Helmet

Help secure Express apps with various HTTP headers.


Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!

Looking for a version of Helmet that supports the Koa framework?

Quick start

First, run npm install helmet --save for your app. Then, in an Express (or Connect) app:

const express = require('express')
const helmet = require('helmet')

const app = express()

app.use(helmet())

// ...

It's best to use Helmet early in your middleware stack so that its headers are sure to be set.

You can also use its pieces individually:

app.use(helmet.xssFilter())
app.use(helmet.frameguard())

You can disable a middleware that's normally enabled by default. This will disable frameguard but include the other defaults.

app.use(helmet({
  frameguard: false
}))

You can also set options for a middleware. Setting options like this will always include the middleware, whether or not it's a default.

app.use(helmet({
  frameguard: {
    action: 'deny'
  }
}))

If you're using Express 3, make sure these middlewares are listed before app.router.

How it works

Helmet is a collection of 14 smaller middleware functions that set HTTP response headers. Running app.use(helmet()) will not include all of these middleware functions by default.

| Module | Default? |
| --- | --- |
| contentSecurityPolicy for setting Content Security Policy | |
| crossdomain for handling Adobe products' crossdomain requests | |
| dnsPrefetchControl controls browser DNS prefetching | ✓ |
| expectCt for handling Certificate Transparency | |
| featurePolicy to limit your site's features | |
| frameguard to prevent clickjacking | ✓ |
| hidePoweredBy to remove the X-Powered-By header | ✓ |
| hpkp for HTTP Public Key Pinning | |
| hsts for HTTP Strict Transport Security | ✓ |
| ieNoOpen sets X-Download-Options for IE8+ | ✓ |
| noCache to disable client-side caching | |
| noSniff to keep clients from sniffing the MIME type | ✓ |
| referrerPolicy to hide the Referer header | |
| xssFilter adds some small XSS protections | ✓ |

You can see more in the documentation.
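To check that the default modules listed above actually took effect, and to see why middleware order matters, here is an added example (not code from the Helmet project). It assumes the standard header names for each default module; `runStack` and `setSecurityHeaders` are hypothetical stand-ins for a Connect-style chain and for the header-setting middleware, with constructed header values.

```javascript
// Added example: audits response headers against the modules marked as
// default. Header names for dnsPrefetchControl, frameguard, hsts, noSniff
// and xssFilter are the standard ones, not quoted from the page.
const DEFAULT_MODULES = {
  dnsPrefetchControl: 'x-dns-prefetch-control',
  frameguard: 'x-frame-options',
  hsts: 'strict-transport-security',
  ieNoOpen: 'x-download-options',
  noSniff: 'x-content-type-options',
  xssFilter: 'x-xss-protection'
}

// Returns the default modules whose effect is missing from `headers`.
function auditHeaders (headers) {
  const seen = new Set(Object.keys(headers).map((name) => name.toLowerCase()))
  const missing = Object.keys(DEFAULT_MODULES)
    .filter((mod) => !seen.has(DEFAULT_MODULES[mod]))
  // hidePoweredBy works by removal, so the header's presence is the finding.
  if (seen.has('x-powered-by')) missing.push('hidePoweredBy')
  return missing
}

// Hypothetical stand-in for a Connect-style chain: each middleware gets
// (res, next); a handler that does not call next() ends the response.
function runStack (stack) {
  const res = { headers: { 'X-Powered-By': 'Express' } }
  let i = 0
  const next = () => { if (i < stack.length) stack[i++](res, next) }
  next()
  return res.headers
}

// Stand-in for the header-setting middleware (constructed values).
function setSecurityHeaders (res, next) {
  delete res.headers['X-Powered-By']
  Object.assign(res.headers, {
    'X-DNS-Prefetch-Control': 'off',
    'X-Frame-Options': 'SAMEORIGIN',
    'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
    'X-Download-Options': 'noopen',
    'X-Content-Type-Options': 'nosniff',
    'X-XSS-Protection': '1; mode=block'
  })
  next()
}
const route = (res) => { res.body = 'ok' } // responds without calling next()

console.log(auditHeaders(runStack([setSecurityHeaders, route]))) // headers first
console.log(auditHeaders(runStack([route, setSecurityHeaders]))) // headers too late
```

The same `auditHeaders` function can be pointed at the headers object of a real response in an integration test, so a reordered middleware stack fails the build instead of silently dropping protections.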

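Key metrics

Overview
Name and owner: helmetjs/helmet
Primary language: TypeScript
Languages: JavaScript (language count: 2)
Platform: Linux, Mac, Windows
License: MIT License
Owner activity
Created: 2012-02-01 22:54:45
Pushed: 2025-07-09 21:06:56
Last commit
Releases: 105
Latest release: v8.1.0 (released 2025-03-17 18:55:13)
First release: v0.4.2 (released 2014-10-16 16:35:20)
User engagement
Stars: 10.5k
Watchers: 100
Forks: 382
Commits: 1k
Issues enabled?
Issues: 342
Open issues: 2
Pull requests: 95
Open pull requests: 0
Closed pull requests: 52
Project settings
Wiki enabled?
Archived?
Is fork?
Locked?
Is mirror?
Is private?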