New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →

helmet

Package Overview

Dependencies

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies

Install

helmet

help secure Express/Connect apps with various HTTP headers

3.23.3
Source
npm

Version published: 5 years ago

Weekly downloads: 0; decreased by-100%

Maintainers: 2

Weekly downloads

Created: 13 years ago

What is helmet?

Helmet is a middleware for Express applications that helps secure your apps by setting various HTTP headers. It's not a silver bullet, but it can help prevent some well-known web vulnerabilities by setting headers appropriately.

What are helmet's main functionalities?

Content Security Policy

Sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.

app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "https://trustedscripts.example.com"],
    objectSrc: ["'none'"],
    upgradeInsecureRequests: [],
  }
}));

X-DNS-Prefetch-Control

Controls browser DNS prefetching, which can improve user privacy at the expense of performance.

app.use(helmet.dnsPrefetchControl({ allow: false }));

Expect-CT

Sets the Expect-CT header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.

app.use(helmet.expectCt({
  enforce: true,
  maxAge: 86400
}));

X-Frame-Options

Sets the X-Frame-Options header to control whether the browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>.

app.use(helmet.frameguard({ action: 'deny' }));

X-Powered-By

Removes the X-Powered-By header to make it slightly harder for attackers to see what potentially vulnerable technology powers your site.

app.use(helmet.hidePoweredBy());

Strict-Transport-Security

Sets the Strict-Transport-Security header to enforce secure (HTTP over SSL/TLS) connections to the server.

app.use(helmet.hsts({
  maxAge: 15552000,
  includeSubDomains: true
}));

X-Download-Options

Sets X-Download-Options for IE8+ to prevent others from embedding your site in an iframe.

app.use(helmet.ieNoOpen());

X-Content-Type-Options

Sets the X-Content-Type-Options header to prevent browsers from MIME-sniffing a response away from the declared content-type.

app.use(helmet.noSniff());

Referrer Policy

Sets the Referrer-Policy header to control what information is sent along with the requests.

app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));

X-XSS-Protection

Sets the X-XSS-Protection header to enable the Cross-site scripting (XSS) filter in most recent web browsers.

app.use(helmet.xssFilter());

Other packages similar to helmet

Helmet

Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!

Looking for a version of Helmet that supports the Koa framework?

Quick start

First, run npm install helmet --save for your app. Then, in an Express (or Connect) app:

const express = require("express");
const helmet = require("helmet");

const app = express();

app.use(helmet());

// ...

It's best to use Helmet early in your middleware stack so that its headers are sure to be set.

You can also use its pieces individually:

app.use(helmet.xssFilter());
app.use(helmet.frameguard());

You can disable a middleware that's normally enabled by default. This will disable frameguard but include the other defaults.

app.use(
  helmet({
    frameguard: false,
  })
);

You can also set options for a middleware. Setting options like this will always include the middleware, whether or not it's a default.

app.use(
  helmet({
    frameguard: {
      action: "deny",
    },
  })
);

If you're using Express 3, make sure these middlewares are listed before app.router.

How it works

Helmet is a collection of 11 smaller middleware functions that set HTTP response headers. Running app.use(helmet()) will not include all of these middleware functions by default.

Module	Default?
contentSecurityPolicy for setting Content Security Policy
crossdomain for handling Adobe products' crossdomain requests
dnsPrefetchControl controls browser DNS prefetching	✓
expectCt for handling Certificate Transparency
frameguard to prevent clickjacking	✓
hidePoweredBy to remove the X-Powered-By header	✓
hsts for HTTP Strict Transport Security	✓
ieNoOpen sets X-Download-Options for IE8+	✓
noSniff to keep clients from sniffing the MIME type	✓
referrerPolicy to hide the Referer header
xssFilter adds some small XSS protections	✓

You can see more in the documentation.

3.23.3 - 2020-06-26

Changed

helmet.expectCt is no longer a separate package. This should have no effect on end users.
helmet.frameguard is no longer a separate package. This should have no effect on end users.

Keywords

FAQs

What is helmet?

Is helmet popular?

Is helmet well maintained?

Package last updated on 26 Jun 2020

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install