Helmet.js

Conditionally setting header options

To change a header conditionally, create your own small middleware function that conditionally calls different invocations of Helmet. Each Helmet invocation is itself an Express middleware, so your wrapper just picks one and forwards `(req, res, next)` to it.

For example, you could decide to conditionally change the Referrer Policy for a subset of users. Here's how that could look:

const express = require("express");
const helmet = require("helmet");

const app = express();

// Build both variants once, at startup; each is an ordinary middleware.
const helmetWithNoReferrer = helmet({ referrerPolicy: { policy: "no-referrer" } });
const helmetWithSameOrigin = helmet({ referrerPolicy: { policy: "same-origin" } });

app.use((req, res, next) => {
  // Assumes earlier middleware (e.g. authentication) has populated req.user.
  if (req.user.useSameOrigin) {
    helmetWithSameOrigin(req, res, next);
  } else {
    helmetWithNoReferrer(req, res, next);
  }
});

As a special case, Content-Security-Policy directive values may be functions, which Helmet calls with `(req, res)` on every request, so that header can be varied per request without a wrapper middleware. For example, here's how to use a CSP nonce:

const crypto = require("crypto");

// Mint a fresh, unpredictable nonce for each request and expose it on
// res.locals so templates can place it on <script nonce="..."> tags.
app.use((req, res, next) => {
  res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
  next();
});
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        // The function is evaluated per request, so the header carries
        // this request's nonce rather than a value fixed at startup.
        scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
      },
    },
  })
);