Docs
Helmet is a collection of 13 middleware functions to help set some HTTP response headers.
First, run npm install helmet --save
for your app. Then, in an Express (or Connect) app:
const express = require('express')
const helmet = require('helmet')
const app = express()
app.use(helmet())
// ...
It’s best to use
Helmet early in your middleware stack so that its headers are sure to be set.
You can also use its pieces individually:
app.use(helmet.noCache())
app.use(helmet.frameguard())
You can disable a middleware that’s normally enabled by default. This will disable frameguard
but include the other defaults.
app.use(helmet({
frameguard: false
}))
You can also set options for a middleware. Setting options like this will always include the middleware, whether or not it’s a default.
app.use(helmet({
frameguard: {
action: 'deny'
}
}))
If you’re using Express 3, make sure these middlewares are listed before app.router
.
Visit each module’s page to learn more.
Module | Included by default? |
---|---|
contentSecurityPolicy for setting Content Security Policy | |
dnsPrefetchControl controls browser DNS prefetching | ✓ |
expectCt for handling Certificate Transparency | |
featurePolicy to limit your site’s features | |
frameguard to prevent clickjacking | ✓ |
hidePoweredBy to remove the X-Powered-By header | ✓ |
hsts for HTTP Strict Transport Security | ✓ |
ieNoOpen sets X-Download-Options for IE8+ | ✓ |
noCache to disable client-side caching | |
noSniff to keep clients from sniffing the MIME type | ✓ |
permittedCrossDomainPolicies for handling Adobe products’ crossdomain requests | |
referrerPolicy to hide the Referer header | |
xssFilter adds some small XSS protections | ✓ |