Helmet helps you secure your Express apps by setting various HTTP headers. It’s not a silver bullet, but it can help!
## Quick start
First, run `npm install helmet --save` for your app. Then, in an Express app:
```javascript
var express = require('express')
var helmet = require('helmet')
var app = express()
// Mount Helmet before your routes so every response gets the headers
app.use(helmet())
// ...
```
That’s it! Helmet will set various HTTP headers to help protect your app.
## How it works
Helmet is a collection of 12 smaller middleware functions that set HTTP headers. Running `app.use(helmet())` will not include all of these middleware functions by default.
You can see more in the documentation.
| Module | Default? |
|---|---|
| `contentSecurityPolicy` for setting Content Security Policy | |
| `expectCt` for handling Certificate Transparency | |
| `dnsPrefetchControl` controls browser DNS prefetching | ✓ |
| `frameguard` to prevent clickjacking | ✓ |
| `hidePoweredBy` to remove the X-Powered-By header | ✓ |
| `hpkp` for HTTP Public Key Pinning | |
| `hsts` for HTTP Strict Transport Security | ✓ |
| `ieNoOpen` sets X-Download-Options for IE8+ | ✓ |
| `noCache` to disable client-side caching | |
| `noSniff` to keep clients from sniffing the MIME type | ✓ |
| `referrerPolicy` to hide the Referer header | |
| `xssFilter` adds some small XSS protections | ✓ |
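To make the composition model concrete, here is an added, self-contained model of how `helmet()` chains one small middleware per header and how you can check which headers a given configuration actually emits. It is illustrative code written for this page, not Helmet's source: the header values are the well-known Helmet defaults, the `helmetLike` and `headersFor` names are assumptions, and the response object is constructed so it runs without Express.

```javascript
// One (req, res, next) middleware per header, mirroring Helmet's design.
// Values assumed to match Helmet's defaults; CSP/Referrer values are constructed examples.
const middlewares = {
  dnsPrefetchControl: (req, res, next) => { res.setHeader('X-DNS-Prefetch-Control', 'off'); next(); },
  frameguard:         (req, res, next) => { res.setHeader('X-Frame-Options', 'SAMEORIGIN'); next(); },
  hidePoweredBy:      (req, res, next) => { res.removeHeader('X-Powered-By'); next(); },
  hsts:               (req, res, next) => { res.setHeader('Strict-Transport-Security', 'max-age=15552000; includeSubDomains'); next(); },
  ieNoOpen:           (req, res, next) => { res.setHeader('X-Download-Options', 'noopen'); next(); },
  noSniff:            (req, res, next) => { res.setHeader('X-Content-Type-Options', 'nosniff'); next(); },
  xssFilter:          (req, res, next) => { res.setHeader('X-XSS-Protection', '1; mode=block'); next(); },
  // Opt-in modules: only run when the caller enables them.
  contentSecurityPolicy: (req, res, next) => { res.setHeader('Content-Security-Policy', "default-src 'self'"); next(); },
  referrerPolicy:     (req, res, next) => { res.setHeader('Referrer-Policy', 'no-referrer'); next(); },
};

// The seven modules helmet() turns on when called with no options.
const DEFAULT_ON = ['dnsPrefetchControl', 'frameguard', 'hidePoweredBy', 'hsts', 'ieNoOpen', 'noSniff', 'xssFilter'];

// helmetLike({ contentSecurityPolicy: true, frameguard: false }) returns one
// middleware that runs the enabled sub-middlewares in order, then calls next().
function helmetLike(options = {}) {
  const enabled = Object.keys(middlewares).filter(name =>
    name in options ? options[name] !== false : DEFAULT_ON.includes(name));
  return (req, res, next) => {
    let i = 0;
    const run = () => (i < enabled.length ? middlewares[enabled[i++]](req, res, run) : next());
    run();
  };
}

// Run the composed middleware against a constructed response and return the
// resulting headers (lower-cased), so a configuration can be checked in a test.
function headersFor(options) {
  const headers = { 'x-powered-by': 'Express' }; // Express adds this by default
  const res = {
    setHeader: (name, value) => { headers[name.toLowerCase()] = value; },
    removeHeader: (name) => { delete headers[name.toLowerCase()]; },
  };
  helmetLike(options)({}, res, () => {});
  return headers;
}
```

The same `headersFor` check works against a real Express app by issuing a request and reading `response.headers`, which is the practical way to confirm that an opt-in module such as `contentSecurityPolicy` was actually enabled.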