How to use Helmet.js to secure your Node.js Express app



If you are developing a web application with Node.js and Express, you might want to use Helmet.js to improve your security. Helmet.js is a module that helps you set some HTTP headers that can protect your app from common attacks. In this article, you will learn how to use Helmet.js and what each header does.

What is Helmet.js?

Helmet.js is a Node.js module that works as a middleware for Express and similar frameworks. A middleware is a function that runs between the request and the response, and can modify them in some way. Helmet.js modifies the response by setting some HTTP headers that can make your app more secure.

HTTP headers are pieces of information sent along with HTTP requests and responses. They can describe the client, the server, the content, the security expectations, and other aspects of the communication. When security-related headers are missing or too permissive, browsers fall back to lenient behaviour that attackers can abuse against your web application, for example by framing your pages (clickjacking) or by having the browser guess a response's content type (MIME sniffing).

Helmet.js helps you prevent some of these attacks by setting some HTTP headers that follow web security standards. For example, it can block others from loading your resources cross-origin, or tell browsers to prefer HTTPS over HTTP.

How to use Helmet.js?

To use Helmet.js, you need to install it with npm:

npm install helmet

Then, you need to import it in your Node.js file and use it as a middleware for your Express app:

// This imports the helmet module
const helmet = require("helmet");

// This creates an Express app
const express = require("express");
const app = express();

// This uses Helmet as a middleware for the app
app.use(helmet());

By default, Helmet sets 12 HTTP headers that can improve your security. However, you can also configure or disable each header individually using options passed to the helmet() function or to specific middleware functions. For example, if you want to set the Cross-Origin-Resource-Policy header to "cross-origin", you can do this:

// This sets the Cross-Origin-Resource-Policy header to "cross-origin".
// By default Helmet sends "same-origin", which tells browsers to block other
// origins from loading your responses; "cross-origin" explicitly allows it
// (for example, for assets that a CDN or another site is meant to embed)
app.use(helmet.crossOriginResourcePolicy({ policy: "cross-origin" }));

What are the HTTP headers set by Helmet.js?

Here is a list of the HTTP headers set by Helmet.js and what they do:

  • Content-Security-Policy: A powerful allow-list of what can happen on your page which mitigates many attacks

  • Cross-Origin-Opener-Policy: Helps process-isolate your page

  • Cross-Origin-Resource-Policy: Blocks others from loading your resources cross-origin

  • Origin-Agent-Cluster: Changes process isolation to be origin-based

  • Referrer-Policy: Controls the Referer header

  • Strict-Transport-Security: Tells browsers to prefer HTTPS

  • X-Content-Type-Options: Avoids MIME sniffing

  • X-DNS-Prefetch-Control: Controls DNS prefetching

  • X-Download-Options: Forces downloads to be saved (Internet Explorer only)

  • X-Frame-Options: Legacy header that mitigates clickjacking attacks

  • X-Permitted-Cross-Domain-Policies: Controls cross-domain behavior for Adobe products, like Acrobat

  • X-Powered-By: Info about the web server. Removed because it could be used in simple attacks

  • X-XSS-Protection: Legacy header that tries to mitigate XSS attacks, but makes things worse, so Helmet disables it

You can learn more about each header and how to configure them in the Helmet documentation.

Conclusion

Helmet.js is a useful module that helps you secure your Node.js Express app by setting some HTTP headers that can prevent common attacks. You can use it as a middleware for your app and configure or disable each header according to your needs. Helmet.js is not a silver bullet, but it can make your app more secure and compliant with web security standards.