Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!
Run `npm install helmet --save` for your app. Then, in an Express (or Connect) app:

```js
const express = require('express')
const helmet = require('helmet')

const app = express()

// Mount Helmet before your routes so its headers are set on every response.
app.use(helmet())
// ...
```
It's best to use Helmet early in your middleware stack so that its headers are sure to be set.
You can also use its pieces individually:
You can disable a middleware that's normally enabled by default. This will disable `frameguard` but include the other defaults.
You can also set options for a middleware. Setting options like this will always include the middleware, whether or not it's a default.
If you're using Express 3, make sure these middlewares are listed before
How it works
Helmet is a collection of 12 smaller middleware functions that set HTTP headers. Running `app.use(helmet())` will not include all of these middleware functions by default.
| Module | Default? |
| --- | --- |
| `contentSecurityPolicy` for setting Content Security Policy | |
| `expectCt` for handling Certificate Transparency | |
| `dnsPrefetchControl` controls browser DNS prefetching | ✓ |
| `frameguard` to prevent clickjacking | ✓ |
| `hidePoweredBy` to remove the X-Powered-By header | ✓ |
| `hpkp` for HTTP Public Key Pinning | |
| `hsts` for HTTP Strict Transport Security | ✓ |
| `ieNoOpen` sets X-Download-Options for IE8+ | ✓ |
| `noCache` to disable client-side caching | |
| `noSniff` to keep clients from sniffing the MIME type | ✓ |
| `referrerPolicy` to hide the Referer header | |
| `xssFilter` adds some small XSS protections | ✓ |
You can see more in the documentation.
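As an added check (not code from the Helmet README), the snippet below audits a response's headers for the seven protections marked as defaults above, so you can confirm a deployed app actually sends them, for example from `res.getHeaders()` in a test or from a fetched response. The header names and values are Helmet 3.x defaults as I know them, and `auditHelmetDefaults` and the sample header sets are my own constructions; verify the expected values against the Helmet version you run.

```javascript
// Added example, not Helmet's own code. Expected values are Helmet 3.x defaults
// as I understand them (assumption: check against your installed version).
const DEFAULT_CHECKS = [
  { middleware: 'dnsPrefetchControl', header: 'x-dns-prefetch-control',    expect: 'off' },
  { middleware: 'frameguard',         header: 'x-frame-options',           expect: 'sameorigin' },
  { middleware: 'hsts',               header: 'strict-transport-security', expect: 'max-age=' },
  { middleware: 'ieNoOpen',           header: 'x-download-options',        expect: 'noopen' },
  { middleware: 'noSniff',            header: 'x-content-type-options',    expect: 'nosniff' },
  { middleware: 'xssFilter',          header: 'x-xss-protection',          expect: '1; mode=block' },
  // hidePoweredBy is satisfied by the *absence* of X-Powered-By.
  { middleware: 'hidePoweredBy',      header: 'x-powered-by',              absent: true },
];

// Node lowercases header names in res.getHeaders() / IncomingMessage.headers,
// but hand-built objects may not be; normalize keys and flatten array values.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    out[k.toLowerCase()] = Array.isArray(v) ? v.join(', ') : String(v);
  }
  return out;
}

// Returns which default middlewares appear to be active ("ok") and which are
// not ("missing"). A deliberately disabled one, e.g. helmet({ frameguard: false }),
// shows up under "missing", which is the expected result in that case.
function auditHelmetDefaults(headers) {
  const h = normalize(headers);
  const ok = [], missing = [];
  for (const c of DEFAULT_CHECKS) {
    const value = h[c.header];
    const pass = c.absent
      ? value === undefined
      : value !== undefined && value.toLowerCase().includes(c.expect);
    (pass ? ok : missing).push(c.middleware);
  }
  return { ok, missing };
}

// Constructed sample: what a bare Express app sends without Helmet.
const withoutHelmet = { 'X-Powered-By': 'Express', 'Content-Type': 'text/html' };
// Constructed sample: headers after app.use(helmet()) with the defaults.
const withHelmet = {
  'x-dns-prefetch-control': 'off',
  'x-frame-options': 'SAMEORIGIN',
  'strict-transport-security': 'max-age=15552000; includeSubDomains',
  'x-download-options': 'noopen',
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '1; mode=block',
  'content-type': 'text/html',
};

console.log(auditHelmetDefaults(withoutHelmet), auditHelmetDefaults(withHelmet));
```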