An Introductory guide to securing your Express.js apps by setting various secure HTTP headers.

Photo by Unsplash


Helmet is a collection of middleware functions that has http response headers. It can be used in different Node.js frameworks but it has been promoted to use mainly with Express.js. We’ll also use Express for the demonstration of the library. Basically, it is used to secure your http response headers.

Sometimes developers ignore the HTTP headers. Since HTTP headers can leak sensitive information about the application, therefore, it is important to use the headers in a secure way.

Headers included in Helmet.js: Helmet.js comes with more built-in modules for increasing the security of the Express application.

  • Content-Security-Policy: It sets up the Security Policy.
  • Expect-CT: It is used for handling Certificate Transparency.
  • X-DNS-Prefetch-Control: It is used for controlling the fetching of browser DNS.
  • X-Frame-Options: It is used to prevent ClickJacking.
  • X-Powered-By: It is used to remove X-Powered-By header. X-Powered-By header leaks the version of the server and its vendor.
  • Public-Key-Pins: It is used for HTTP public key pinning.
  • Strict-Transport-Security: It is used for HTTP Strict Transport policy.
  • X-Download-Options: It restricts to various Download-Options.
  • Cache control: It is used for disabling Client-Side caching.
  • X-Content-Type-Options: It is used to prevent the Sniffing attack.
  • Referrer-Policy: It is used to hide the referrer header.
  • X-XSS-Protection: It is used to add protection to XSS attacks.


  • Node.js installed on your system. If you don’t have it install it from here
  • Any Editor of your choice

Let’s get started! Follow the below steps.

mkdir express-helmet-app

cd express-helmet-app

code .

npm init -y

Now let’s install both express and helmet packages.

npm i express helmet — save


Create a express server and a route like this:


Run the app with node app.js and go to your browser or postman and hit the localhost:3000 and you’ll see the response.

From the Screen shot below, you can see that we got the 200 status along with the response headers.

Now, let’s add helmet in the code.

app.js with helmet middleware

Repeat the same process as before by running the app, going to the browser and hitting the request.

As you can see from the Screen shot that now it has some additional headers. They are applied by our helmet.js module. These headers are added for an additional level of security.


Helmet.js module is very useful for Node.js developers as it adds security to the express applications. In this tutorial, we learned about helmet.js and seen its implementation in a basic express application.


Thanks for reading. Have a nice day!

Enthuastic Developer. Linux, Network and Security Excites me

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store