Helmet ====== [![npm version](https://badge.fury.io/js/helmet.svg)](http://badge.fury.io/js/helmet) [![npm dependency status](https://david-dm.org/helmetjs/helmet.svg)](https://david-dm.org/helmetjs/helmet) [![Build Status](https://travis-ci.org/helmetjs/helmet.svg?branch=master)](https://travis-ci.org/helmetjs/helmet) [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet.svg?type=shield)](https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet?ref=badge_shield) Helmet helps you secure your Express apps by setting various HTTP headers. *It's not a silver bullet*, but it can help! [Looking for a version of Helmet that supports the Koa framework?](https://github.com/venables/koa-helmet) Quick start ----------- First, run `npm install helmet --save` for your app. Then, in an Express (or Connect) app: ```js const express = require('express') const helmet = require('helmet') const app = express() app.use(helmet()) // ... ``` It's best to `use` Helmet early in your middleware stack so that its headers are sure to be set. You can also use its pieces individually: ```js app.use(helmet.xssFilter()) app.use(helmet.frameguard()) ``` You can disable a middleware that's normally enabled by default. This will disable `frameguard` but include the other defaults. ```js app.use(helmet({ frameguard: false })) ``` You can also set options for a middleware. Setting options like this will *always* include the middleware, whether or not it's a default. ```js app.use(helmet({ frameguard: { action: 'deny' } })) ``` *If you're using Express 3, make sure these middlewares are listed before `app.router`.* How it works ------------ Helmet is a collection of 14 smaller middleware functions that set HTTP response headers. Running `app.use(helmet())` will not include all of these middleware functions by default. | Module | Default? | |---|---| | [contentSecurityPolicy](https://helmetjs.github.io/docs/csp/) for setting Content Security Policy | | | [crossdomain](https://helmetjs.github.io/docs/crossdomain/) for handling Adobe products' crossdomain requests | | | [dnsPrefetchControl](https://helmetjs.github.io/docs/dns-prefetch-control) controls browser DNS prefetching | ✓ | | [expectCt](https://helmetjs.github.io/docs/expect-ct/) for handling Certificate Transparency | | | [featurePolicy](https://helmetjs.github.io/docs/feature-policy/) to limit your site's features | | | [frameguard](https://helmetjs.github.io/docs/frameguard/) to prevent clickjacking | ✓ | | [hidePoweredBy](https://helmetjs.github.io/docs/hide-powered-by) to remove the X-Powered-By header | ✓ | | [hpkp](https://helmetjs.github.io/docs/hpkp/) for HTTP Public Key Pinning | | | [hsts](https://helmetjs.github.io/docs/hsts/) for HTTP Strict Transport Security | ✓ | | [ieNoOpen](https://helmetjs.github.io/docs/ienoopen) sets X-Download-Options for IE8+ | ✓ | | [noCache](https://helmetjs.github.io/docs/nocache/) to disable client-side caching | | | [noSniff](https://helmetjs.github.io/docs/dont-sniff-mimetype) to keep clients from sniffing the MIME type | ✓ | | [referrerPolicy](https://helmetjs.github.io/docs/referrer-policy) to hide the Referer header | | | [xssFilter](https://helmetjs.github.io/docs/xss-filter) adds some small XSS protections | ✓ | You can see more in [the documentation](https://helmetjs.github.io/docs/).