# Helmet [![npm version](https://badge.fury.io/js/helmet.svg)](http://badge.fury.io/js/helmet) [![npm dependency status](https://david-dm.org/helmetjs/helmet.svg)](https://david-dm.org/helmetjs/helmet) [![Build Status](https://travis-ci.org/helmetjs/helmet.svg?branch=master)](https://travis-ci.org/helmetjs/helmet) [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet.svg?type=shield)](https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet?ref=badge_shield) Helmet helps you secure your Express apps by setting various HTTP headers. _It's not a silver bullet_, but it can help! ## Quick start First, run `npm install helmet --save` for your app. Then, in an Express app: ```js const express = require("express"); const helmet = require("helmet"); const app = express(); app.use(helmet()); // ... ``` ## How it works Helmet is [Connect](https://github.com/senchalabs/connect)-style middleware, which is compatible with frameworks like [Express](https://expressjs.com/). (If you need support for Koa, see [`koa-helmet`](https://github.com/venables/koa-helmet).) The top-level `helmet` function is a wrapper around 11 smaller middlewares. In other words, these two things are equivalent: ```js // This... app.use(helmet()); // ...is equivalent to this: app.use(helmet.contentSecurityPolicy()); app.use(helmet.dnsPrefetchControl()); app.use(helmet.expectCt()); app.use(helmet.frameguard()); app.use(helmet.hidePoweredBy()); app.use(helmet.hsts()); app.use(helmet.ieNoOpen()); app.use(helmet.noSniff()); app.use(helmet.permittedCrossDomainPolicies()); app.use(helmet.referrerPolicy()); app.use(helmet.xssFilter()); ``` To set custom options for one of the middleware, add options like this: ```js // This sets custom options for the `referrerPolicy` middleware. app.use( helmet({ referrerPolicy: { policy: "no-referrer" }, }) ); ``` You can also disable a middleware: ```js // This disables the `contentSecurityPolicy` middleware but keeps the rest. app.use( helmet({ contentSecurityPolicy: false, }) ); ``` ## Reference
helmet(options) Helmet is the top-level middleware for this module, including all 11 others. All 11 middlewares are enabled by default. ```js // Includes all 11 middlewares app.use(helmet()); ``` If you want to disable one, pass options to `helmet`. For example, to disable `frameguard`: ```js // Includes 10 middlewares, skipping `helmet.frameguard` app.use( helmet({ frameguard: false, }) ); ``` Most of the middlewares have options, which are documented in more detail below. For example, to pass `{ action: "deny" }` to `frameguard`: ```js // Includes all 11 middlewares, setting an option for `helmet.frameguard` app.use( helmet({ frameguard: { action: "deny", }, }) ); ``` Each middleware's name is listed below.
helmet.contentSecurityPolicy(options) `helmet.contentSecurityPolicy` sets the `Content-Security-Policy` header which helps mitigate cross-site scripting attacks, among other things. See [MDN's introductory article on Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP). This middleware performs very little validation. You should rely on CSP checkers like [CSP Evaluator](https://csp-evaluator.withgoogle.com/) instead. `options.directives` is an object. Each key is a directive name in camel case (such as `defaultSrc`) or kebab case (such as `default-src`). Each value is an iterable (usually an array) of strings or functions for that directive. If a function appears in the iterable, it will be called with the request and response. `options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead. If no directives are supplied, the following policy is set (whitespace added for readability): default-src 'self'; base-uri 'self'; block-all-mixed-content; font-src 'self' https: data:; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests You can fetch this default with `helmet.contentSecurityPolicy.getDefaultDirectives()`. Examples: ```js // Sets "Content-Security-Policy: default-src 'self';script-src 'self' example.com;object-src 'none';upgrade-insecure-requests" app.use( helmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", "example.com"], objectSrc: ["'none'"], upgradeInsecureRequests: [], }, }) ); // Sets "Content-Security-Policy: default-src 'self';script-src 'self' example.com;object-src 'none'" app.use( helmet.contentSecurityPolicy({ directives: { "default-src": ["'self'"], "script-src": ["'self'", "example.com"], "object-src": ["'none'"], }, }) ); // Sets all of the defaults, but overrides script-src app.use( helmet.contentSecurityPolicy({ directives: { ...helmet.contentSecurityPolicy.getDefaultDirectives(), "script-src": ["'self'", "example.com"], }, }) ); // Sets the "Content-Security-Policy-Report-Only" header instead app.use( helmet.contentSecurityPolicy({ directives: { /* ... */ }, reportOnly: true, }) ); // Sets "Content-Security-Policy: default-src 'self';script-src 'self' 'nonce-e33ccde670f149c1789b1e1e113b0916'" app.use((req, res, next) => { res.locals.cspNonce = crypto.randomBytes(16).toString("hex"); next(); }); app.use( helmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`], }, }) ); ``` You can install this module separately as `helmet-csp`.
helmet.expectCt(options) `helmet.expectCt` sets the `Expect-CT` header which helps mitigate misissued SSL certificates. See [MDN's article on Certificate Transparency](https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency) and the [`Expect-CT` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT) for more. `options.maxAge` is the number of seconds to expect Certificate Transparency. It defaults to `0`. `options.enforce` is a boolean. If `true`, the user agent (usually a browser) should refuse future connections that violate its Certificate Transparency policy. Defaults to `false`. `options.reportUri` is a string. If set, complying user agents will report Certificate Transparency failures to this URL. Unset by default. Examples: ```js // Sets "Expect-CT: max-age=86400" app.use( helmet.expectCt({ maxAge: 86400, }) ); // Sets "Expect-CT: max-age=86400, enforce, report-uri="https://example.com/report" app.use( helmet.expectCt({ maxAge: 86400, enforce: true, reportUri: "https://example.com/report", }) ); ``` You can install this module separately as `expect-ct`.
helmet.referrerPolicy(options) `helmet.referrerPolicy` sets the `Referrer-Policy` header which controls what information is set in [the `Referer` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer). See ["Referer header: privacy and security concerns"](https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns) and [the header's documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) on MDN for more. `options.policy` is a string or array of strings representing the policy. If passed as an array, it will be joined with commas, which is useful when setting [a fallback policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#Specifying_a_fallback_policy). It defaults to `no-referrer`. Examples: ```js // Sets "Referrer-Policy: no-referrer" app.use( helmet.referrerPolicy({ policy: "no-referrer", }) ); // Sets "Referrer-Policy: origin,unsafe-url" app.use( helmet.referrerPolicy({ policy: ["origin", "unsafe-url"], }) ); ``` You can install this module separately as `referrer-policy`.
helmet.hsts(options) `helmet.hsts` sets the `Strict-Transport-Security` header which tells browsers to prefer HTTPS over insecure HTTP. See [the documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) for more. `options.maxAge` is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. It defaults to `15552000`, which is 180 days. `options.includeSubDomains` is a boolean which dictates whether to include the `includeSubDomains` directive, which makes this policy extend to subdomains. It defaults to `true`. `options.preload` is a boolean. If true, it adds the `preload` directive, expressing intent to add your HSTS policy to browsers. See [the "Preloading Strict Transport Security" section on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security) for more. It defaults to `false`. Examples: ```js // Sets "Strict-Transport-Security: max-age=123456; includeSubDomains" app.use( helmet.hsts({ maxAge: 123456, }) ); // Sets "Strict-Transport-Security: max-age=123456" app.use( helmet.hsts({ maxAge: 123456, includeSubDomains: false, }) ); // Sets "Strict-Transport-Security: max-age=123456; includeSubDomains; preload" app.use( helmet.hsts({ maxAge: 63072000, preload: true, }) ); ``` You can install this module separately as `hsts`.
helmet.noSniff() `helmet.noSniff` sets the `X-Content-Type-Options` header to `nosniff`. This mitigates [MIME type sniffing](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#MIME_sniffing) which can cause security vulnerabilities. See [documentation for this header on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) for more. This middleware takes no options. Example: ```js // Sets "X-Content-Type-Options: nosniff" app.use(helmet.noSniff()); ``` You can install this module separately as `dont-sniff-mimetype`.
helmet.dnsPrefetchControl(options) `helmet.dnsPrefetchControl` sets the `X-DNS-Prefetch-Control` header to help control DNS prefetching, which can improve user privacy at the expense of performance. See [documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control) for more. `options.allow` is a boolean dictating whether to enable DNS prefetching. It defaults to `false`. Examples: ```js // Sets "X-DNS-Prefetch-Control: off" app.use( helmet.dnsPrefetchControl({ allow: false, }) ); // Sets "X-DNS-Prefetch-Control: on" app.use( helmet.dnsPrefetchControl({ allow: true, }) ); ``` You can install this module separately as `dns-prefetch-control`.
helmet.ieNoOpen() `helmet.ieNoOpen` sets the `X-Download-Options` header, which is specific to Internet Explorer 8. It forces potentially-unsafe downloads to be saved, mitigating execution of HTML in your site's context. For more, see [this old post on MSDN](https://docs.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-v-comprehensive-protection). This middleware takes no options. Examples: ```js // Sets "X-Download-Options: noopen" app.use(helmet.ieNoOpen()); ``` You can install this module separately as `ienoopen`.
helmet.frameguard(options) `helmet.frameguard` sets the `X-Frame-Options` header to help you mitigate [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking). This header is superseded by [the `frame-ancestors` Content Security Policy directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) but is still useful on old browsers. For more, see [the documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options). `options.action` is a string that specifies which directive to use—either `DENY` or `SAMEORIGIN`. (A legacy directive, `ALLOW-FROM`, is not supported by this middleware. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)) It defaults to `SAMEORIGIN`. Examples: ```js // Sets "X-Frame-Options: DENY" app.use( helmet.frameguard({ action: "deny", }) ); // Sets "X-Frame-Options: SAMEORIGIN" app.use( helmet.frameguard({ action: "sameorigin", }) ); ``` You can install this module separately as `frameguard`.
helmet.permittedCrossDomainPolicies(options) `helmet.permittedCrossDomainPolicies` sets the `X-Permitted-Cross-Domain-Policies` header, which tells some clients (mostly Adobe products) your domain's policy for loading cross-domain content. See [the description on OWASP](https://owasp.org/www-project-secure-headers/) for more. `options.permittedPolicies` is a string that must be `"none"`, `"master-only"`, `"by-content-type"`, or `"all"`. It defaults to `"none"`. Examples: ```js // Sets "X-Permitted-Cross-Domain-Policies: none" app.use( helmet.permittedCrossDomainPolicies({ permittedPolicies: "none", }) ); // Sets "X-Permitted-Cross-Domain-Policies: by-content-type" app.use( helmet.permittedCrossDomainPolicies({ permittedPolicies: "by-content-type", }) ); ``` You can install this module separately as `helmet-crossdomain`.
helmet.hidePoweredBy() `helmet.hidePoweredBy` removes the `X-Powered-By` header, which is set by default in some frameworks (like Express). Removing the header offers very limited security benefits (see [this discussion](https://github.com/expressjs/express/pull/2813#issuecomment-159270428)) and is mostly removed to save bandwidth. This middleware takes no options. If you're using Express, this middleware will work, but you should use `app.disable("x-powered-by")` instead. Examples: ```js // Removes the X-Powered-By header if it was set. app.use(helmet.hidePoweredBy()); ``` You can install this module separately as `hide-powered-by`.
helmet.xssFilter() `helmet.xssFilter` disables browsers' buggy cross-site scripting filter by setting the `X-XSS-Protection` header to `0`. See [discussion about disabling the header here](https://github.com/helmetjs/helmet/issues/230) and [documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection). This middleware takes no options. Examples: ```js // Sets "X-XSS-Protection: 0" app.use(helmet.xssFilter()); ``` You can install this module separately as `x-xss-protection`.