Open in app

Sign in

Write

Sign in

What is Helmet.js ?

Utsav Gadhiya
3 min readApr 4, 2021

An Introductory guide to securing your Express.js apps by setting various secure HTTP headers.

Photo by Unsplash

Introduction

Helmet is a collection of middleware functions that has http response headers. It can be used in different Node.js frameworks but it has been promoted to use mainly with Express.js. We’ll also use Express for the demonstration of the library. Basically, it is used to secure your http response headers.

Why security of HTTP headers are important ?

Sometimes developers ignore the HTTP headers. Since HTTP headers can leak sensitive information about the application, therefore, it is important to use the headers in a secure way.

Headers included in Helmet.js: Helmet.js comes with more built-in modules for increasing the security of the Express application.

  • Content-Security-Policy: It sets up the Security Policy.
  • Expect-CT: It is used for handling Certificate Transparency.
  • X-DNS-Prefetch-Control: It is used for controlling the fetching of browser DNS.
  • X-Frame-Options: It is used to prevent ClickJacking.
  • X-Powered-By: It is used to remove X-Powered-By header. X-Powered-By header leaks the version of the server and its vendor.
  • Public-Key-Pins: It is used for HTTP public key pinning.
  • Strict-Transport-Security: It is used for HTTP Strict Transport policy.
  • X-Download-Options: It restricts to various Download-Options.
  • Cache control: It is used for disabling Client-Side caching.
  • X-Content-Type-Options: It is used to prevent the Sniffing attack.
  • Referrer-Policy: It is used to hide the referrer header.
  • X-XSS-Protection: It is used to add protection to XSS attacks.

Prerequisites

  • Node.js installed on your system. If you don’t have it install it from here
  • Any Editor of your choice

Let’s get started! Follow the below steps.

mkdir express-helmet-app

cd express-helmet-app

code .

npm init -y

Now let’s install both express and helmet packages.

npm i express helmet — save

package.json

Create a express server and a route like this:

app.js

Run the app with node app.js and go to your browser or postman and hit the localhost:3000 and you’ll see the response.

From the Screen shot below, you can see that we got the 200 status along with the response headers.

Now, let’s add helmet in the code.

app.js with helmet middleware

Repeat the same process as before by running the app, going to the browser and hitting the request.

As you can see from the Screen shot that now it has some additional headers. They are applied by our helmet.js module. These headers are added for an additional level of security.

Conclusion

Helmet.js module is very useful for Node.js developers as it adds security to the express applications. In this tutorial, we learned about helmet.js and seen its implementation in a basic express application.

Resources

Helmet

Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help…

helmetjs.github.io

helmet

Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help…

www.npmjs.com

Thanks for reading. Have a nice day!

Expressjs
Nodejs
Helmet

--

--

Utsav Gadhiya

Written by Utsav Gadhiya

11 Followers

Enthuastic Developer. Linux, Network and Security Excites me

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams