Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

helmet

Package Overview
Dependencies
Maintainers
2
Versions
132
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

helmet

help secure Express/Connect apps with various HTTP headers

  • 3.20.0
  • Source
  • npm
  • Socket score

Version published
Maintainers
2
Created

What is helmet?

Helmet is a middleware for Express applications that helps secure your apps by setting various HTTP headers. It's not a silver bullet, but it can help prevent some well-known web vulnerabilities by setting headers appropriately.

What are helmet's main functionalities?

Content Security Policy

Sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.

app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "https://trustedscripts.example.com"],
    objectSrc: ["'none'"],
    upgradeInsecureRequests: [],
  }
}));

X-DNS-Prefetch-Control

Controls browser DNS prefetching, which can improve user privacy at the expense of performance.

app.use(helmet.dnsPrefetchControl({ allow: false }));

Expect-CT

Sets the Expect-CT header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.

app.use(helmet.expectCt({
  enforce: true,
  maxAge: 86400
}));

X-Frame-Options

Sets the X-Frame-Options header to control whether the browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>.

app.use(helmet.frameguard({ action: 'deny' }));

X-Powered-By

Removes the X-Powered-By header to make it slightly harder for attackers to see what potentially vulnerable technology powers your site.

app.use(helmet.hidePoweredBy());

Strict-Transport-Security

Sets the Strict-Transport-Security header to enforce secure (HTTP over SSL/TLS) connections to the server.

app.use(helmet.hsts({
  maxAge: 15552000,
  includeSubDomains: true
}));

X-Download-Options

Sets X-Download-Options for IE8+ to prevent others from embedding your site in an iframe.

app.use(helmet.ieNoOpen());

X-Content-Type-Options

Sets the X-Content-Type-Options header to prevent browsers from MIME-sniffing a response away from the declared content-type.

app.use(helmet.noSniff());

Referrer Policy

Sets the Referrer-Policy header to control what information is sent along with the requests.

app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));

X-XSS-Protection

Sets the X-XSS-Protection header to enable the Cross-site scripting (XSS) filter in most recent web browsers.

app.use(helmet.xssFilter());

Other packages similar to helmet

Keywords

FAQs

Package last updated on 24 Jul 2019

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc