What is helmet?
Helmet is a middleware for Express applications that helps secure your apps by setting various HTTP headers. It's not a silver bullet, but it can help prevent some well-known web vulnerabilities by setting headers appropriately.
What are helmet's main functionalities?
Content Security Policy
Sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "https://trustedscripts.example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
}
}));
X-DNS-Prefetch-Control
Controls browser DNS prefetching, which can improve user privacy at the expense of performance.
app.use(helmet.dnsPrefetchControl({ allow: false }));
Expect-CT
Sets the Expect-CT header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.
app.use(helmet.expectCt({
enforce: true,
maxAge: 86400
}));
X-Frame-Options
Sets the X-Frame-Options header to control whether the browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>.
app.use(helmet.frameguard({ action: 'deny' }));
X-Powered-By
Removes the X-Powered-By header to make it slightly harder for attackers to see what potentially vulnerable technology powers your site.
app.use(helmet.hidePoweredBy());
Strict-Transport-Security
Sets the Strict-Transport-Security header to enforce secure (HTTP over SSL/TLS) connections to the server.
app.use(helmet.hsts({
maxAge: 15552000,
includeSubDomains: true
}));
X-Download-Options
Sets X-Download-Options for IE8+ to prevent others from embedding your site in an iframe.
app.use(helmet.ieNoOpen());
X-Content-Type-Options
Sets the X-Content-Type-Options header to prevent browsers from MIME-sniffing a response away from the declared content-type.
app.use(helmet.noSniff());
Referrer Policy
Sets the Referrer-Policy header to control what information is sent along with the requests.
app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));
X-XSS-Protection
Sets the X-XSS-Protection header to enable the Cross-site scripting (XSS) filter in most recent web browsers.
app.use(helmet.xssFilter());
Other packages similar to helmet
lusca
Lusca is another security middleware for Express applications that offers a variety of security features such as CSRF protection, CSP, X-Frame options, and more. It is similar to Helmet but allows for more granular configuration of security policies.
cors
CORS is a package for providing a Connect/Express middleware that can be used to enable CORS (Cross-Origin Resource Sharing) with various options. While Helmet focuses on securing your app from various web vulnerabilities, CORS specifically provides middleware to enable CORS and manage cross-origin requests.
Helmet
Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!
Looking for a version of Helmet that supports the Koa framework?
Quick start
First, run npm install helmet --save
for your app. Then, in an Express (or Connect) app:
var express = require('express')
var helmet = require('helmet')
var app = express()
app.use(helmet())
It's best to use
Helmet early in your middleware stack so that its headers are sure to be set.
You can also use its pieces individually:
app.use(helmet.noCache())
app.use(helmet.frameguard())
You can disable a middleware that's normally enabled by default. This will disable frameguard
but include the other defaults.
app.use(helmet({
frameguard: false
}))
You can also set options for a middleware. Setting options like this will always include the middleware, whether or not it's a default.
app.use(helmet({
frameguard: {
action: 'deny'
}
}))
If you're using Express 3, make sure these middlewares are listed before app.router
.
How it works
Helmet is a collection of 11 smaller middleware functions that set HTTP headers. Running app.use(helmet())
will not include all of these middleware functions by default.
You can see more in the documentation.