helmet 's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.| Name | Version | Size | License | Type | Vulnerabilities |
|---|
Helmet is a key security module for Node.js applications. It works by setting various HTTP response headers to help protect your Express apps from potential security threats. Features like mitigating cross-site scripting (XSS) attacks, preventing clickjacking, and enforcing secure (HTTPs-only) connections, among others, are part of Helmet's functionality. It's like a protective helmet for your Express-based web applications enhancing security and guarding against several common web vulnerabilities.
Utilizing Helmet in your Express application is quite straightforward. Install it via npm with the command npm install helmet and integrate it into your Express application as middleware like this:
import express from "express";
import helmet from "helmet";
const app = express();
// Enable Helmet
app.use(helmet());
app.get("/", (req, res) => {
res.send("Secured Hello world!");
});
app.listen(8000);
You can also customize which headers Helmet sets and tweak their configurations. For example, you can configure the Content-Security-Policy header followingly:
app.use(
helmet({
contentSecurityPolicy: {
directives: {
"script-src": ["'self'", "example.com"],
},
},
})
);
Or, you can disable some headers like this:
app.use(
helmet({
contentSecurityPolicy: false,
xDownloadOptions: false,
})
);
The complete helmet documentation can be found within the codebase on its GitHub repository at git://github.com/helmetjs/helmet.git. Here, you will find in-depth details about each header set by Helmet, their defaults, customization options, how to enable or disable individual headers, links to relevant external resources, and some FAQ. The readme in the GitHub repository serves as the primary point of documentation.
