
Helmet.js HTTP Security

Set essential HTTP security headers with Helmet.js to protect Express apps from common web vulnerabilities.


Overview

Helmet.js is a collection of middleware functions that set HTTP security headers in Express applications. With a single line of code, it configures 15+ security headers that protect against clickjacking, XSS, MIME sniffing, and other common web attacks. It is recommended by the Express.js team and used by thousands of production applications.

The headers set by Helmet include X-Content-Type-Options (prevents MIME sniffing), X-Frame-Options (prevents clickjacking), Strict-Transport-Security (enforces HTTPS), X-XSS-Protection, Referrer-Policy, and Content-Security-Policy among others. Each header can be individually configured or disabled based on your application's needs.

Helmet follows a secure-by-default approach, enabling the most protective settings out of the box. For example, it sets CSP to only allow same-origin resources, enables HSTS with a one-year max-age, and prevents framing entirely. You can selectively relax these defaults for specific requirements like embedding third-party scripts or allowing your site to be framed by specific domains.

Who Is This For?

  • Add security headers to an Express app with one line
  • Prevent clickjacking with X-Frame-Options
  • Enforce HTTPS with Strict-Transport-Security
  • Configure Referrer-Policy for privacy protection

Installation

npm install helmet

Configuration

import express from "express"
import helmet from "helmet"

const app = express()

// Use all defaults (recommended): every Helmet header is set with its most
// protective value, and the X-Powered-By fingerprint header is removed
app.use(helmet())

// Alternatively, customize specific headers; each option takes an object
// with settings for that header, or false to leave that header out
app.use(helmet({
  contentSecurityPolicy: false, // configure CSP separately for this app
  crossOriginEmbedderPolicy: false, // drop COEP if third-party resources are embedded
  hsts: { maxAge: 31536000, includeSubDomains: true }, // one year, in seconds
}))
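The two passages above list the headers Helmet sets and show the HSTS value being relaxed or kept. What a practitioner wants next is a way to confirm that a deployed app actually serves those headers, since a misplaced app.use() or a proxy that strips headers silently undoes the protection. The following audit function is an added example written for this page, not code from the Helmet project or the Express team. It checks a response's headers against Helmet's documented default values (X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, Referrer-Policy no-referrer, X-XSS-Protection 0, HSTS with a one-year max-age and includeSubDomains, a CSP whose default-src is 'self') and reports what is missing or weak. The two sample responses are constructed for the example; they are not captured from a real server, and the default values should be compared against the Helmet version you install.

```javascript
// Added example: audit a response's headers against Helmet's default protections.
// Not part of Helmet or Express; header values mirror Helmet's documented defaults.

const ONE_YEAR = 31536000; // seconds; the HSTS max-age Helmet uses by default

// Parse "max-age=N; includeSubDomains; preload" into an object.
function parseHsts(value) {
  const result = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const token = raw.trim().toLowerCase();
    if (token.startsWith("max-age=")) {
      const n = Number.parseInt(token.slice("max-age=".length), 10);
      result.maxAge = Number.isNaN(n) ? 0 : n;
    } else if (token === "includesubdomains") {
      result.includeSubDomains = true;
    } else if (token === "preload") {
      result.preload = true;
    }
  }
  return result;
}

// Lower-case header names so lookups are case-insensitive, as HTTP headers are.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Return a list of findings; an empty list means every check passed.
function auditSecurityHeaders(rawHeaders) {
  const h = normalize(rawHeaders);
  const findings = [];

  const expectExact = (name, expected) => {
    if (!(name in h)) {
      findings.push(`${name}: missing`);
    } else if (h[name].trim().toLowerCase() !== expected.toLowerCase()) {
      findings.push(`${name}: got "${h[name]}", expected "${expected}"`);
    }
  };

  expectExact("x-content-type-options", "nosniff"); // blocks MIME sniffing
  expectExact("x-frame-options", "SAMEORIGIN");      // blocks cross-origin framing
  expectExact("referrer-policy", "no-referrer");     // no Referer leakage
  expectExact("x-xss-protection", "0");              // legacy browser filter disabled

  if (!("content-security-policy" in h)) {
    findings.push("content-security-policy: missing");
  } else {
    const csp = h["content-security-policy"].toLowerCase();
    if (!/(^|;)\s*default-src\s+'self'/.test(csp)) findings.push("content-security-policy: default-src is not 'self'");
    if (!/(^|;)\s*frame-ancestors\s+'self'/.test(csp)) findings.push("content-security-policy: frame-ancestors is not 'self'");
    if (!/(^|;)\s*object-src\s+'none'/.test(csp)) findings.push("content-security-policy: object-src is not 'none'");
  }

  if (!("strict-transport-security" in h)) {
    findings.push("strict-transport-security: missing");
  } else {
    const hsts = parseHsts(h["strict-transport-security"]);
    if (hsts.maxAge < ONE_YEAR) findings.push(`strict-transport-security: max-age ${hsts.maxAge} is below one year`);
    if (!hsts.includeSubDomains) findings.push("strict-transport-security: includeSubDomains not set");
  }

  // Helmet removes this fingerprint header; its presence means Helmet is not in the chain.
  if ("x-powered-by" in h) findings.push("x-powered-by: present");

  return findings;
}

// Constructed sample: a response from an app using app.use(helmet()) with Helmet's defaults.
const HELMET_DEFAULT_RESPONSE = {
  "Content-Security-Policy": "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Resource-Policy": "same-origin",
  "Origin-Agent-Cluster": "?1",
  "Referrer-Policy": "no-referrer",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-DNS-Prefetch-Control": "off",
  "X-Download-Options": "noopen",
  "X-Frame-Options": "SAMEORIGIN",
  "X-Permitted-Cross-Domain-Policies": "none",
  "X-XSS-Protection": "0",
  "Content-Type": "text/html; charset=utf-8",
};

// Constructed sample: a bare Express response with no Helmet and a one-hour HSTS lifetime.
const BARE_EXPRESS_RESPONSE = {
  "X-Powered-By": "Express",
  "Content-Type": "text/html; charset=utf-8",
  "Strict-Transport-Security": "max-age=3600",
};

console.log("helmet defaults:", auditSecurityHeaders(HELMET_DEFAULT_RESPONSE));
console.log("bare express:", auditSecurityHeaders(BARE_EXPRESS_RESPONSE));
```

In practice you would feed auditSecurityHeaders() the headers object from a real response (for example res.headers from a fetch against a staging URL) and fail a CI step when the list is non-empty; an app that deliberately relaxes a default, such as disabling contentSecurityPolicy as in the configuration above, should expect the matching finding and adjust the check rather than ignore the whole report.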