Helmet is a middleware for Express applications that helps secure your apps by setting various HTTP headers. It's not a silver bullet, but it can help prevent some well-known web vulnerabilities by setting headers appropriately.
Content Security Policy
Sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "https://trustedscripts.example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
}
}));X-DNS-Prefetch-Control
Controls browser DNS prefetching, which can improve user privacy at the expense of performance.
app.use(helmet.dnsPrefetchControl({ allow: false }));Expect-CT
Sets the Expect-CT header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.
app.use(helmet.expectCt({
enforce: true,
maxAge: 86400
}));X-Frame-Options
Sets the X-Frame-Options header to control whether the browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>.
app.use(helmet.frameguard({ action: 'deny' }));X-Powered-By
Removes the X-Powered-By header to make it slightly harder for attackers to see what potentially vulnerable technology powers your site.
app.use(helmet.hidePoweredBy());Strict-Transport-Security
Sets the Strict-Transport-Security header to enforce secure (HTTP over SSL/TLS) connections to the server.
app.use(helmet.hsts({
maxAge: 15552000,
includeSubDomains: true
}));X-Download-Options
Sets X-Download-Options for IE8+ to prevent others from embedding your site in an iframe.
app.use(helmet.ieNoOpen());X-Content-Type-Options
Sets the X-Content-Type-Options header to prevent browsers from MIME-sniffing a response away from the declared content-type.
app.use(helmet.noSniff());Referrer Policy
Sets the Referrer-Policy header to control what information is sent along with the requests.
app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));X-XSS-Protection
Sets the X-XSS-Protection header to enable the Cross-site scripting (XSS) filter in most recent web browsers.
app.use(helmet.xssFilter());Lusca is another security middleware for Express applications that offers a variety of security features such as CSRF protection, CSP, X-Frame options, and more. It is similar to Helmet but allows for more granular configuration of security policies.
CORS is a package for providing a Connect/Express middleware that can be used to enable CORS (Cross-Origin Resource Sharing) with various options. While Helmet focuses on securing your app from various web vulnerabilities, CORS specifically provides middleware to enable CORS and manage cross-origin requests.
Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!
Looking for a version of Helmet that supports the Koa framework?
First, run npm install helmet --save for your app. Then, in an Express (or Connect) app:
var express = require('express')
var helmet = require('helmet')
var app = express()
app.use(helmet())
// ...
You can also use its pieces individually:
app.use(helmet.noCache())
app.use(helmet.frameguard())
If you're using Express 3, make sure these middlewares are listed before app.router.
Helmet is a collection of 11 smaller middleware functions that set HTTP headers. Running app.use(helmet()) will not include all of these middleware functions by default.
| Module | Default? |
|---|---|
| contentSecurityPolicy for setting Content Security Policy | |
| dnsPrefetchControl controls browser DNS prefetching | ✓ |
| frameguard to prevent clickjacking | ✓ |
| hidePoweredBy to remove the X-Powered-By header | ✓ |
| hpkp for HTTP Public Key Pinning | |
| hsts for HTTP Strict Transport Security | ✓ |
| ieNoOpen sets X-Download-Options for IE8+ | ✓ |
| noCache to disable client-side caching | |
| noSniff to keep clients from sniffing the MIME type | ✓ |
| referrerPolicy to hide the Referer header | |
| xssFilter adds some small XSS protections | ✓ |
You can also use each module individually as documented below.
For each of the middlewares, we'll talk about three things:
Let's get started.
The top-level helmet package will include 7 of the following 11 packages. You can use it like this:
app.use(helmet())
You can disable a middleware that's normally enabled by default. This will disable frameguard but include the other 6 defaults.
app.use(helmet({
frameguard: false
}))
You can also set options for a middleware. Setting options like this will always include the middleware, whether or not it's a default.
app.use(helmet({
frameguard: {
action: 'deny'
}
}))
Trying to prevent: Injecting anything unintended into our page. That could cause XSS vulnerabilities, unintended tracking, malicious frames, and more.
How to use Helmet to mitigate this: Set an appropriate Content Security Policy. If you want to learn how CSP works, check out the fantastic HTML5 Rocks guide and the Content Security Policy Reference.
Usage:
app.use(helmet.contentSecurityPolicy({
// Specify directives as normal.
directives: {
defaultSrc: ["'self'", 'default.com'],
scriptSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ['style.com'],
imgSrc: ['img.com', 'data:'],
sandbox: ['allow-forms', 'allow-scripts'],
reportUri: '/report-violation',
objectSrc: [] // An empty array allows nothing through
},
// Set to true if you only want browsers to report errors, not block them
reportOnly: false,
// Set to true if you want to blindly set all headers: Content-Security-Policy,
// X-WebKit-CSP, and X-Content-Security-Policy.
setAllHeaders: false,
// Set to true if you want to disable CSP on Android where it can be buggy.
disableAndroid: false,
// Set to false if you want to completely disable any user-agent sniffing.
// This may make the headers less compatible but it will be much faster.
// This defaults to `true`.
browserSniff: true
}))
You can specify keys in a camel-cased fashion (imgSrc) or dashed (img-src); they are equivalent.
There are a lot of inconsistencies in how browsers implement CSP. Helmet sniffs the user-agent of the browser and sets the appropriate header and value for that browser. If no user-agent is matched, it will set all the headers with the latest spec.
Note: If you're using the reportUri feature and you're using csurf, you might have errors. Check this out for a workaround.
Limitations: CSP is often difficult to tune properly, as it's a whitelist and not a blacklist. It isn't supported on old browsers but is pretty well-supported on newer browsers.
Trying to prevent: Cross-site scripting attacks (XSS), a subset of the attacks mentioned above.
How to use Helmet to mitigate this: The X-XSS-Protection HTTP header is a basic protection against XSS. It was originally by Microsoft but Chrome has since adopted it as well. Helmet lets you use it easily:
app.use(helmet.xssFilter())
This sets the X-XSS-Protection header. On modern browsers, it will set the value to 1; mode=block. On old versions of Internet Explorer, this creates a vulnerability (see here and here), and so the header is set to 0 to disable it. To force the header on all versions of IE, add the option:
app.use(helmet.xssFilter({ setOnOldIE: true }))
// This has some security problems for old IE!
Limitations: This isn't anywhere near as thorough as CSP. It's only properly supported on IE9+ and Chrome; no other major browsers support it at this time. Old versions of IE support it in a buggy way, which we disable by default.
Trying to prevent: Your page being put in a <frame> or <iframe> without your consent. This can result in clickjacking attacks, among other things.
How to use Helmet to mitigate this: The X-Frame-Options HTTP header restricts who can put your site in a frame which can help mitigate things like clickjacking attacks. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM, defaulting to SAMEORIGIN. If your app does not need to be framed (and most don't) you can use DENY. If your site can be in frames from the same origin, you can set it to SAMEORIGIN. If you want to allow it from a specific URL, you can allow that with ALLOW-FROM and a URL.
Usage:
// Don't allow me to be in ANY frames:
app.use(helmet.frameguard({ action: 'deny' }))
// Only let me be framed by people of the same origin:
app.use(helmet.frameguard({ action: 'sameorigin' }))
app.use(helmet.frameguard()) // defaults to sameorigin
// Allow from a specific host:
app.use(helmet.frameguard({
action: 'allow-from',
domain: 'http://example.com'
}))
Limitations: This has pretty good (but not 100%) browser support: IE8+, Opera 10.50+, Safari 4+, Chrome 4.1+, and Firefox 3.6.9+. It only prevents against a certain class of attack, but does so pretty well. It also prevents your site from being framed, which you might want for legitimate reasons.
Trying to prevent: Users viewing your site on HTTP instead of HTTPS. HTTP is pretty insecure!
How to use Helmet to mitigate this: This middleware adds the Strict-Transport-Security header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". (See the spec for more.)
This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next ninety days:
var ninetyDaysInMilliseconds = 7776000000;
app.use(helmet.hsts({ maxAge: ninetyDaysInMilliseconds }))
You can also include subdomains. If this is set on example.com, supported browsers will also use HTTPS on my-subdomain.example.com. Here's how you do that:
app.use(helmet.hsts({
maxAge: 123000,
includeSubdomains: true
}))
Chrome lets you submit your site for baked-into-Chrome HSTS by adding preload to the header. You can add that with the following code, and then submit your site to the Chrome team at hstspreload.appspot.com.
app.use(helmet.hsts({
maxAge: 10886400000, // Must be at least 18 weeks to be approved by Google
includeSubdomains: true, // Must be enabled to be approved by Google
preload: true
}))
This'll be set if req.secure is true, a boolean auto-populated by Express. If you're not using Express, that value won't necessarily be set, so you have two options:
// Set the header based on silly conditions
app.use(helmet.hsts({
maxAge: 1234000,
setIf: function(req, res) {
return Math.random() < 0.5;
}
}));
// ALWAYS set the header
app.use(helmet.hsts({
maxAge: 1234000,
force: true
}))
Note that the max age is in milliseconds, even though the spec uses seconds. This middleware will round to the nearest full second.
Limitations: This only works if your site actually has HTTPS. It won't tell users on HTTP to switch to HTTPS, it will just tell HTTPS users to stick around. You can enforce this with the express-enforces-ssl module. It's somewhat well-supported by browsers.
The Referer HTTP header is typically set by web browsers to tell the server where it's coming from. For example, if you click a link on example.com/index.html that takes you to wikipedia.org, Wikipedia's servers will see Referer: example.com. This can have privacy implications—websites can see where you are coming from. The new Referrer-Policy HTTP header lets authors control how browsers set the Referer header.
Read the spec to see the options you can provide.
Usage:
app.use(helmet.referrerPolicy({ policy: 'same-origin' }))
// Referrer-Policy: same-origin
app.use(helmet.referrerPolicy({ policy: 'unsafe-url' }))
// Referrer-Policy: unsafe-url
app.use(helmet.referrerPolicy())
// Referrer-Policy: no-referrer
Trying to prevent: Hackers can exploit known vulnerabilities in Express/Node if they see that your site is powered by Express (or whichever framework you use). X-Powered-By: Express is sent in every HTTP request coming from Express by default. Disabling this won't provide much security benefit (as discussed here), but might help a tiny bit. It will also improve performance by reducing the number of bytes sent.
How to use Helmet to mitigate this: The hidePoweredBy middleware will remove the X-Powered-By header if it is set (which it will be by default in Express).
app.use(helmet.hidePoweredBy())
You can also explicitly set the header to something else, if you want. This could throw people off:
app.use(helmet.hidePoweredBy({ setTo: 'PHP 4.2.0' }))
Note: if you're using Express, you can skip Helmet's middleware if you want:
app.disable('x-powered-by')
Limitations: There might be other telltale signs that your site is Express-based (a blog post about your tech stack, for example). And if a hacker wants to hack your site, they could try Express (even if they're not sure that's what your site is built on).
Trying to prevent: Some web applications will serve untrusted HTML for download. By default, some versions of Internet Explorer will allow you to open those HTML files in the context of your site, which means that an untrusted HTML page could start doing bad things in the context of your pages. For more, see this MSDN blog post.
How to use Helmet to mitigate this: Set the X-Download-Options header to noopen to prevent IE users from executing downloads in your site's context.
app.use(helmet.ieNoOpen())
Limitations: This is pretty obscure, fixing a small bug on IE only. No real drawbacks other than performance/bandwidth of setting the headers, though.
Trying to prevent: Some browsers will try to "sniff" mimetypes. For example, if my server serves file.txt with a text/plain content-type, some browsers can still run that file with <script src="file.txt"></script>. Many browsers will allow file.js to be run even if the content-type isn't for JavaScript. There are some other vulnerabilities, too.
How to use Helmet to mitigate this: Use Helmet's noSniff middleware to keep Chrome, Opera, and IE from doing this sniffing (and Firefox soon). The following example sets the X-Content-Type-Options header to its only option, nosniff:
app.use(helmet.noSniff())
MSDN has a good description of how browsers behave when this header is sent.
Limitations: This only prevents against a certain kind of attack.
Trying to prevent: Users caching your old, buggy resources. It's possible that you've got bugs in an old HTML or JavaScript file, and with a cache, some users will be stuck with those old versions.
How to use Helmet to mitigate this: Use Helmet to disable this kind of caching. This sets a number of HTTP headers that stop caching.
app.use(helmet.noCache())
This sets four headers, disabling a lot of browser caching:
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidatePragma: no-cacheExpires: 0Surrogate-Control: no-storeLimitations: Caching has performance benefits, and you lose them here. It's also possible that you'll introduce new bugs and you'll wish people had old resources cached, but that's less likely.
Trying to prevent: HTTPS certificates can be forged, allowing man-in-the middle attacks. HTTP Public Key Pinning aims to help that.
How to use Helmet to mitigate this: Pass the "Public-Key-Pins" header to better assert your SSL certificates. See the spec for more.
var ninetyDaysInMilliseconds = 7776000000;
app.use(helmet.hpkp({
maxAge: ninetyDaysInMilliseconds,
sha256s: ['AbCdEf123=', 'ZyXwVu456='],
includeSubdomains: true, // optional
reportUri: 'http://example.com' // optional
reportOnly: false, // optional
// Set the header based on a condition.
// This is optional.
setIf: function (req, res) {
return req.secure
}
}))
Setting reportOnly to true will change the header from Public-Key-Pins to Public-Key-Pins-Report-Only.
Limitations: Don't let these get out of sync with your certs!
Trying to prevent: Some browsers can start doing DNS lookups of other domains before visiting those domains. This can improve performance but can worsen security. Mozilla Developer Network describes how browsers do this prefetching. Chromium's documentation describes some ways that DNS lookups can be abused.
How to use Helmet to mitigate this: Browsers will listen for the X-DNS-Prefetch-Control header and will disable DNS prefetching if the header is set to off.
// Disable DNS prefetching (these two lines are equivalent):
app.use(helmet.dnsPrefetchControl())
app.use(helmet.dnsPrefetchControl({ allow: false }))
// Enable DNS prefetching (less secure but faster):
app.use(helmet.dnsPrefetchControl({ allow: true }))
Limitations: This hurts performance—browsers will no longer prefetch resources from your site.
Helmet only deals with HTTP headers, but there are a number of other helpful security modules for Express. We haven't heavily audited these—that's what the Node Security Project is for—but take a look at some of these modules!
This module has also been ported to other environments.
2.3.0 - 2016-09-30
hpkp middleware now supports the includeSubDomains property with a capital Dhpkp was setting includeSubdomains instead of includeSubDomainsFAQs
help secure Express/Connect apps with various HTTP headers
The npm package helmet receives a total of 2,488,240 weekly downloads. As such, helmet popularity was classified as popular.
We found that helmet demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.