[](https://badge.fury.io/js/helmet) [](https://app.fossa.io/projects/git%2Bhttps%3A%2F%
Helmet is a middleware for Express applications that helps secure your apps by setting various HTTP headers. It's not a silver bullet, but it can help prevent some well-known web vulnerabilities by setting headers appropriately.
Content Security Policy
Sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "https://trustedscripts.example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
}
}));X-DNS-Prefetch-Control
Controls browser DNS prefetching, which can improve user privacy at the expense of performance.
app.use(helmet.dnsPrefetchControl({ allow: false }));Expect-CT
Sets the Expect-CT header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.
app.use(helmet.expectCt({
enforce: true,
maxAge: 86400
}));X-Frame-Options
Sets the X-Frame-Options header to control whether the browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>.
app.use(helmet.frameguard({ action: 'deny' }));X-Powered-By
Removes the X-Powered-By header to make it slightly harder for attackers to see what potentially vulnerable technology powers your site.
app.use(helmet.hidePoweredBy());Strict-Transport-Security
Sets the Strict-Transport-Security header to enforce secure (HTTP over SSL/TLS) connections to the server.
app.use(helmet.hsts({
maxAge: 15552000,
includeSubDomains: true
}));X-Download-Options
Sets X-Download-Options for IE8+ to prevent others from embedding your site in an iframe.
app.use(helmet.ieNoOpen());X-Content-Type-Options
Sets the X-Content-Type-Options header to prevent browsers from MIME-sniffing a response away from the declared content-type.
app.use(helmet.noSniff());Referrer Policy
Sets the Referrer-Policy header to control what information is sent along with the requests.
app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));X-XSS-Protection
Sets the X-XSS-Protection header to enable the Cross-site scripting (XSS) filter in most recent web browsers.
app.use(helmet.xssFilter());Lusca is another security middleware for Express applications that offers a variety of security features such as CSRF protection, CSP, X-Frame options, and more. It is similar to Helmet but allows for more granular configuration of security policies.
CORS is a package for providing a Connect/Express middleware that can be used to enable CORS (Cross-Origin Resource Sharing) with various options. While Helmet focuses on securing your app from various web vulnerabilities, CORS specifically provides middleware to enable CORS and manage cross-origin requests.
Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!
First, run npm install helmet for your app. Then, in an Express app:
const express = require("express")
const helmet = require("helmet")
const app = express()
app.use(helmet())
// ...
You can also use ECMAScript modules if you prefer.
import helmet from "helmet"
const app = express()
app.use(helmet())
By default, Helmet sets the following headers:
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
To set custom options for a header, add options like this:
// This sets custom options for the `referrerPolicy` middleware.
app.use(
helmet({
referrerPolicy: {policy: "no-referrer"}
})
)
You can also disable a middleware:
// This disables the `contentSecurityPolicy` middleware but keeps the rest.
app.use(
helmet({
contentSecurityPolicy: false
})
)
Helmet is Express middleware. (It also works with Connect or no library at all! If you need support for other frameworks or languages, see this list.)
The top-level helmet function is a wrapper around 14 smaller middlewares.
In other words, these two code snippets are equivalent:
import helmet from "helmet"
// ...
app.use(helmet())
import * as helmet from "helmet"
// ...
app.use(helmet.contentSecurityPolicy())
app.use(helmet.crossOriginEmbedderPolicy())
app.use(helmet.crossOriginOpenerPolicy())
app.use(helmet.crossOriginResourcePolicy())
app.use(helmet.dnsPrefetchControl())
app.use(helmet.frameguard())
app.use(helmet.hidePoweredBy())
app.use(helmet.hsts())
app.use(helmet.ieNoOpen())
app.use(helmet.noSniff())
app.use(helmet.originAgentCluster())
app.use(helmet.permittedCrossDomainPolicies())
app.use(helmet.referrerPolicy())
app.use(helmet.xssFilter())
helmet(options)Helmet is the top-level middleware for this module, including all 15 others.
// Includes all 15 middlewares
app.use(helmet())
If you want to disable one, pass options to helmet. For example, to disable frameguard:
// Includes 14 out of 15 middlewares, skipping `helmet.frameguard`
app.use(
helmet({
frameguard: false
})
)
Most of the middlewares have options, which are documented in more detail below. For example, to pass { action: "deny" } to frameguard:
// Includes all 15 middlewares, setting an option for `helmet.frameguard`
app.use(
helmet({
frameguard: {
action: "deny"
}
})
)
Each middleware's name is listed below.
helmet.contentSecurityPolicy(options)Default:
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
helmet.contentSecurityPolicy sets the Content-Security-Policy header which helps mitigate cross-site scripting attacks, among other things. See MDN's introductory article on Content Security Policy.
This middleware performs very little validation. You should rely on CSP checkers like CSP Evaluator instead.
options.directives is an object. Each key is a directive name in camel case (such as defaultSrc) or kebab case (such as default-src). Each value is an iterable (usually an array) of strings or functions for that directive. If a function appears in the iterable, it will be called with the request and response. The default-src can be explicitly disabled by setting its value to helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc.
These directives are merged into a default policy, which you can disable by setting options.useDefaults to false. Here is the default policy (whitespace added for readability):
default-src 'self';
base-uri 'self';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
options.reportOnly is a boolean, defaulting to false. If true, the Content-Security-Policy-Report-Only header will be set instead. If you want to set both the normal and Report-Only headers, see this code snippet.
You can also get the default directives object with helmet.contentSecurityPolicy.getDefaultDirectives().
Examples:
// Sets all of the defaults, but overrides `script-src` and disables the default `style-src`
app.use(
helmet.contentSecurityPolicy({
directives: {
"script-src": ["'self'", "example.com"],
"style-src": null
}
})
)
// Sets "Content-Security-Policy: default-src 'self';script-src 'self' example.com;object-src 'none';upgrade-insecure-requests"
app.use(
helmet.contentSecurityPolicy({
useDefaults: false,
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: []
}
})
)
// Sets the "Content-Security-Policy-Report-Only" header instead
app.use(
helmet.contentSecurityPolicy({
directives: {
/* ... */
},
reportOnly: true
})
)
// Sets the `script-src` directive to "'self' 'nonce-e33ccde670f149c1789b1e1e113b0916'" (or similar)
app.use((req, res, next) => {
res.locals.cspNonce = crypto.randomBytes(16).toString("hex")
next()
})
app.use(
helmet.contentSecurityPolicy({
directives: {
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`]
}
})
)
// Sets "Content-Security-Policy: script-src 'self'"
app.use(
helmet.contentSecurityPolicy({
useDefaults: false,
directives: {
"default-src": helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc,
"script-src": ["'self'"]
}
})
)
// Sets the `frame-ancestors` directive to "'none'"
// See also: `helmet.frameguard`
app.use(
helmet.contentSecurityPolicy({
directives: {
frameAncestors: ["'none'"]
}
})
)
You can install this module separately as helmet-csp.
helmet.crossOriginEmbedderPolicy(options)Default:
Cross-Origin-Embedder-Policy: require-corp
helmet.crossOriginEmbedderPolicy sets the Cross-Origin-Embedder-Policy header to require-corp. See MDN's article on this header for more.
Standalone example:
// Sets "Cross-Origin-Embedder-Policy: require-corp"
app.use(helmet.crossOriginEmbedderPolicy())
// Sets "Cross-Origin-Embedder-Policy: credentialless"
app.use(helmet.crossOriginEmbedderPolicy({policy: "credentialless"}))
You can't install this module separately.
helmet.crossOriginOpenerPolicy()Cross-Origin-Opener-Policy: same-origin
helmet.crossOriginOpenerPolicy sets the Cross-Origin-Opener-Policy header. For more, see MDN's article on this header.
Example usage with Helmet:
// Uses the default Helmet options and adds the `crossOriginOpenerPolicy` middleware.
// Sets "Cross-Origin-Opener-Policy: same-origin"
app.use(helmet({crossOriginOpenerPolicy: true}))
// Sets "Cross-Origin-Opener-Policy: same-origin-allow-popups"
app.use(helmet({crossOriginOpenerPolicy: {policy: "same-origin-allow-popups"}}))
Standalone example:
// Sets "Cross-Origin-Opener-Policy: same-origin"
app.use(helmet.crossOriginOpenerPolicy())
// Sets "Cross-Origin-Opener-Policy: same-origin-allow-popups"
app.use(helmet.crossOriginOpenerPolicy({policy: "same-origin-allow-popups"}))
// Sets "unsafe-none-Opener-Policy: unsafe-none"
app.use(helmet.crossOriginOpenerPolicy({policy: "unsafe-none"}))
You can't install this module separately.
helmet.crossOriginResourcePolicy()Default:
Cross-Origin-Resource-Policy: same-origin
helmet.crossOriginResourcePolicy sets the Cross-Origin-Resource-Policy header. For more, see "Consider deploying Cross-Origin Resource Policy and MDN's article on this header.
Example usage with Helmet:
// Uses the default Helmet options and adds the `crossOriginResourcePolicy` middleware.
// Sets "Cross-Origin-Resource-Policy: same-origin"
app.use(helmet({crossOriginResourcePolicy: true}))
// Sets "Cross-Origin-Resource-Policy: same-site"
app.use(helmet({crossOriginResourcePolicy: {policy: "same-site"}}))
Standalone example:
// Sets "Cross-Origin-Resource-Policy: same-origin"
app.use(helmet.crossOriginResourcePolicy())
// Sets "Cross-Origin-Resource-Policy: same-site"
app.use(helmet.crossOriginResourcePolicy({policy: "same-site"}))
// Sets "Cross-Origin-Resource-Policy: cross-origin"
app.use(helmet.crossOriginResourcePolicy({policy: "cross-origin"}))
You can install this module separately as cross-origin-resource-policy.
helmet.expectCt(options)Default:
Expect-CT: max-age=0
helmet.expectCt sets the Expect-CT header which helps mitigate misissued SSL certificates. See MDN's article on Certificate Transparency and the Expect-CT header for more.
Expect-CT is no longer useful for new browsers in 2022. Therefore, helmet.expectCt is deprecated and will be removed in the next major version of Helmet. However, it can still be used in this version of Helmet.
options.maxAge is the number of seconds to expect Certificate Transparency. It defaults to 0.
options.enforce is a boolean. If true, the user agent (usually a browser) should refuse future connections that violate its Certificate Transparency policy. Defaults to false.
options.reportUri is a string. If set, complying user agents will report Certificate Transparency failures to this URL. Unset by default.
Examples:
// Sets "Expect-CT: max-age=86400"
app.use(
helmet.expectCt({
maxAge: 86400
})
)
// Sets "Expect-CT: max-age=86400, enforce, report-uri="https://example.com/report"
app.use(
helmet.expectCt({
maxAge: 86400,
enforce: true,
reportUri: "https://example.com/report"
})
)
You can install this module separately as expect-ct.
helmet.referrerPolicy(options)Default:
Referrer-Policy: no-referrer
helmet.referrerPolicy sets the Referrer-Policy header which controls what information is set in the Referer header. See "Referer header: privacy and security concerns" and the header's documentation on MDN for more.
options.policy is a string or array of strings representing the policy. If passed as an array, it will be joined with commas, which is useful when setting a fallback policy. It defaults to no-referrer.
Examples:
// Sets "Referrer-Policy: no-referrer"
app.use(
helmet.referrerPolicy({
policy: "no-referrer"
})
)
// Sets "Referrer-Policy: origin,unsafe-url"
app.use(
helmet.referrerPolicy({
policy: ["origin", "unsafe-url"]
})
)
You can install this module separately as referrer-policy.
helmet.hsts(options)Default:
Strict-Transport-Security: max-age=15552000; includeSubDomains
helmet.hsts sets the Strict-Transport-Security header which tells browsers to prefer HTTPS over insecure HTTP. See the documentation on MDN for more.
options.maxAge is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. It defaults to 15552000, which is 180 days.
options.includeSubDomains is a boolean which dictates whether to include the includeSubDomains directive, which makes this policy extend to subdomains. It defaults to true.
options.preload is a boolean. If true, it adds the preload directive, expressing intent to add your HSTS policy to browsers. See the "Preloading Strict Transport Security" section on MDN for more. It defaults to false.
Examples:
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains"
app.use(
helmet.hsts({
maxAge: 123456
})
)
// Sets "Strict-Transport-Security: max-age=123456"
app.use(
helmet.hsts({
maxAge: 123456,
includeSubDomains: false
})
)
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains; preload"
app.use(
helmet.hsts({
maxAge: 63072000,
preload: true
})
)
You can install this module separately as hsts.
helmet.noSniff()Default:
X-Content-Type-Options: nosniff
helmet.noSniff sets the X-Content-Type-Options header to nosniff. This mitigates MIME type sniffing which can cause security vulnerabilities. See documentation for this header on MDN for more.
This middleware takes no options.
Example:
// Sets "X-Content-Type-Options: nosniff"
app.use(helmet.noSniff())
You can install this module separately as dont-sniff-mimetype.
helmet.originAgentCluster()Default:
Origin-Agent-Cluster: ?1
helmet.originAgentCluster sets the Origin-Agent-Cluster header, which provides a mechanism to allow web applications to isolate their origins. Read more about it in the spec.
Standalone example:
// Sets "Origin-Agent-Cluster: ?1"
app.use(helmet.originAgentCluster())
You can't install this module separately.
helmet.dnsPrefetchControl(options)Default:
X-DNS-Prefetch-Control: off
helmet.dnsPrefetchControl sets the X-DNS-Prefetch-Control header to help control DNS prefetching, which can improve user privacy at the expense of performance. See documentation on MDN for more.
options.allow is a boolean dictating whether to enable DNS prefetching. It defaults to false.
Examples:
// Sets "X-DNS-Prefetch-Control: off"
app.use(
helmet.dnsPrefetchControl({
allow: false
})
)
// Sets "X-DNS-Prefetch-Control: on"
app.use(
helmet.dnsPrefetchControl({
allow: true
})
)
You can install this module separately as dns-prefetch-control.
helmet.ieNoOpen()Default:
X-Download-Options: noopen
helmet.ieNoOpen sets the X-Download-Options header, which is specific to Internet Explorer 8. It forces potentially-unsafe downloads to be saved, mitigating execution of HTML in your site's context. For more, see this old post on MSDN.
This middleware takes no options.
Examples:
// Sets "X-Download-Options: noopen"
app.use(helmet.ieNoOpen())
You can install this module separately as ienoopen.
helmet.frameguard(options)Default:
X-Frame-Options: SAMEORIGIN
helmet.frameguard sets the X-Frame-Options header to help you mitigate clickjacking attacks. This header is superseded by the frame-ancestors Content Security Policy directive but is still useful on old browsers. For more, see helmet.contentSecurityPolicy, as well as the documentation on MDN.
options.action is a string that specifies which directive to use—either DENY or SAMEORIGIN. (A legacy directive, ALLOW-FROM, is not supported by this middleware. Read more here.) It defaults to SAMEORIGIN.
Examples:
// Sets "X-Frame-Options: DENY"
app.use(
helmet.frameguard({
action: "deny"
})
)
// Sets "X-Frame-Options: SAMEORIGIN"
app.use(
helmet.frameguard({
action: "sameorigin"
})
)
You can install this module separately as frameguard.
helmet.permittedCrossDomainPolicies(options)Default:
X-Permitted-Cross-Domain-Policies: none
helmet.permittedCrossDomainPolicies sets the X-Permitted-Cross-Domain-Policies header, which tells some clients (mostly Adobe products) your domain's policy for loading cross-domain content. See the description on OWASP for more.
options.permittedPolicies is a string that must be "none", "master-only", "by-content-type", or "all". It defaults to "none".
Examples:
// Sets "X-Permitted-Cross-Domain-Policies: none"
app.use(
helmet.permittedCrossDomainPolicies({
permittedPolicies: "none"
})
)
// Sets "X-Permitted-Cross-Domain-Policies: by-content-type"
app.use(
helmet.permittedCrossDomainPolicies({
permittedPolicies: "by-content-type"
})
)
You can install this module separately as helmet-crossdomain.
helmet.hidePoweredBy()Default: the X-Powered-By header, if present, is omitted.
helmet.hidePoweredBy removes the X-Powered-By header, which is set by default in some frameworks (like Express). Removing the header offers very limited security benefits (see this discussion) and is mostly removed to save bandwidth.
This middleware takes no options.
Note: Express has a built-in way to disable the X-Powered-By header, which you may wish to use instead of this middleware.
Examples:
// Removes the X-Powered-By header if it was set.
app.use(helmet.hidePoweredBy())
You can install this module separately as hide-powered-by.
helmet.xssFilter()Default:
X-XSS-Protection: 0
helmet.xssFilter disables browsers' buggy cross-site scripting filter by setting the X-XSS-Protection header to 0. See discussion about disabling the header here and documentation on MDN.
This middleware takes no options.
Examples:
// Sets "X-XSS-Protection: 0"
app.use(helmet.xssFilter())
You can install this module separately as x-xss-protection.
6.1.0 - 2023-04-08
FAQs
help secure Express/Connect apps with various HTTP headers
The npm package helmet receives a total of 1,306,108 weekly downloads. As such, helmet popularity was classified as popular.
We found that helmet demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.
Security News
vlt introduced its new package manager and a serverless registry this week, innovating in a space where npm has stagnated.