If you wanted for instance all the
defaults but wanted your own xframe options you could do this:
helmet.defaults(app, {xframe: false});
app.use(helmet.xframe('DENY'));
Content Security Policy
Content Security Policy (W3C Draft)
<- Pretty much required reading if you want to do anything with CSP
Browser Support
Currently there is CSP support in Firefox and experimental support in Chrome. Both X-Content-Security-Policy and X-WebKit-CSP
headers are set by helmet.
There are two different ways to build CSP policies with helmet.
Using policy()
policy() eats a json blob (including the output of it's own toJSON() function) to create a policy. By default
helmet has a defaultPolicy that looks like;
Content-Security-Policy: default-src 'self'
To override this and create a new policy you could do something like
policy = {
defaultPolicy: {
'default-src': ["'self'"],
'img-src': ['static.andyet.net','*.cdn.example.com'],
}
}
helmet.csp.policy(policy);
Using add()
The same thing could be accomplished using add() since the defaultPolicy default-src is already 'self'
helmet.csp.add('img-src', ['static.andyet.net', '*.cdn.example.com']);
Reporting Violations
CSP can report violations back to a specified URL. You can either set the report-uri using policy() or add() or
use the reportTo() helper function.
helmet.csp.reportTo('http://example.com/csp');
HTTP Strict Transport Security
draft-ietf-websec-strict-transport-sec-04
This middleware adds the Strict-Transport-Security header to the response
Basic Usage
To use the default header of Strict-Transport-Security: maxAge=15768000
helmet.hsts();
To adjust other values for maxAge and to include subdomains
helmet.hsts(1234567, true);
X-FRAME-OPTIONS
xFrame is a lot more straight forward than CSP. It has three modes. DENY, SAMEORIGIN, ALLOW-FROM. If your app does
not need to be framed (and most don't) you can use the default DENY.
Browser Support
- IE8+
- Opera 10.50+
- Safari 4+
- Chrome 4.1.249.1042+
- Firefox 3.6.9 (or earlier with NoScript)
Here is an example for both SAMEORIGIN and ALLOW-FROM
helmet.xframe('sameorigin');
helmet.xframe('allow-from', 'http://example.com');
X-XSS-PROTECTION
The following example sets the X-XSS-PROTECTION: 1; mode=block header
helmet.iexss();
X-Content-Type-Options
The following example sets the X-Content-Type-Options header to it's only and default option 'nosniff'
helmet.contentTypeOptions();
Cache-Control
The following example sets the Cache-Control header to no-store, no-cache. This is not configurable at this time.
helmet.cacheControl();
To Be Implemented
- Warn when self, unsafe-inline or unsafe-eval are not single quoted
- Warn when unsafe-inline or unsafe-eval are used
- Caching of generated CSP headers
- Device to capture and parse reported CSP violations