Gathering detailed insights and metrics for helmet
Gathering detailed insights and metrics for helmet
Gathering detailed insights and metrics for helmet
Gathering detailed insights and metrics for helmet
Help secure Express apps with various HTTP headers
npm install helmet
100
Supply Chain
100
Quality
83.8
Maintenance
100
Vulnerability
100
License
Module System
Min. Node Version
Typescript Support
Node Version
NPM Version
10,253 Stars
981 Commits
368 Forks
101 Watching
1 Branches
47 Contributors
Updated on 27 Nov 2024
Minified
Minified + Gzipped
TypeScript (95.1%)
JavaScript (4.9%)
Cumulative downloads
Total Downloads
Last day
-3.2%
637,552
Compared to previous day
Last week
1.1%
3,343,589
Compared to previous week
Last month
9.1%
14,015,646
Compared to previous month
Last year
0.9%
162,261,746
Compared to previous year
No dependencies detected.
Help secure Express apps by setting HTTP response headers.
1import helmet from "helmet"; 2 3const app = express(); 4 5app.use(helmet());
Helmet sets the following headers by default:
Content-Security-Policy
: A powerful allow-list of what can happen on your page which mitigates many attacksCross-Origin-Opener-Policy
: Helps process-isolate your pageCross-Origin-Resource-Policy
: Blocks others from loading your resources cross-originOrigin-Agent-Cluster
: Changes process isolation to be origin-basedReferrer-Policy
: Controls the Referer
headerStrict-Transport-Security
: Tells browsers to prefer HTTPSX-Content-Type-Options
: Avoids MIME sniffingX-DNS-Prefetch-Control
: Controls DNS prefetchingX-Download-Options
: Forces downloads to be saved (Internet Explorer only)X-Frame-Options
: Legacy header that mitigates clickjacking attacksX-Permitted-Cross-Domain-Policies
: Controls cross-domain behavior for Adobe products, like AcrobatX-Powered-By
: Info about the web server. Removed because it could be used in simple attacksX-XSS-Protection
: Legacy header that tries to mitigate XSS attacks, but makes things worse, so Helmet disables itEach header can be configured. For example, here's how you configure the Content-Security-Policy
header:
1// Configure the Content-Security-Policy header. 2app.use( 3 helmet({ 4 contentSecurityPolicy: { 5 directives: { 6 "script-src": ["'self'", "example.com"], 7 }, 8 }, 9 }), 10);
Headers can also be disabled. For example, here's how you disable the Content-Security-Policy
and X-Download-Options
headers:
1// Disable the Content-Security-Policy and X-Download-Options headers 2app.use( 3 helmet({ 4 contentSecurityPolicy: false, 5 xDownloadOptions: false, 6 }), 7);
Content-Security-Policy
Default:
1Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
The Content-Security-Policy
header mitigates a large number of attacks, such as cross-site scripting. See MDN's introductory article on Content Security Policy.
This header is powerful but likely requires some configuration for your specific app.
To configure this header, pass an object with a nested directives
object. Each key is a directive name in camel case (such as defaultSrc
) or kebab case (such as default-src
). Each value is an array (or other iterable) of strings or functions for that directive. If a function appears in the array, it will be called with the request and response objects.
1// Sets all of the defaults, but overrides `script-src` 2// and disables the default `style-src`. 3app.use( 4 helmet({ 5 contentSecurityPolicy: { 6 directives: { 7 "script-src": ["'self'", "example.com"], 8 "style-src": null, 9 }, 10 }, 11 }), 12);
1// Sets the `script-src` directive to 2// "'self' 'nonce-e33cc...'" 3// (or similar) 4app.use((req, res, next) => { 5 res.locals.cspNonce = crypto.randomBytes(32).toString("hex"); 6 next(); 7}); 8app.use( 9 helmet({ 10 contentSecurityPolicy: { 11 directives: { 12 scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`], 13 }, 14 }, 15 }), 16);
These directives are merged into a default policy, which you can disable by setting useDefaults
to false
.
1// Sets "Content-Security-Policy: default-src 'self'; 2// script-src 'self' example.com;object-src 'none'; 3// upgrade-insecure-requests" 4app.use( 5 helmet({ 6 contentSecurityPolicy: { 7 useDefaults: false, 8 directives: { 9 defaultSrc: ["'self'"], 10 scriptSrc: ["'self'", "example.com"], 11 objectSrc: ["'none'"], 12 upgradeInsecureRequests: [], 13 }, 14 }, 15 }), 16);
You can get the default directives object with helmet.contentSecurityPolicy.getDefaultDirectives()
. Here is the default policy (formatted for readability):
default-src 'self';
base-uri 'self';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
The default-src
directive can be explicitly disabled by setting its value to helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc
, but this is not recommended.
You can set the Content-Security-Policy-Report-Only
instead:
1// Sets the Content-Security-Policy-Report-Only header 2app.use( 3 helmet({ 4 contentSecurityPolicy: { 5 directives: { 6 /* ... */ 7 }, 8 reportOnly: true, 9 }, 10 }), 11);
Helmet performs very little validation on your CSP. You should rely on CSP checkers like CSP Evaluator instead.
To disable the Content-Security-Policy
header:
1app.use( 2 helmet({ 3 contentSecurityPolicy: false, 4 }), 5);
You can use this as standalone middleware with app.use(helmet.contentSecurityPolicy())
.
Cross-Origin-Embedder-Policy
This header is not set by default.
The Cross-Origin-Embedder-Policy
header helps control what resources can be loaded cross-origin. See MDN's article on this header for more.
1// Helmet does not set Cross-Origin-Embedder-Policy 2// by default. 3app.use(helmet()); 4 5// Sets "Cross-Origin-Embedder-Policy: require-corp" 6app.use(helmet({ crossOriginEmbedderPolicy: true })); 7 8// Sets "Cross-Origin-Embedder-Policy: credentialless" 9app.use(helmet({ crossOriginEmbedderPolicy: { policy: "credentialless" } }));
You can use this as standalone middleware with app.use(helmet.crossOriginEmbedderPolicy())
.
Cross-Origin-Opener-Policy
Default:
1Cross-Origin-Opener-Policy: same-origin
The Cross-Origin-Opener-Policy
header helps process-isolate your page. For more, see MDN's article on this header.
1// Sets "Cross-Origin-Opener-Policy: same-origin" 2app.use(helmet()); 3 4// Sets "Cross-Origin-Opener-Policy: same-origin-allow-popups" 5app.use( 6 helmet({ 7 crossOriginOpenerPolicy: { policy: "same-origin-allow-popups" }, 8 }), 9);
To disable the Cross-Origin-Opener-Policy
header:
1app.use( 2 helmet({ 3 crossOriginOpenerPolicy: false, 4 }), 5);
You can use this as standalone middleware with app.use(helmet.crossOriginOpenerPolicy())
.
Cross-Origin-Resource-Policy
Default:
1Cross-Origin-Resource-Policy: same-origin
The Cross-Origin-Resource-Policy
header blocks others from loading your resources cross-origin in some cases. For more, see "Consider deploying Cross-Origin Resource Policy" and MDN's article on this header.
1// Sets "Cross-Origin-Resource-Policy: same-origin" 2app.use(helmet()); 3 4// Sets "Cross-Origin-Resource-Policy: same-site" 5app.use(helmet({ crossOriginResourcePolicy: { policy: "same-site" } }));
To disable the Cross-Origin-Resource-Policy
header:
1app.use( 2 helmet({ 3 crossOriginResourcePolicy: false, 4 }), 5);
You can use this as standalone middleware with app.use(helmet.crossOriginResourcePolicy())
.
Origin-Agent-Cluster
Default:
1Origin-Agent-Cluster: ?1
The Origin-Agent-Cluster
header provides a mechanism to allow web applications to isolate their origins from other processes. Read more about it in the spec.
This header takes no options and is set by default.
1// Sets "Origin-Agent-Cluster: ?1" 2app.use(helmet());
To disable the Origin-Agent-Cluster
header:
1app.use( 2 helmet({ 3 originAgentCluster: false, 4 }), 5);
You can use this as standalone middleware with app.use(helmet.originAgentCluster())
.
Referrer-Policy
Default:
1Referrer-Policy: no-referrer
The Referrer-Policy
header which controls what information is set in the Referer
request header. See "Referer header: privacy and security concerns" and the header's documentation on MDN for more.
1// Sets "Referrer-Policy: no-referrer" 2app.use(helmet());
policy
is a string or array of strings representing the policy. If passed as an array, it will be joined with commas, which is useful when setting a fallback policy. It defaults to no-referrer
.
1// Sets "Referrer-Policy: no-referrer" 2app.use( 3 helmet({ 4 referrerPolicy: { 5 policy: "no-referrer", 6 }, 7 }), 8); 9 10// Sets "Referrer-Policy: origin,unsafe-url" 11app.use( 12 helmet({ 13 referrerPolicy: { 14 policy: ["origin", "unsafe-url"], 15 }, 16 }), 17);
To disable the Referrer-Policy
header:
1app.use( 2 helmet({ 3 referrerPolicy: false, 4 }), 5);
You can use this as standalone middleware with app.use(helmet.referrerPolicy())
.
Strict-Transport-Security
Default:
1Strict-Transport-Security: max-age=15552000; includeSubDomains
The Strict-Transport-Security
header tells browsers to prefer HTTPS instead of insecure HTTP. See the documentation on MDN for more.
1// Sets "Strict-Transport-Security: max-age=15552000; includeSubDomains" 2app.use(helmet());
maxAge
is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. It defaults to 15552000
, which is 180 days.
includeSubDomains
is a boolean which dictates whether to include the includeSubDomains
directive, which makes this policy extend to subdomains. It defaults to true
.
preload
is a boolean. If true, it adds the preload
directive, expressing intent to add your HSTS policy to browsers. See the "Preloading Strict Transport Security" section on MDN for more. It defaults to false
.
1// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains" 2app.use( 3 helmet({ 4 strictTransportSecurity: { 5 maxAge: 123456, 6 }, 7 }), 8); 9 10// Sets "Strict-Transport-Security: max-age=123456" 11app.use( 12 helmet({ 13 strictTransportSecurity: { 14 maxAge: 123456, 15 includeSubDomains: false, 16 }, 17 }), 18); 19 20// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains; preload" 21app.use( 22 helmet({ 23 strictTransportSecurity: { 24 maxAge: 63072000, 25 preload: true, 26 }, 27 }), 28);
To disable the Strict-Transport-Security
header:
1app.use( 2 helmet({ 3 strictTransportSecurity: false, 4 }), 5);
You may wish to disable this header for local development, as it can make your browser force redirects from http://localhost
to https://localhost
, which may not be desirable if you develop multiple apps using localhost
. See this issue for more discussion.
You can use this as standalone middleware with app.use(helmet.strictTransportSecurity())
.
X-Content-Type-Options
Default:
1X-Content-Type-Options: nosniff
The X-Content-Type-Options
mitigates MIME type sniffing which can cause security issues. See documentation for this header on MDN for more.
This header takes no options and is set by default.
1// Sets "X-Content-Type-Options: nosniff" 2app.use(helmet());
To disable the X-Content-Type-Options
header:
1app.use( 2 helmet({ 3 xContentTypeOptions: false, 4 }), 5);
You can use this as standalone middleware with app.use(helmet.xContentTypeOptions())
.
X-DNS-Prefetch-Control
Default:
1X-DNS-Prefetch-Control: off
The X-DNS-Prefetch-Control
header helps control DNS prefetching, which can improve user privacy at the expense of performance. See documentation on MDN for more.
1// Sets "X-DNS-Prefetch-Control: off" 2app.use(helmet());
allow
is a boolean dictating whether to enable DNS prefetching. It defaults to false
.
Examples:
1// Sets "X-DNS-Prefetch-Control: off" 2app.use( 3 helmet({ 4 xDnsPrefetchControl: { allow: false }, 5 }), 6); 7 8// Sets "X-DNS-Prefetch-Control: on" 9app.use( 10 helmet({ 11 xDnsPrefetchControl: { allow: true }, 12 }), 13);
To disable the X-DNS-Prefetch-Control
header and use the browser's default value:
1app.use( 2 helmet({ 3 xDnsPrefetchControl: false, 4 }), 5);
You can use this as standalone middleware with app.use(helmet.xDnsPrefetchControl())
.
X-Download-Options
Default:
1X-Download-Options: noopen
The X-Download-Options
header is specific to Internet Explorer 8. It forces potentially-unsafe downloads to be saved, mitigating execution of HTML in your site's context. For more, see this old post on MSDN.
This header takes no options and is set by default.
1// Sets "X-Download-Options: noopen" 2app.use(helmet());
To disable the X-Download-Options
header:
1app.use( 2 helmet({ 3 xDownloadOptions: false, 4 }), 5);
You can use this as standalone middleware with app.use(helmet.xDownloadOptions())
.
X-Frame-Options
Default:
1X-Frame-Options: SAMEORIGIN
The legacy X-Frame-Options
header to help you mitigate clickjacking attacks. This header is superseded by the frame-ancestors
Content Security Policy directive but is still useful on old browsers or if no CSP is used. For more, see the documentation on MDN.
1// Sets "X-Frame-Options: SAMEORIGIN" 2app.use(helmet());
action
is a string that specifies which directive to use—either DENY
or SAMEORIGIN
. (A legacy directive, ALLOW-FROM
, is not supported by Helmet. Read more here.) It defaults to SAMEORIGIN
.
Examples:
1// Sets "X-Frame-Options: DENY" 2app.use( 3 helmet({ 4 xFrameOptions: { action: "deny" }, 5 }), 6); 7 8// Sets "X-Frame-Options: SAMEORIGIN" 9app.use( 10 helmet({ 11 xFrameOptions: { action: "sameorigin" }, 12 }), 13);
To disable the X-Frame-Options
header:
1app.use( 2 helmet({ 3 xFrameOptions: false, 4 }), 5);
You can use this as standalone middleware with app.use(helmet.xFrameOptions())
.
X-Permitted-Cross-Domain-Policies
Default:
1X-Permitted-Cross-Domain-Policies: none
The X-Permitted-Cross-Domain-Policies
header tells some clients (mostly Adobe products) your domain's policy for loading cross-domain content. See the description on OWASP for more.
1// Sets "X-Permitted-Cross-Domain-Policies: none" 2app.use(helmet());
permittedPolicies
is a string that must be "none"
, "master-only"
, "by-content-type"
, or "all"
. It defaults to "none"
.
Examples:
1// Sets "X-Permitted-Cross-Domain-Policies: none" 2app.use( 3 helmet({ 4 xPermittedCrossDomainPolicies: { 5 permittedPolicies: "none", 6 }, 7 }), 8); 9 10// Sets "X-Permitted-Cross-Domain-Policies: by-content-type" 11app.use( 12 helmet({ 13 xPermittedCrossDomainPolicies: { 14 permittedPolicies: "by-content-type", 15 }, 16 }), 17);
To disable the X-Permitted-Cross-Domain-Policies
header:
1app.use( 2 helmet({ 3 xPermittedCrossDomainPolicies: false, 4 }), 5);
You can use this as standalone middleware with app.use(helmet.xPermittedCrossDomainPolicies())
.
X-Powered-By
Default: the X-Powered-By
header, if present, is removed.
Helmet removes the X-Powered-By
header, which is set by default in Express and some other frameworks. Removing the header offers very limited security benefits (see this discussion) and is mostly removed to save bandwidth, but may thwart simplistic attackers.
Note: Express has a built-in way to disable the X-Powered-By
header, which you may wish to use instead.
The removal of this header takes no options. The header is removed by default.
To disable this behavior:
1// Not required, but recommended for Express users: 2app.disable("x-powered-by"); 3 4// Ask Helmet to ignore the X-Powered-By header. 5app.use( 6 helmet({ 7 xPoweredBy: false, 8 }), 9);
You can use this as standalone middleware with app.use(helmet.xPoweredBy())
.
X-XSS-Protection
Default:
1X-XSS-Protection: 0
Helmet disables browsers' buggy cross-site scripting filter by setting the legacy X-XSS-Protection
header to 0
. See discussion about disabling the header here and documentation on MDN.
This header takes no options and is set by default.
To disable the X-XSS-Protection
header:
1// This is not recommended. 2app.use( 3 helmet({ 4 xXssProtection: false, 5 }), 6);
You can use this as standalone middleware with app.use(helmet.xXssProtection())
.
No vulnerabilities found.
Reason
21 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
GitHub workflow tokens follow principle of least privilege
Details
Reason
no binaries found in the repo
Reason
license file detected
Details
Reason
SAST tool is run on all commits
Details
Reason
security policy file detected
Details
Reason
2 existing vulnerabilities detected
Details
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
Reason
Found 0/24 approved changesets -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
Score
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More