Helmet is a middleware for Express applications that helps secure your apps by setting various HTTP headers. It's not a silver bullet, but it can help prevent some well-known web vulnerabilities by setting headers appropriately.
Content Security Policy
Sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "https://trustedscripts.example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
}
}));X-DNS-Prefetch-Control
Controls browser DNS prefetching, which can improve user privacy at the expense of performance.
app.use(helmet.dnsPrefetchControl({ allow: false }));Expect-CT
Sets the Expect-CT header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.
app.use(helmet.expectCt({
enforce: true,
maxAge: 86400
}));X-Frame-Options
Sets the X-Frame-Options header to control whether the browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>.
app.use(helmet.frameguard({ action: 'deny' }));X-Powered-By
Removes the X-Powered-By header to make it slightly harder for attackers to see what potentially vulnerable technology powers your site.
app.use(helmet.hidePoweredBy());Strict-Transport-Security
Sets the Strict-Transport-Security header to enforce secure (HTTP over SSL/TLS) connections to the server.
app.use(helmet.hsts({
maxAge: 15552000,
includeSubDomains: true
}));X-Download-Options
Sets X-Download-Options for IE8+ to prevent others from embedding your site in an iframe.
app.use(helmet.ieNoOpen());X-Content-Type-Options
Sets the X-Content-Type-Options header to prevent browsers from MIME-sniffing a response away from the declared content-type.
app.use(helmet.noSniff());Referrer Policy
Sets the Referrer-Policy header to control what information is sent along with the requests.
app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));X-XSS-Protection
Sets the X-XSS-Protection header to enable the Cross-site scripting (XSS) filter in most recent web browsers.
app.use(helmet.xssFilter());Lusca is another security middleware for Express applications that offers a variety of security features such as CSRF protection, CSP, X-Frame options, and more. It is similar to Helmet but allows for more granular configuration of security policies.
CORS is a package for providing a Connect/Express middleware that can be used to enable CORS (Cross-Origin Resource Sharing) with various options. While Helmet focuses on securing your app from various web vulnerabilities, CORS specifically provides middleware to enable CORS and manage cross-origin requests.
Helmet is a series of middlewares for Express/Connect apps that implement various security headers to make your app more secure. It's not a silver bullet, but it can help!
Helmet includes the following middlewares:
csp (Content Security Policy)hsts (HTTP Strict Transport Security)xframe (X-Frame-Options)iexss (X-XSS-Protection for IE8+)ienoopen (X-Download-Options for IE8+)contentTypeOptions (X-Content-Type-Options)cacheControl (Cache-Control)crossdomain (crossdomain.xml)hidePoweredBy (remove X-Powered-By)npm install helmet
To use a particular middleware application-wide, just use it:
var helmet = require('helmet')
var app = express() // or connect
app.use(helmet.csp())
app.use(helmet.xframe('deny'))
app.use(helmet.contentTypeOptions())
If you're using Express 3, make sure these middlewares are listed before app.router.
If you just want to use the default-level policies, all you need to do is:
app.use(helmet.defaults())
Don't want all the defaults?
helmet.defaults(app, { xframe: false })
app.use(helmet.xframe('sameorigin'))
Setting an appropriate Content Security Policy can protect your users against a variety of attacks (perhaps the largest of which is XSS). To learn more about CSP, check out the HTML5 Rocks guide.
Usage:
app.use(helmet.csp({
'default-src': ["'self'", 'default.com'],
'script-src': ['scripts.com'],
'style-src': ['style.com'],
'img-src': ['img.com'],
'connect-src': ['connect.com'],
'font-src': ['font.com'],
'object-src': ['object.com'],
'media-src': ['media.com'],
'frame-src': ['frame.com'],
'sandbox': ['allow-forms', 'allow-scripts'],
'report-uri': ['/report-violation'],
reportOnly: false, // set to true if you only want to report errors
setAllHeaders: false, // set to true if you want to set all headers
safari5: false // set to true if you want to force buggy CSP in Safari 5
})
There are a lot of inconsistencies in how browsers implement CSP. Helmet sniffs the user-agent of the browser and sets the appropriate header and value for that browser. If no user-agent is found, it will set all the headers with the 1.0 spec.
This middleware adds the Strict-Transport-Security header to the response. See the spec.
To use the default header of Strict-Transport-Security: maxAge=15768000 (about 6 months):
app.use(helmet.hsts())
To adjust other values for maxAge and to include subdomains:
app.use(helmet.hsts(1234567, true))
Note that the max age is in seconds, not milliseconds (as is typical in JavaScript).
X-Frame specifies whether your app can be put in a frame or iframe. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM. If your app does not need to be framed (and most don't) you can use the default DENY.
Usage:
// These are equivalent:
app.use(helmet.xframe())
app.use(helmet.xframe('deny'))
// Only let me be framed by people of the same origin:
app.use(helmet.xframe('sameorigin'))
// Allow from a specific host:
app.use(helmet.xframe('allow-from', 'http://example.com'))
The X-XSS-Protection header is a basic protection against XSS.
Usage:
app.use(helmet.iexss())
This sets the X-XSS-Protection header. On modern browsers, it will set the value to 1; mode=block. On old versions of Internet Explorer, this creates a vulnerability (see here and here), and so the header is set to 0. To force the header on all versions of IE, add the option:
app.use(helmet.iexss({ setOnOldIE: true }))
Sets the X-Download-Options header to noopen to prevent IE users from executing downloads in your site's context. For more, see this MSDN blog post.
app.use(helmet.ienoopen())
The following example sets the X-Content-Type-Options header to its only and default option, nosniff:
app.use(helmet.contentTypeOptions())
The following example sets the Cache-Control header to no-store, no-cache. This is not configurable at this time.
app.use(helmet.cacheControl())
The following example sets the most restrictive crossdomain.xml:
app.use(helmet.crossdomain())
This middleware will remove the X-Powered-By header if it is set.
app.use(helmet.hidePoweredBy())
Note: if you're using Express, you can skip Helmet's middleware if you want:
app.disable('x-powered-by')
FAQs
help secure Express/Connect apps with various HTTP headers
The npm package helmet receives a total of 1,306,108 weekly downloads. As such, helmet popularity was classified as popular.
We found that helmet demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.
Security News
vlt introduced its new package manager and a serverless registry this week, innovating in a space where npm has stagnated.