helmetjs/helmet

Help secure Express apps with various HTTP headers


Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!

Looking for a version of Helmet that supports the Koa framework?

Quick start

First, run

npm install helmet --save

for your app. Then, in an Express (or Connect) app:

```js
const express = require("express");
const helmet = require("helmet");

const app = express();

app.use(helmet());
// ...
```

It's best to `use` Helmet early in your middleware stack so that its headers are sure to be set on every response, before any route handler has a chance to send one.

You can also use its pieces individually:

```js
app.use(helmet.xssFilter());
app.use(helmet.frameguard());
```

You can disable a middleware that's normally enabled by default by passing `false` for it. This will disable `frameguard` but include the other defaults.

```js
app.use(
  helmet({
    frameguard: false,
  })
);
```

You can also set options for a middleware. Setting options like this will always include the middleware, whether or not it's a default.

```js
app.use(
  helmet({
    frameguard: {
      action: "deny",
    },
  })
);
```
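The quick-start steps above, as an added example that is not helmet's or Express's own code: a dependency-free stand-in for the Express middleware contract, so it runs with plain Node and no packages installed. Every function in it (`frameguard`, `noSniff`, `hidePoweredBy`, `helmetLike`, `makeResponse`, `dispatch`) is an assumption written for this page; the three stand-in middlewares only imitate the headers the real helmet middlewares set. It shows why Helmet has to sit early in the stack, and how `false` and an options object change which middlewares run.

```javascript
// Added example (not helmet's own code): a dependency-free imitation of the
// Express middleware contract, used to show how helmet()'s option handling
// and middleware ordering decide which headers a response ends up with.

// Stand-ins for three of helmet's middlewares. They set the same headers the
// real ones do, but the implementations are simplified assumptions.
function frameguard(options = {}) {
  const action = String(options.action || "sameorigin").toUpperCase();
  if (action !== "DENY" && action !== "SAMEORIGIN") {
    throw new Error(`frameguard: unsupported action "${options.action}"`);
  }
  return (req, res, next) => {
    res.setHeader("X-Frame-Options", action);
    next();
  };
}

function noSniff() {
  return (req, res, next) => {
    res.setHeader("X-Content-Type-Options", "nosniff");
    next();
  };
}

function hidePoweredBy() {
  return (req, res, next) => {
    res.removeHeader("X-Powered-By");
    next();
  };
}

// Imitates helmet(options): a default-on middleware is dropped when its option
// is `false`; an options object always includes the middleware and configures it.
const DEFAULTS = { frameguard: true, noSniff: true, hidePoweredBy: true };
const FACTORIES = { frameguard, noSniff, hidePoweredBy };

function helmetLike(options = {}) {
  const stack = [];
  for (const name of Object.keys(FACTORIES)) {
    const opt = options[name];
    const enabled = opt === undefined ? DEFAULTS[name] : opt !== false;
    if (!enabled) continue;
    stack.push(FACTORIES[name](typeof opt === "object" ? opt : {}));
  }
  // Run the enabled middlewares in order, then hand off to the outer next().
  return (req, res, next) => {
    let i = 0;
    const step = () => (i < stack.length ? stack[i++](req, res, step) : next());
    step();
  };
}

// Fake response object. Like Node's ServerResponse, headers cannot be changed
// once the body has been sent. Express adds X-Powered-By up front.
function makeResponse() {
  const headers = { "x-powered-by": "Express" };
  const guard = () => {
    if (res.headersSent) throw new Error("Cannot set headers after they are sent");
  };
  const res = {
    headersSent: false,
    headers,
    setHeader(name, value) { guard(); headers[name.toLowerCase()] = value; },
    removeHeader(name) { guard(); delete headers[name.toLowerCase()]; },
    send(body) { res.headersSent = true; res.body = body; },
  };
  return res;
}

// Minimal dispatcher: runs middlewares in order, each chaining via next().
function dispatch(middlewares) {
  const req = {};
  const res = makeResponse();
  let i = 0;
  const next = () => { if (i < middlewares.length) middlewares[i++](req, res, next); };
  next();
  return res.headers;
}

// A route handler that answers without calling next(), as routes usually do.
const route = (req, res) => res.send("hello");

// 1. helmet() before the route: every default header is applied.
function helmetFirst() {
  return dispatch([helmetLike(), route]);
}

// 2. helmet() after the route: the route ends the chain, so helmet never runs
//    and X-Powered-By leaks. This is why the README says to use Helmet early.
function helmetAfterRoute() {
  return dispatch([route, helmetLike()]);
}

// 3. Per-middleware options: frameguard set to DENY, noSniff switched off,
//    hidePoweredBy still on because it is a default.
function customized() {
  return dispatch([helmetLike({ frameguard: { action: "deny" }, noSniff: false }), route]);
}

console.log("helmet first:      ", helmetFirst());
console.log("helmet after route:", helmetAfterRoute());
console.log("customized:        ", customized());
```

The second case is the one to check in a real app: a route that sends a response and never calls `next()` silently skips every middleware registered after it, so a late `app.use(helmet())` leaves those responses unprotected without any error.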

_If you're using Express 3, make sure these middlewares are listed before



How it works

Helmet is a collection of 11 smaller middleware functions that set HTTP response headers. Running `helmet()` does not include all of them: only the modules marked as defaults in the table below are enabled, and the rest have to be turned on explicitly, either by passing options for them to `helmet()` or by using them individually.

| Module | Default? |
| --- | --- |
| `contentSecurityPolicy` for setting Content Security Policy | |
| `crossdomain` for handling Adobe products' crossdomain requests | |
| `dnsPrefetchControl` controls browser DNS prefetching | ✓ |
| `expectCt` for handling Certificate Transparency | |
| `frameguard` to prevent clickjacking | ✓ |
| `hidePoweredBy` to remove the X-Powered-By header | ✓ |
| `hsts` for HTTP Strict Transport Security | ✓ |
| `ieNoOpen` sets X-Download-Options for IE8+ | ✓ |
| `noSniff` to keep clients from sniffing the MIME type | ✓ |
| `referrerPolicy` to hide the Referer header | |
| `xssFilter` adds some small XSS protections | ✓ |

You can see more in the documentation.
