Given that it works with Express, Helmet is also a piece of middleware. Its installation and setup are rather easy, fortunately. Using npm takes care of the first part:
```
npm install helmet --save
```
Putting Helmet to work is just a matter of adding it at the top of the middleware stack:
```
const helmet = require("helmet");
app.use(helmet());
```
You're all set! By default, Helmet enables the following list of security measures, all of which imply adding, changing, or removing specific headers from your response to a request. For more documentation on specific headers or options, check out https://helmetjs.github.io/docs/:
| Module | Effect |
| --- | --- |
| dnsPrefetchControl | Sets the X-DNS-Prefetch-Control header to disable browser prefetching (requests made before the user has even clicked a link), avoiding the privacy implications for users, who may appear to be visiting pages they aren't actually visiting (https://helmetjs.github.io/docs/dns-prefetch-control). |
| frameguard | Sets the X-Frame-Options header to prevent your page from being shown in an iframe, and thus avoids some clickjacking attacks that may cause you to unwittingly click on hidden links (https://helmetjs.github.io/docs/frameguard/). |
| hidePoweredBy | Removes the X-Powered-By header, if present, so that would-be attackers won't know what technology powers the server, making targeting and taking advantage of vulnerabilities a bit harder (https://helmetjs.github.io/docs/hide-powered-by). |
| hsts | Sets the Strict-Transport-Security header so that browsers will keep using HTTPS instead of switching to insecure HTTP (https://helmetjs.github.io/docs/hsts/). |
| ieNoOpen | Sets the X-Download-Options header to prevent old versions of Internet Explorer from downloading untrusted HTML in your pages (https://helmetjs.github.io/docs/ienoopen). |
| noSniff | Sets the X-Content-Type-Options header to prevent browsers from trying to sniff (guess) the MIME type of a downloaded file, to disable some attacks (https://helmetjs.github.io/docs/dont-sniff-mimetype). |
| xssFilter | Sets the X-XSS-Protection header to disable some forms of Cross-site scripting (XSS) attacks, in which you could unwittingly run JS code on your page by clicking a link (https://helmetjs.github.io/docs/xss-filter). |
You can also opt to enable some extra options, if they apply to your requirements. For notes on how to do this, check out Helmet's documentation at https://helmetjs.github.io/docs/: the package, now at version 3.12.0, is often updated, and a plain npm install may not be enough to enable the newer features. Take a look at the following table:
| Module | Effect |
| --- | --- |
| contentSecurityPolicy | Lets you configure the Content-Security-Policy header to specify what things are allowed to be on your page, and where they may be downloaded from (https://helmetjs.github.io/docs/xss-filter). |
| expectCt | Allows you to set the Expect-CT header to require Certificate Transparency (CT), to detect possibly invalid certificates or authorities (https://helmetjs.github.io/docs/expect-ct/). |
| hpkp | Lets you configure the Public-Key-Pins header to prevent some possible person-in-the-middle attacks, by detecting possibly compromised certificates (https://helmetjs.github.io/docs/hpkp/). |
| noCache | Sets several headers to prevent users from using old cached versions of files, which might have vulnerabilities or errors, despite newer versions being available (https://helmetjs.github.io/docs/nocache/). |
| referrerPolicy | Lets you set the Referrer-Policy header to make browsers hide information as to the origin of a request, avoiding some possible privacy problems (https://helmetjs.github.io/docs/referrer-policy). |
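Adding Helmet is only half the job: you also want to confirm that the headers from the two tables actually reach the client. The following is an added example, not Helmet's own code, that audits a response's headers against those protections; `MIN_HSTS_MAX_AGE` is a threshold chosen for the example, and the two sample header sets are constructed (one modelled on what `helmet()` emits by default, one from a bare Express app).

```javascript
// Added example, not Helmet's own code: audit a response's headers against the
// protections in the two tables above. Keys are lowercase, as Node's
// res.getHeaders() and req.headers present them.
const MIN_HSTS_MAX_AGE = 15552000; // 180 days; a threshold chosen for this example

// Checks for the headers Helmet enables by default. Each returns a finding
// string when the header is missing or weak, or null when it is fine.
const DEFAULT_CHECKS = [
  (h) => ("x-powered-by" in h ? "X-Powered-By still discloses the server stack" : null),
  (h) => (h["x-dns-prefetch-control"] === "off" ? null : "X-DNS-Prefetch-Control is not 'off'"),
  (h) => (["deny", "sameorigin"].includes(String(h["x-frame-options"]).toLowerCase())
    ? null : "X-Frame-Options missing or not DENY/SAMEORIGIN"),
  (h) => (h["x-download-options"] === "noopen" ? null : "X-Download-Options is not 'noopen'"),
  (h) => (h["x-content-type-options"] === "nosniff" ? null : "X-Content-Type-Options is not 'nosniff'"),
  (h) => ("x-xss-protection" in h ? null : "X-XSS-Protection is not set"),
  (h) => {
    const m = /max-age=(\d+)/i.exec(h["strict-transport-security"] || "");
    if (!m) return "Strict-Transport-Security missing or without max-age";
    return Number(m[1]) >= MIN_HSTS_MAX_AGE ? null : `HSTS max-age ${m[1]} is below ${MIN_HSTS_MAX_AGE}`;
  },
];

// Opt-in headers from the second table; reported as advisories, not failures.
const OPTIONAL_CHECKS = [
  (h) => ("content-security-policy" in h ? null : "advisory: no Content-Security-Policy"),
  (h) => ("referrer-policy" in h ? null : "advisory: no Referrer-Policy"),
];

// Returns all findings; an empty array means every default protection is present.
function auditSecurityHeaders(headers, { includeOptional = false } = {}) {
  const checks = includeOptional ? DEFAULT_CHECKS.concat(OPTIONAL_CHECKS) : DEFAULT_CHECKS;
  return checks.map((check) => check(headers)).filter((f) => f !== null);
}

// Constructed sample responses: one modelled on what helmet() emits by default,
// one from a bare Express app that has not loaded Helmet at all.
const HELMET_DEFAULTS = {
  "x-dns-prefetch-control": "off",
  "x-frame-options": "SAMEORIGIN",
  "strict-transport-security": "max-age=15552000; includeSubDomains",
  "x-download-options": "noopen",
  "x-content-type-options": "nosniff",
  "x-xss-protection": "1; mode=block",
  "content-type": "text/html; charset=utf-8",
};
const BARE_EXPRESS = { "x-powered-by": "Express", "content-type": "text/html; charset=utf-8" };

console.log(auditSecurityHeaders(HELMET_DEFAULTS));                         // []
console.log(auditSecurityHeaders(BARE_EXPRESS, { includeOptional: true })); // 9 findings
```

In an Express app the same function can run against `res.getHeaders()` inside an integration test, so a misplaced `app.use(helmet())` or a route that overrides a header is caught before deployment.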