What is helmet?
Helmet is a middleware for Express applications that helps secure your apps by setting various HTTP headers. It's not a silver bullet, but it can help prevent some well-known web vulnerabilities by setting headers appropriately.
What are helmet's main functionalities?
Content Security Policy
Sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "https://trustedscripts.example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
}
}));
X-DNS-Prefetch-Control
Controls browser DNS prefetching, which can improve user privacy at the expense of performance.
app.use(helmet.dnsPrefetchControl({ allow: false }));
Expect-CT
Sets the Expect-CT header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.
app.use(helmet.expectCt({
enforce: true,
maxAge: 86400
}));
X-Frame-Options
Sets the X-Frame-Options header to control whether the browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>.
app.use(helmet.frameguard({ action: 'deny' }));
X-Powered-By
Removes the X-Powered-By header to make it slightly harder for attackers to see what potentially vulnerable technology powers your site.
app.use(helmet.hidePoweredBy());
Strict-Transport-Security
Sets the Strict-Transport-Security header to enforce secure (HTTP over SSL/TLS) connections to the server.
app.use(helmet.hsts({
maxAge: 15552000,
includeSubDomains: true
}));
X-Download-Options
Sets X-Download-Options for IE8+ to prevent others from embedding your site in an iframe.
app.use(helmet.ieNoOpen());
X-Content-Type-Options
Sets the X-Content-Type-Options header to prevent browsers from MIME-sniffing a response away from the declared content-type.
app.use(helmet.noSniff());
Referrer Policy
Sets the Referrer-Policy header to control what information is sent along with the requests.
app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));
X-XSS-Protection
Sets the X-XSS-Protection header to enable the Cross-site scripting (XSS) filter in most recent web browsers.
app.use(helmet.xssFilter());
Other packages similar to helmet
lusca
Lusca is another security middleware for Express applications that offers a variety of security features such as CSRF protection, CSP, X-Frame options, and more. It is similar to Helmet but allows for more granular configuration of security policies.
cors
CORS is a package for providing a Connect/Express middleware that can be used to enable CORS (Cross-Origin Resource Sharing) with various options. While Helmet focuses on securing your app from various web vulnerabilities, CORS specifically provides middleware to enable CORS and manage cross-origin requests.
Helmet
Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!
Quick start
First, run npm install helmet --save
for your app. Then, in an Express app:
const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet());
How it works
Helmet is Connect-style middleware, which is compatible with frameworks like Express. (If you need support for Koa, see koa-helmet
.)
The top-level helmet
function is a wrapper around 11 smaller middlewares.
In other words, these two things are equivalent:
app.use(helmet());
app.use(helmet.contentSecurityPolicy());
app.use(helmet.dnsPrefetchControl());
app.use(helmet.expectCt());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.hsts());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.permittedCrossDomainPolicies());
app.use(helmet.referrerPolicy());
app.use(helmet.xssFilter());
Reference
helmet(options)
Helmet is the top-level middleware for this module, including all 11 others.
All 11 middlewares are enabled by default.
app.use(helmet());
If you want to disable one, pass options to helmet
. For example, to disable frameguard
:
app.use(
helmet({
frameguard: false,
})
);
Most of the middlewares have options, which are documented in more detail below. For example, to pass { action: "deny" }
to frameguard
:
app.use(
helmet({
frameguard: {
action: "deny",
},
})
);
Each middleware's name is listed below.
helmet.contentSecurityPolicy(options)
helmet.contentSecurityPolicy
sets the Content-Security-Policy
header which helps mitigate cross-site scripting attacks, among other things. See MDN's introductory article on Content Security Policy.
This middleware performs very little validation. You should rely on CSP checkers like CSP Evaluator instead.
options.directives
is an object. Each key is a directive name in camel case (such as defaultSrc
) or kebab case (such as default-src
). Each value is an iterable (usually an array) of strings for that directive.
options.reportOnly
is a boolean, defaulting to false
. If true
, the Content-Security-Policy-Report-Only
header will be set instead.
If no directives are supplied, the following policy is set (whitespace added for readability):
default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
Examples:
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
},
})
);
app.use(
helmet.contentSecurityPolicy({
directives: {
"default-src": ["'self'"],
"script-src": ["'self'", "example.com"],
"object-src": ["'none'"],
},
})
);
app.use(
helmet.contentSecurityPolicy({
directives: {
},
reportOnly: true,
})
);
See this wiki page to see how to set directives conditionally (to set per-request nonces, for example).
You can install this module separately as helmet-csp
.
helmet.expectCt(options)
helmet.expectCt
sets the Expect-CT
header which helps mitigate misissued SSL certificates. See MDN's article on Certificate Transparency and the Expect-CT
header for more.
options.maxAge
is the number of seconds to expect Certificate Transparency. It defaults to 0
.
options.enforce
is a boolean. If true
, the user agent (usually a browser) should refuse future connections that violate its Certificate Transparency policy. Defaults to false
.
options.reportUri
is a string. If set, complying user agents will report Certificate Transparency failures to this URL. Unset by default.
Examples:
app.use(
helmet.expectCt({
maxAge: 86400,
})
);
app.use(
helmet.expectCt({
maxAge: 86400,
enforce: true,
reportUri: "https://example.com/report",
})
);
You can install this module separately as expect-ct
.
helmet.referrerPolicy(options)
helmet.referrerPolicy
sets the Referrer-Policy
header which controls what information is set in the Referer
header. See "Referer header: privacy and security concerns" and the header's documentation on MDN for more.
options.policy
is a string or array of strings representing the policy. If passed as an array, it will be joined with commas, which is useful when setting a fallback policy. It defaults to no-referrer
.
Examples:
app.use(
helmet.referrerPolicy({
policy: "no-referrer",
})
);
app.use(
helmet.referrerPolicy({
policy: ["origin", "unsafe-url"],
})
);
You can install this module separately as referrer-policy
.
helmet.hsts(options)
helmet.hsts
sets the Strict-Transport-Security
header which tells browsers to prefer HTTPS over insecure HTTP. See the documentation on MDN for more.
options.maxAge
is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. It defaults to 15552000
, which is 180 days.
options.includeSubDomains
is a boolean which dictates whether to include the includeSubDomains
directive, which makes this policy extend to subdomains. It defaults to true
.
options.preload
is a boolean. If true, it adds the preload
directive, expressing intent to add your HSTS policy to browsers. See the "Preloading Strict Transport Security" section on MDN for more. It defaults to false
.
Examples:
app.use(
helmet.strictTransportSecurity({
maxAge: 123456,
})
);
app.use(
helmet.strictTransportSecurity({
maxAge: 123456,
includeSubDomains: false,
})
);
app.use(
helmet.strictTransportSecurity({
maxAge: 63072000,
preload: true,
})
);
You can install this module separately as hsts
.
helmet.noSniff()
helmet.noSniff
sets the X-Content-Type-Options
header to nosniff
. This mitigates MIME type sniffing which can cause security vulnerabilities. See documentation for this header on MDN for more.
This middleware takes no options.
Example:
app.use(helmet.noSniff());
You can install this module separately as dont-sniff-mimetype
.
helmet.dnsPrefetchControl(options)
helmet.dnsPrefetchControl
sets the X-DNS-Prefetch-Control
header to help control DNS prefetching, which can improve user privacy at the expense of performance. See documentation on MDN for more.
options.allow
is a boolean dictating whether to enable DNS prefetching. It defaults to false
.
Examples:
app.use(
helmet.dnsPrefetchControl({
allow: false,
})
);
app.use(
helmet.dnsPrefetchControl({
allow: true,
})
);
You can install this module separately as dns-prefetch-control
.
helmet.ieNoOpen()
helmet.ieNoOpen
sets the X-Download-Options
header, which is specific to Internet Explorer 8. It forces potentially-unsafe downloads to be saved, mitigating execution of HTML in your site's context. For more, see this old post on MSDN.
This middleware takes no options.
Examples:
app.use(helmet.ieNoOpen());
You can install this module separately as ienoopen
.
helmet.frameguard(options)
helmet.frameguard
sets the X-Frame-Options
header to help you mitigate clickjacking attacks. This header is superseded by the frame-ancestors
Content Security Policy directive but is still useful on old browsers. For more, see the documentation on MDN.
options.action
is a string that specifies which directive to use—either DENY
or SAMEORIGIN
. (A legacy directive, ALLOW-FROM
, is not supported by this middleware. Read more here.) It defaults to SAMEORIGIN
.
Examples:
app.use(
helmet.frameguard({
action: "deny",
})
);
app.use(
helmet.frameguard({
action: "sameorigin",
})
);
You can install this module separately as frameguard
.
helmet.permittedCrossDomainPolicies(options)
helmet.permittedCrossDomainPolicies
sets the X-Permitted-Cross-Domain-Policies
header, which tells some clients (mostly Adobe products) your domain's policy for loading cross-domain content. See the description on OWASP for more.
options.permittedPolicies
is a string that must be "none"
, "master-only"
, "by-content-type"
, or "all"
. It defaults to "none"
.
Examples:
app.use(
helmet.permittedCrossDomainPolicies({
permittedPolicies: "none",
})
);
app.use(
helmet.permittedCrossDomainPolicies({
permittedPolicies: "by-content-type",
})
);
You can install this module separately as helmet-crossdomain
.
helmet.hidePoweredBy(options)
helmet.hidePoweredBy
removes the X-Powered-By
header, which is set by default in some frameworks (like Express). Removing the header offers very limited security benefits (see this discussion) and is mostly removed to save bandwidth.
This middleware takes no options.
If you're using Express, this middleware will work, but you should use app.disable("x-powered-by")
instead.
Examples:
app.use(helmet.hidePoweredBy());
You can install this module separately as hide-powered-by
.
helmet.xssFilter(options)
helmet.xssFilter
disables browsers' buggy cross-site scripting filter by setting the X-XSS-Protection
header to 0
. See discussion about disabling the header here and documentation on MDN.
This middleware takes no options.
Examples:
app.use(helmet.xssFilter());
You can install this module separately as x-xss-protection
.