help secure Express/Connect apps with various HTTP headers
Helmet is a collection of 15 smaller middleware functions that set HTTP response headers to protect Express and Connect applications from common web vulnerabilities. Rather than manually configuring each security header, Helmet provides sensible defaults that work out of the box, addressing threats like cross-site scripting, clickjacking, MIME sniffing, and man-in-the-middle attacks.
The package works by setting headers like Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and others that instruct browsers how to handle your content safely. With over 6.7 million weekly downloads, it's become the de facto standard for Express application security hardening. The middleware approach means you can enable comprehensive security with a single line of code, then customize individual headers as needed.
Helmet is particularly valuable for production Node.js applications where security headers are required by compliance standards or penetration testing guidelines. Each middleware function can be enabled, disabled, or configured independently, giving developers granular control over their security posture. The package is actively maintained, regularly updated to address new threats, and includes support for modern security headers like Cross-Origin-Embedder-Policy and Origin-Agent-Cluster.
```javascript
const express = require('express');
const helmet = require('helmet');
const app = express();

// The three app.use(helmet(...)) calls below are alternatives shown side by side.
// In a real app register Helmet once, before your routes: stacking several calls
// just sets the same headers repeatedly, and the last call wins.

// Basic usage with defaults
app.use(helmet());

// Advanced: Custom configuration for production API
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      // 'unsafe-inline' lets injected inline <script> blocks run, so it undoes
      // most of CSP's XSS protection; prefer nonces or hashes where possible.
      scriptSrc: ["'self'", "'unsafe-inline'", "https://cdn.example.com"],
      styleSrc: ["'self'", "https://fonts.googleapis.com"],
      imgSrc: ["'self'", "data:", "https:"],
      connectSrc: ["'self'", "https://api.example.com"],
      fontSrc: ["'self'", "https://fonts.gstatic.com"],
      objectSrc: ["'none'"],
      upgradeInsecureRequests: []   // directive with no value: emitted as a bare name
    }
  },
  hsts: {
    maxAge: 31536000,        // one year, in seconds
    includeSubDomains: true,
    preload: true            // only opt in once every subdomain is served over HTTPS
  },
  referrerPolicy: { policy: 'strict-origin-when-cross-origin' }
}));

// Disable specific middleware if needed
app.use(helmet({
  crossOriginEmbedderPolicy: false
}));

app.get('/api/data', (req, res) => {
  res.json({ message: 'Secure response with proper headers' });
});

app.listen(3000, () => {
  console.log('Secured Express server running on port 3000');
});
```

Production Express APIs: REST APIs and GraphQL servers that need to pass security audits and comply with OWASP recommendations. Helmet ensures proper CSP, HSTS, and other headers are present without manual configuration.
Multi-tenant SaaS applications: Applications serving multiple customers need robust isolation and security boundaries. Helmet's Cross-Origin-Resource-Policy and CSP headers help prevent cross-tenant data leakage and XSS attacks.
Financial and healthcare applications: Industries with strict compliance requirements (PCI-DSS, HIPAA) often mandate specific security headers. Helmet's HSTS, X-Content-Type-Options, and CSP implementations satisfy many of these requirements.
Server-side rendered applications: Next.js, EJS, or Pug applications that render HTML on the server benefit from Helmet's X-Frame-Options and CSP to prevent clickjacking and script injection in dynamically generated content.
Public-facing web services: Any Express app exposed to the internet should use Helmet to reduce attack surface. Even simple applications benefit from preventing information leakage through headers like X-Powered-By.
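The paragraphs above describe Helmet in terms of the headers it emits, and the configuration example shows a camelCase directives object that Helmet turns into a Content-Security-Policy header. The following is an added example, not code from Helmet or from this page: it serialises a Helmet-style directives object into the header value and then audits a response's headers for the protections Helmet is meant to provide (HSTS, CSP, X-Content-Type-Options, clickjacking protection, absence of X-Powered-By). Both sample header sets are constructed inline; the thresholds (180-day HSTS minimum, flagging `'unsafe-inline'` in script-src) are this example's own choices, and `buildCsp`, `parseCsp` and `auditSecurityHeaders` are hypothetical helpers rather than Helmet APIs.

```javascript
// Added example (not part of Helmet or the page): build a CSP header value from a
// Helmet-style directives object, then audit response headers for the hardening
// Helmet is meant to supply. Runs offline on constructed sample data.

// Helmet accepts camelCase directive names; the header uses kebab-case.
function directiveName(key) {
  return key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Serialise a directives object into a Content-Security-Policy header value.
// A directive with an empty value list (e.g. upgradeInsecureRequests: []) is
// emitted as a bare name, the way Helmet does it.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([key, values]) => {
      const name = directiveName(key);
      return values.length ? `${name} ${values.join(' ')}` : name;
    })
    .join(';');
}

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(value) {
  const out = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return out;
}

// Audit a response header object (any key case; Node's http module lower-cases
// them). Returns a list of finding strings; an empty list means nothing flagged.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  if (h['x-powered-by']) findings.push('X-Powered-By leaks the framework; Helmet removes it');
  if (h['x-content-type-options'] !== 'nosniff') findings.push('X-Content-Type-Options missing or not nosniff');
  const csp = h['content-security-policy'] || '';
  if (!h['x-frame-options'] && !csp.includes('frame-ancestors'))
    findings.push('no clickjacking protection (X-Frame-Options or CSP frame-ancestors)');

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('Strict-Transport-Security missing');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < 15552000) findings.push(`HSTS max-age ${maxAge} is under 180 days`); // threshold is this example's choice
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  if (!csp) {
    findings.push('Content-Security-Policy missing');
  } else {
    const d = parseCsp(csp);
    const script = d.get('script-src') || d.get('default-src') || [];
    if (script.includes("'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' scripts, which weakens XSS protection");
    if (script.includes('*')) findings.push('CSP script-src allows any origin');
    if (!d.has('object-src')) findings.push("CSP has no object-src 'none'");
  }
  return findings;
}

// Constructed sample: what a bare Express app returns with no Helmet at all.
const BARE_EXPRESS_HEADERS = {
  'X-Powered-By': 'Express',
  'Content-Type': 'application/json; charset=utf-8',
};

// Constructed sample: the CSP and HSTS values from the configuration on this page
// (abridged to the directives that matter for the audit).
const PAGE_CSP_DIRECTIVES = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'", "'unsafe-inline'", 'https://cdn.example.com'],
  objectSrc: ["'none'"],
  upgradeInsecureRequests: [],
};
const PAGE_CONFIG_HEADERS = {
  'content-security-policy': buildCsp(PAGE_CSP_DIRECTIVES),
  'strict-transport-security': 'max-age=31536000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'SAMEORIGIN',
};

console.log('bare Express:', auditSecurityHeaders(BARE_EXPRESS_HEADERS));
console.log('page config :', auditSecurityHeaders(PAGE_CONFIG_HEADERS));
```

Against the bare Express headers the audit reports five gaps; against the page's own configuration it reports exactly one, the `'unsafe-inline'` entry in script-src. To run the same check against a live deployment, fetch any route with Node's `http` module and pass `res.headers` to `auditSecurityHeaders`.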
npm install helmet
pnpm add helmet
bun add helmet