# Helmet — Secure Express Apps with HTTP Headers

> Helmet is a collection of middleware functions for Express that set security-related HTTP response headers, helping protect apps from common web vulnerabilities like XSS, clickjacking, and MIME sniffing.

## Install

Install Helmet from npm in your project root; the command is listed under Self-Hosting & Configuration below.

## Quick Use

```javascript
const express = require('express');
const helmet = require('helmet');

const app = express();
app.use(helmet());

app.get('/', (req, res) => res.send('Secured with Helmet'));
app.listen(3000);
```

## Introduction

Helmet wraps 15 smaller middleware functions that each set a specific HTTP security header. With a single `app.use(helmet())` call, your Express app gets sensible defaults for Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, and more.

## What Helmet Does

- Sets Content-Security-Policy to control which resources the browser can load
- Enables Strict-Transport-Security to enforce HTTPS connections
- Adds X-Content-Type-Options to prevent MIME type sniffing
- Sets X-Frame-Options to block clickjacking via iframe embedding
- Removes the X-Powered-By header to reduce information leakage

## Architecture Overview

Helmet is a wrapper that calls up to 15 individual middleware functions in sequence. Each function targets one HTTP header: it reads its configuration, sets the appropriate header value on the response object, and calls `next()`. The top-level `helmet()` function accepts an options object in which each header can be configured or disabled individually. Because each sub-middleware is independent, it can also be used standalone without the umbrella function.
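To make the architecture above concrete, here is an added example (not Helmet's own code) that models it: a handful of one-header sub-middlewares, an umbrella function that runs them in sequence and accepts a Helmet-style options object (`false` disables a header, an object configures it), and a stand-in response object so the resulting headers can be inspected without a server. All function names, the directive set and the default values are illustrative assumptions, not Helmet's exact defaults.

```javascript
// Added example modelling the Helmet architecture (not Helmet's code).
// Each sub-middleware sets exactly one header and calls next().
// Names and defaults are illustrative assumptions.
const serializeCsp = (directives) =>
  Object.entries(directives)
    // camelCase option keys (defaultSrc) become header directive names (default-src)
    .map(([k, v]) => `${k.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase())} ${v.join(' ')}`)
    .join('; ');

const contentSecurityPolicy = (opts = {}) => {
  const directives = opts.directives || { defaultSrc: ["'self'"], objectSrc: ["'none'"] };
  const value = serializeCsp(directives);
  return (req, res, next) => { res.setHeader('Content-Security-Policy', value); next(); };
};
const hsts = (opts = {}) => {
  const value = `max-age=${opts.maxAge || 31536000}; includeSubDomains`;
  return (req, res, next) => { res.setHeader('Strict-Transport-Security', value); next(); };
};
const noSniff = () => (req, res, next) => { res.setHeader('X-Content-Type-Options', 'nosniff'); next(); };
const frameguard = (opts = {}) => (req, res, next) => {
  res.setHeader('X-Frame-Options', (opts.action || 'sameorigin').toUpperCase()); next();
};
const hidePoweredBy = () => (req, res, next) => { res.removeHeader('X-Powered-By'); next(); };

const SUB_MIDDLEWARE = { contentSecurityPolicy, hsts, noSniff, frameguard, hidePoweredBy };

// The umbrella: builds the chain from the options object and runs it in sequence.
function miniHelmet(options = {}) {
  const chain = Object.entries(SUB_MIDDLEWARE)
    .filter(([name]) => options[name] !== false)            // `false` disables a header
    .map(([name, factory]) => factory(options[name] === true ? {} : options[name]));
  return (req, res, next) => {
    let i = 0;
    const step = () => (i < chain.length ? chain[i++](req, res, step) : next());
    step();
  };
}

// Run any middleware against a stand-in response and return the headers it left behind.
function applyHeaders(middleware) {
  const headers = { 'X-Powered-By': 'Express' }; // constructed: what Express sets by default
  const res = {
    setHeader: (k, v) => { headers[k] = v; },
    removeHeader: (k) => { delete headers[k]; },
  };
  middleware({}, res, () => {});
  return headers;
}
```

`applyHeaders(miniHelmet({ frameguard: false, hsts: { maxAge: 60 } }))` shows the disable-and-configure shape from the configuration section, and `applyHeaders(hsts({ maxAge: 31536000 }))` shows a sub-middleware used standalone.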
## Self-Hosting & Configuration

- Install via npm: `npm install helmet`
- Use all defaults with `app.use(helmet())`
- Disable specific headers: `helmet({ frameguard: false })`
- Configure CSP: `helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"] } } })`
- Use individual middleware: `app.use(helmet.hsts({ maxAge: 31536000 }))`

## Key Features

- One-line setup provides sensible security defaults for all supported headers
- Each header middleware is independently configurable or can be disabled
- Content-Security-Policy support with directive-level control
- Cross-Origin headers (COOP, COEP, CORP) for modern isolation requirements
- No dependencies beyond the Express-compatible middleware interface

## Comparison with Similar Tools

- **cors** — handles Cross-Origin Resource Sharing headers; Helmet handles security headers (complementary)
- **csurf** — provides CSRF token protection; Helmet focuses on response headers only
- **express-rate-limit** — rate limiting middleware; Helmet does not handle rate limits
- **Nginx/Apache headers** — server-level header configuration; Helmet operates at the application level

## FAQ

**Q: Does Helmet replace a web application firewall?**

A: No. Helmet sets browser-interpreted security headers. It does not inspect request payloads or block malicious traffic.

**Q: Can I use Helmet with Fastify or Koa?**

A: Helmet is designed for Express. For Fastify, use `@fastify/helmet`. For Koa, use `koa-helmet`.

**Q: Does Helmet set CORS headers?**

A: No. Use the `cors` package for Cross-Origin Resource Sharing. Helmet handles security headers like CSP and HSTS.

**Q: Will Helmet break my app?**

A: The default CSP policy is restrictive. If your app loads external scripts or styles, you may need to configure the `contentSecurityPolicy` directives.

## Sources

- https://github.com/helmetjs/helmet
- https://helmetjs.github.io/

---

Source: https://tokrepo.com/en/workflows/asset-da3b3a60
Author: AI Open Source