Security News
Cloudflare Adds Security.txt Setup Wizard
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
Helmet is a middleware for Express applications that helps secure your apps by setting various HTTP headers. It's not a silver bullet, but it can help prevent some well-known web vulnerabilities by setting headers appropriately.
Content Security Policy
Sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "https://trustedscripts.example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
}
}));
X-DNS-Prefetch-Control
Controls browser DNS prefetching, which can improve user privacy at the expense of performance.
app.use(helmet.dnsPrefetchControl({ allow: false }));
Expect-CT
Sets the Expect-CT header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.
app.use(helmet.expectCt({
enforce: true,
maxAge: 86400
}));
X-Frame-Options
Sets the X-Frame-Options header to control whether the browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>.
app.use(helmet.frameguard({ action: 'deny' }));
X-Powered-By
Removes the X-Powered-By header to make it slightly harder for attackers to see what potentially vulnerable technology powers your site.
app.use(helmet.hidePoweredBy());
Strict-Transport-Security
Sets the Strict-Transport-Security header to enforce secure (HTTP over SSL/TLS) connections to the server.
app.use(helmet.hsts({
maxAge: 15552000,
includeSubDomains: true
}));
X-Download-Options
Sets X-Download-Options for IE8+ to prevent others from embedding your site in an iframe.
app.use(helmet.ieNoOpen());
X-Content-Type-Options
Sets the X-Content-Type-Options header to prevent browsers from MIME-sniffing a response away from the declared content-type.
app.use(helmet.noSniff());
Referrer Policy
Sets the Referrer-Policy header to control what information is sent along with the requests.
app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));
X-XSS-Protection
Sets the X-XSS-Protection header to enable the Cross-site scripting (XSS) filter in most recent web browsers.
app.use(helmet.xssFilter());
Lusca is another security middleware for Express applications that offers a variety of security features such as CSRF protection, CSP, X-Frame options, and more. It is similar to Helmet but allows for more granular configuration of security policies.
CORS is a package for providing a Connect/Express middleware that can be used to enable CORS (Cross-Origin Resource Sharing) with various options. While Helmet focuses on securing your app from various web vulnerabilities, CORS specifically provides middleware to enable CORS and manage cross-origin requests.
Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!
Looking for a version of Helmet that supports the Koa framework?
First, run npm install helmet --save
for your app. Then, in an Express (or Connect) app:
const express = require('express')
const helmet = require('helmet')
const app = express()
app.use(helmet())
// ...
It's best to use
Helmet early in your middleware stack so that its headers are sure to be set.
You can also use its pieces individually:
app.use(helmet.xssFilter())
app.use(helmet.frameguard())
You can disable a middleware that's normally enabled by default. This will disable frameguard
but include the other defaults.
app.use(helmet({
frameguard: false
}))
You can also set options for a middleware. Setting options like this will always include the middleware, whether or not it's a default.
app.use(helmet({
frameguard: {
action: 'deny'
}
}))
If you're using Express 3, make sure these middlewares are listed before app.router
.
Helmet is a collection of 14 smaller middleware functions that set HTTP response headers. Running app.use(helmet())
will not include all of these middleware functions by default.
Module | Default? |
---|---|
contentSecurityPolicy for setting Content Security Policy | |
crossdomain for handling Adobe products' crossdomain requests | |
dnsPrefetchControl controls browser DNS prefetching | ✓ |
expectCt for handling Certificate Transparency | |
featurePolicy to limit your site's features | |
frameguard to prevent clickjacking | ✓ |
hidePoweredBy to remove the X-Powered-By header | ✓ |
hpkp for HTTP Public Key Pinning | |
hsts for HTTP Strict Transport Security | ✓ |
ieNoOpen sets X-Download-Options for IE8+ | ✓ |
noCache to disable client-side caching | |
noSniff to keep clients from sniffing the MIME type | ✓ |
referrerPolicy to hide the Referer header | |
xssFilter adds some small XSS protections | ✓ |
You can see more in the documentation.
3.20.1 - 2019-08-28
helmet-csp
to v2.9.0FAQs
help secure Express/Connect apps with various HTTP headers
The npm package helmet receives a total of 2,579,835 weekly downloads. As such, helmet popularity was classified as popular.
We found that helmet demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
Security News
The Socket Research team breaks down a malicious npm package targeting the legitimate DOMPurify library. It uses obfuscated code to hide that it is exfiltrating browser and crypto wallet data.
Security News
ENISA’s 2024 report highlights the EU’s top cybersecurity threats, including rising DDoS attacks, ransomware, supply chain vulnerabilities, and weaponized AI.