image de chargement
Back to glossary

Helmet.js

Security middleware for Express.js that automatically configures HTTP headers to protect web applications against common vulnerabilities.

Updated on January 12, 2026

Helmet.js is an essential security middleware for Node.js applications using Express. It automatically configures various HTTP security headers to protect against XSS attacks, clickjacking, MIME sniffing, and other common web vulnerabilities. Helmet acts as a shield that strengthens your web application's security posture by enforcing security best practices recommended by OWASP.

Technical Fundamentals

  • Collection of 15 Express middlewares that set HTTP security headers
  • Default configuration based on OWASP recommendations and web security standards
  • Modular architecture allowing specific protections to be enabled/disabled as needed
  • Native compatibility with Express.js and derived frameworks like NestJS or Fastify

Key Benefits

  • Automatic protection against the 10 most critical web vulnerabilities (OWASP Top 10)
  • Single-line implementation with secure default configuration
  • Significant attack surface reduction through disabling revealing headers
  • Simplified compliance with security standards and audits (PCI-DSS, ISO 27001)
  • Optimal performance with negligible overhead on response times

Implementation Example

server.ts
import express from 'express';
import helmet from 'helmet';

const app = express();

// Default configuration (recommended)
app.use(helmet());

// Advanced custom configuration
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc: ["'self'", "'unsafe-inline'", 'cdn.example.com'],
        styleSrc: ["'self'", "'unsafe-inline'"],
        imgSrc: ["'self'", 'data:', 'https:'],
        connectSrc: ["'self'", 'api.example.com'],
        fontSrc: ["'self'", 'fonts.gstatic.com'],
        objectSrc: ["'none'"],
        upgradeInsecureRequests: []
      }
    },
    hsts: {
      maxAge: 31536000,
      includeSubDomains: true,
      preload: true
    },
    referrerPolicy: { policy: 'strict-origin-when-cross-origin' }
  })
);

app.get('/api/data', (req, res) => {
  res.json({ message: 'Secured with Helmet' });
});

app.listen(3000);

Configured Security Headers

  • Content-Security-Policy: prevents XSS attacks and malicious code injection
  • X-Frame-Options: protects against clickjacking by controlling iframe embedding
  • Strict-Transport-Security (HSTS): enforces HTTPS for all communications
  • X-Content-Type-Options: prevents browser MIME type sniffing
  • X-DNS-Prefetch-Control: controls DNS prefetching to limit information leakage
  • X-Download-Options: prevents Internet Explorer from executing unsafe downloads
  • X-Permitted-Cross-Domain-Policies: restricts Adobe cross-domain policies
  • Referrer-Policy: controls referrer information transmitted in requests
  • X-XSS-Protection: enables built-in XSS protection in legacy browsers

Strategic Implementation

  1. Install Helmet via npm: `npm install helmet` or `yarn add helmet`
  2. Integrate the middleware early in the Express chain for maximum protection
  3. Test the default configuration in development environment
  4. Analyze security headers with tools like Security Headers or Mozilla Observatory
  5. Customize CSP according to external resources used (CDN, analytics, fonts)
  6. Configure HSTS progressively starting with a short maxAge then increase it
  7. Validate compatibility with target browsers and adjust if necessary
  8. Implement monitoring of CSP errors via CSP violation reports

Production Tip

In production, always enable HSTS with preload and submit your domain to the browser HSTS preload list (hstspreload.org). Also configure CSP reports to detect violations and progressively refine your security policy without blocking legitimate functionality.

Tools and Ecosystem

  • Security Headers: online tool to analyze security header configuration
  • Mozilla Observatory: comprehensive web security scanner with detailed recommendations
  • OWASP ZAP: penetration testing suite to validate configuration effectiveness
  • CSP Evaluator: Google tool to analyze and optimize CSP policies
  • Snyk: vulnerability detection in Helmet and its dependencies
  • express-rate-limit: complement to Helmet for brute-force protection

Beware of Restrictive Configurations

An overly restrictive CSP can block legitimate functionality like inline scripts, dynamic styles, or external resources. Start in report-only mode to identify violations before enforcing a blocking policy in production.

Helmet.js represents a fundamental defense layer for any Node.js application exposed on the Internet. Its simple yet effective implementation drastically reduces security risks with minimal investment. By combining Helmet with other security practices like input validation, robust authentication, and rate limiting, you build a resilient architecture that protects both your users and infrastructure against modern web threats.

Themoneyisalreadyonthetable.

In 1 hour, discover exactly how much you're losing and how to recover it.

Agence de développement web, automatisation & IA

contact@peaklab.fr
Follow us

© PeakLab 2025

Mentions légalesPolitique de confidentialitéPlan du site