How it works...

There is not much more to be said about using Helmet. After you add it to the middleware stack and configure what to enable or disable, possibly giving some options as detailed in the documentation, Helmet will simply ensure that the headers included in any response follow the security considerations that we listed in the preceding section.

Let's do a quick check. If you run our hello_world.js server, the response for http://localhost:8080/ will include these headers:

Connection: keep-alive
Content-Length: 27
Content-Type: text/html; charset=utf-8
Date: Wed, 16 May 2018 01:57:10 GMT
ETag: W/"1b-bpQ4Q2jOe/d4pXTjItXGP42U4V0"
X-Powered-By: Express

The same request, but running helmet_world.js, which is essentially the same code but adding Helmet, shows more headers. The additional ones are the Strict-Transport-Security line and the X-* lines that follow it, and note that the X-Powered-By header from the previous output is no longer sent:

Connection: keep-alive
Content-Length: 27
Content-Type: text/html; charset=utf-8
Date: Wed, 16 May 2018 01:58:50 GMT
ETag: W/"1b-bpQ4Q2jOe/d4pXTjItXGP42U4V0"
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

You would get even more headers if you were to individually enable some of the optional features, but the difference is clear: we managed to add some security controls with essentially zero coding!
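To make the "before and after" concrete, here is an added example (not code from the book or from the Helmet project) that does two things with no dependencies: a small Express-style middleware that sets the same default headers Helmet produced in the helmet_world.js output above and drops X-Powered-By, and an audit function that a defender can run over any captured set of response headers to report what is missing, mismatched, or leaking. The expected header values are taken from the helmet_world.js output on this page; the fake response object and the sample hello_world.js headers are constructed here so the example runs offline.

```javascript
'use strict';

// Expected security headers, copied from the helmet_world.js response shown above.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-DNS-Prefetch-Control': 'off',
  'X-Download-Options': 'noopen',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-XSS-Protection': '1; mode=block',
};

// Headers that advertise the framework; Helmet's output above no longer carries this one.
const LEAKY_HEADERS = ['X-Powered-By'];

// Express-style middleware with the usual (req, res, next) signature.
// Mount it with app.use(securityHeaders) before your routes.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  for (const name of LEAKY_HEADERS) {
    res.removeHeader(name);
  }
  if (typeof next === 'function') next();
}

// Audit a headers object (e.g. res.getHeaders() or headers parsed from a capture).
// Header names are case-insensitive, so compare on lower-cased keys.
function auditSecurityHeaders(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = String(value);
  }
  const missing = [];
  const mismatched = [];
  for (const [name, expected] of Object.entries(SECURITY_HEADERS)) {
    const actual = lower[name.toLowerCase()];
    if (actual === undefined) missing.push(name);
    else if (actual !== expected) mismatched.push({ name, expected, actual });
  }
  const leaking = LEAKY_HEADERS.filter((n) => lower[n.toLowerCase()] !== undefined);
  const ok = missing.length === 0 && mismatched.length === 0 && leaking.length === 0;
  return { ok, missing, mismatched, leaking };
}

// Minimal stand-in for a Node/Express response so the example runs without a server (constructed).
function makeFakeResponse(initialHeaders = {}) {
  const bag = { ...initialHeaders };
  return {
    setHeader: (name, value) => { bag[name] = value; },
    removeHeader: (name) => { delete bag[name]; },
    getHeaders: () => ({ ...bag }),
  };
}

// Constructed sample: the hello_world.js response headers shown on this page.
const HELLO_WORLD_HEADERS = {
  Connection: 'keep-alive',
  'Content-Length': '27',
  'Content-Type': 'text/html; charset=utf-8',
  'X-Powered-By': 'Express',
};

// Run the "before" headers through the middleware and audit both states.
const res = makeFakeResponse(HELLO_WORLD_HEADERS);
securityHeaders({}, res, () => {});
console.log('before:', auditSecurityHeaders(HELLO_WORLD_HEADERS)); // six missing, X-Powered-By leaking
console.log('after: ', auditSecurityHeaders(res.getHeaders()));     // ok: true
```

The audit is the part worth keeping around: point it at the headers of a real deployment (a reverse proxy or CDN in front of Express can strip or rewrite what Helmet set) and it tells you whether the controls actually reached the client.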

As with all security measures, it's necessary to keep track of Helmet's evolving functionality so that you can add or remove middleware options as needed, and protect your server against new threats.