Helmet helps you secure your Express apps by setting various HTTP headers. It’s not a silver bullet, but it can help!
npm install helmet --save for your app. Then, in an Express app:
const express = require('express') const helmet = require('helmet') const app = express() app.use(helmet()) // ...
That’s it! Helmet will set various HTTP headers to help protect your app.
How it works
Helmet is a collection of 14 smaller middleware functions that set HTTP response headers. Running
app.use(helmet()) will not include all of these middleware functions by default.
You can see more in the documentation.
|contentSecurityPolicy for setting Content Security Policy|
|crossdomain for handling Adobe products’ crossdomain requests|
|dnsPrefetchControl controls browser DNS prefetching||✓|
|expectCt for handling Certificate Transparency|
|featurePolicy to limit your site’s features|
|frameguard to prevent clickjacking||✓|
|hidePoweredBy to remove the X-Powered-By header||✓|
|hpkp for HTTP Public Key Pinning|
|hsts for HTTP Strict Transport Security||✓|
|ieNoOpen sets X-Download-Options for IE8+||✓|
|noCache to disable client-side caching|
|noSniff to keep clients from sniffing the MIME type||✓|
|referrerPolicy to hide the Referer header|
|xssFilter adds some small XSS protections||✓|