Configs · May 9, 2026 · 3 min read

Helmet — Secure Express Apps with HTTP Headers

Helmet is a collection of middleware functions for Express that set security-related HTTP response headers. Those headers tell the browser to enforce protections that mitigate common web attacks such as XSS, clickjacking, and MIME sniffing; they do not sanitize input or block requests themselves.

Introduction

Helmet wraps 15 smaller middleware functions that each set a specific HTTP security header. With a single app.use(helmet()) call, your Express app gets sensible defaults for Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, and more.

What Helmet Does

  • Sets Content-Security-Policy to control which origins the browser may load scripts, styles, images and other resources from
  • Enables Strict-Transport-Security so browsers use HTTPS for future requests to the host; browsers only honour the header on responses that already arrived over HTTPS, so the app must be served over TLS for it to have any effect
  • Adds X-Content-Type-Options: nosniff to stop browsers guessing a response's MIME type
  • Sets X-Frame-Options (SAMEORIGIN by default) to block clickjacking via iframe embedding on other origins
  • Removes the X-Powered-By header that Express adds by default, to reduce information leakage about the stack

Architecture Overview

Helmet is a wrapper that calls up to 15 individual middleware functions in sequence. Each function targets one HTTP header: it reads its configuration once when constructed, sets (or, for X-Powered-By, removes) the header on the response object, and calls next(). The top-level helmet() function accepts an options object keyed by sub-middleware name, where each header can be configured with its own options or disabled with false. Since each sub-middleware is independent, it can also be used standalone without the umbrella function. Because the headers are set on the response object as it passes through, helmet() must be registered before any route handler that sends a response; a handler that runs first will reply without the headers.
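The following is an added example written for this page, not Helmet's source code: a miniature re-creation of the structure just described, with one factory per header, an umbrella that composes the enabled ones, and a constructed fake response so the effect can be observed without Express. The option names (contentSecurityPolicy, hsts, frameguard, noSniff, hidePoweredBy) mirror Helmet's; the default values are deliberately simplified and are assumptions, not Helmet's real defaults.

```javascript
"use strict";

// Serialise a directive map into a CSP header value. camelCase keys become
// the header's kebab-case form; an empty array yields a bare directive
// such as upgrade-insecure-requests.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => {
      const kebab = name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
      return values.length ? `${kebab} ${values.join(" ")}` : kebab;
    })
    .join("; ");
}

// Each sub-middleware is a factory: (options) => (req, res, next).
// Defaults here are simplified assumptions, not Helmet's own.
const headerMiddlewares = {
  contentSecurityPolicy(opts = {}) {
    const directives = opts.directives || { defaultSrc: ["'self'"], objectSrc: ["'none'"] };
    // reportOnly switches to the report-only header: violations are reported, not enforced.
    const header = opts.reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
    const value = serializeCsp(directives);
    return (req, res, next) => { res.setHeader(header, value); next(); };
  },
  hsts(opts = {}) {
    const maxAge = Number.isInteger(opts.maxAge) ? opts.maxAge : 31536000;
    const value = `max-age=${maxAge}` + (opts.includeSubDomains === false ? "" : "; includeSubDomains");
    return (req, res, next) => { res.setHeader("Strict-Transport-Security", value); next(); };
  },
  frameguard(opts = {}) {
    const action = (opts.action || "sameorigin").toUpperCase();
    return (req, res, next) => { res.setHeader("X-Frame-Options", action); next(); };
  },
  noSniff() {
    return (req, res, next) => { res.setHeader("X-Content-Type-Options", "nosniff"); next(); };
  },
  hidePoweredBy() {
    // This one removes a header Express adds by default rather than setting one.
    return (req, res, next) => { res.removeHeader("X-Powered-By"); next(); };
  },
};

// The umbrella: instantiate every sub-middleware not disabled with `false`,
// then run the chain in order, stopping early if one passes an error to next().
function miniHelmet(options = {}) {
  const chain = Object.entries(headerMiddlewares)
    .filter(([name]) => options[name] !== false)
    .map(([name, make]) => make(options[name] === true ? undefined : options[name]));
  return (req, res, next) => {
    let i = 0;
    const step = (err) => {
      if (err) return next(err);
      if (i === chain.length) return next();
      chain[i++](req, res, step);
    };
    step();
  };
}

// Minimal stand-in for an Express response: just enough to observe header changes.
function fakeResponse(initial) {
  const headers = {};
  for (const [k, v] of Object.entries(initial)) headers[k.toLowerCase()] = v;
  return {
    headers,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    removeHeader(name) { delete headers[name.toLowerCase()]; },
  };
}

// Run one middleware against a constructed request/response and return the
// resulting headers (lower-cased names). Starts from the X-Powered-By header
// a default Express app would already have added.
function applyHeaders(middleware, initial = { "X-Powered-By": "Express" }) {
  const res = fakeResponse(initial);
  let nextCalled = false;
  middleware({}, res, (err) => { if (err) throw err; nextCalled = true; });
  if (!nextCalled) throw new Error("middleware never called next()");
  return res.headers;
}

console.log(applyHeaders(miniHelmet()));
console.log(applyHeaders(miniHelmet({ frameguard: false, hsts: { maxAge: 600 } })));
```

The umbrella is only a sequencer: disabling a header means the factory is never called, and configuring one means its options object is handed straight to that factory, which is why each piece also works on its own.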

Self-Hosting & Configuration

  • Install via npm: npm install helmet
  • Use all defaults with app.use(helmet()), registered before your routes
  • Disable specific headers: helmet({ frameguard: false })
  • Configure CSP: helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"] } } }). Directives you supply are merged over Helmet's defaults unless you also pass useDefaults: false, so check the resulting header rather than assuming only your directives are sent
  • Use individual middleware: app.use(helmet.hsts({ maxAge: 31536000 })), where maxAge is in seconds

Key Features

  • One-line setup provides sensible security defaults for all supported headers
  • Each header middleware is independently configurable or can be disabled
  • Content-Security-Policy support with directive-level control
  • Cross-Origin headers (COOP, COEP, CORP) for modern isolation requirements
  • No runtime dependencies; it relies only on the (req, res, next) middleware interface that Express provides

Comparison with Similar Tools

  • cors — handles Cross-Origin Resource Sharing headers; Helmet handles security headers (complementary)
  • csurf — provided CSRF token protection but has been deprecated by its maintainers; Helmet focuses on response headers only and offers no CSRF protection, so pick a maintained CSRF library if you need one
  • express-rate-limit — rate limiting middleware; Helmet does not handle rate limits
  • Nginx/Apache headers — server-level header configuration; Helmet operates at the application level

FAQ

Q: Does Helmet replace a web application firewall? A: No. Helmet sets browser-interpreted security headers. It does not inspect request payloads or block malicious traffic, and the headers only protect clients that honour them, which means browsers, not scripted clients or bots.

Q: Can I use Helmet with Fastify or Koa? A: Helmet is designed for Express. For Fastify, use @fastify/helmet. For Koa, use koa-helmet.

Q: Does Helmet set CORS headers? A: No. Use the cors package for Cross-Origin Resource Sharing. Helmet handles security headers like CSP and HSTS.

Q: Will Helmet break my app? A: It can. The default CSP is restrictive: it blocks inline scripts and event-handler attributes and only allows scripts from your own origin, so pages with inline <script> blocks or third-party scripts will stop working until you adjust the contentSecurityPolicy directives. Roll it out with reportOnly: true first, which sends Content-Security-Policy-Report-Only so violations are reported without being enforced, and resist "fixing" breakage by adding 'unsafe-inline' to script-src, which removes most of the XSS protection the header provides.
