or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

docs

content-security-policy.mdcross-origin-policies.mdindex.mdlegacy-security-headers.mdmain-helmet-function.mdtransport-security.md
tile.json

tessl/npm-helmet

Comprehensive Express.js security middleware library that automatically sets multiple HTTP response headers to protect web applications against common security vulnerabilities.

Workspace
tessl
Visibility
Public
Created
Last updated
Describes
npmpkg:npm/helmet@8.1.x

To install, run

npx @tessl/cli install tessl/npm-helmet@8.1.0

index.mddocs/

Helmet

Helmet is a comprehensive Express.js security middleware library that automatically sets multiple HTTP response headers to protect web applications against common security vulnerabilities. It provides configurable protection through headers like Content-Security-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Strict-Transport-Security, and various X-* headers, offering defense against attacks including XSS, clickjacking, MIME sniffing, and protocol downgrade attacks.

Package Information

  • Package Name: helmet
  • Package Type: npm
  • Language: TypeScript
  • Installation: npm install helmet

Core Imports

import helmet from "helmet";

For individual middleware:

import { 
  contentSecurityPolicy, 
  xFrameOptions, 
  strictTransportSecurity 
} from "helmet";

CommonJS:

const helmet = require("helmet");
const { contentSecurityPolicy, xFrameOptions } = require("helmet");

Basic Usage

import express from "express";
import helmet from "helmet";

const app = express();

// Use all default security headers
app.use(helmet());

// Configure specific options
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"]
    }
  },
  crossOriginEmbedderPolicy: false
}));

// Use individual middleware
app.use(helmet.xFrameOptions({ action: "deny" }));

Architecture

Helmet is built around several key components:

  • Main Function: The default export helmet() that combines all security middlewares based on configuration
  • Individual Middlewares: 14 specialized middleware functions, each setting specific security headers
  • Legacy Aliases: Backward-compatible function names for older API versions
  • Type System: Full TypeScript support with comprehensive option interfaces
  • Configurable Security: Each middleware can be enabled, disabled, or configured with specific options

Capabilities

Main Helmet Function

The primary function that combines all security middlewares into a single Express middleware with configurable options.

function helmet(options?: Readonly<HelmetOptions>): (
  req: IncomingMessage,
  res: ServerResponse,
  next: (err?: unknown) => void
) => void;

type HelmetOptions = {
  contentSecurityPolicy?: ContentSecurityPolicyOptions | boolean;
  crossOriginEmbedderPolicy?: CrossOriginEmbedderPolicyOptions | boolean;
  crossOriginOpenerPolicy?: CrossOriginOpenerPolicyOptions | boolean;
  crossOriginResourcePolicy?: CrossOriginResourcePolicyOptions | boolean;
  originAgentCluster?: boolean;
  referrerPolicy?: ReferrerPolicyOptions | boolean;
} & (
  | { strictTransportSecurity?: StrictTransportSecurityOptions | boolean; hsts?: never; }
  | { hsts?: StrictTransportSecurityOptions | boolean; strictTransportSecurity?: never; }
) & (
  | { xContentTypeOptions?: boolean; noSniff?: never }
  | { noSniff?: boolean; xContentTypeOptions?: never }
) & (
  | { xDnsPrefetchControl?: XDnsPrefetchControlOptions | boolean; dnsPrefetchControl?: never; }
  | { dnsPrefetchControl?: XDnsPrefetchControlOptions | boolean; xDnsPrefetchControl?: never; }
) & (
  | { xDownloadOptions?: boolean; ieNoOpen?: never }
  | { ieNoOpen?: boolean; xDownloadOptions?: never }
) & (
  | { xFrameOptions?: XFrameOptionsOptions | boolean; frameguard?: never }
  | { frameguard?: XFrameOptionsOptions | boolean; xFrameOptions?: never }
) & (
  | { xPermittedCrossDomainPolicies?: XPermittedCrossDomainPoliciesOptions | boolean; permittedCrossDomainPolicies?: never; }
  | { permittedCrossDomainPolicies?: XPermittedCrossDomainPoliciesOptions | boolean; xPermittedCrossDomainPolicies?: never; }
) & (
  | { xPoweredBy?: boolean; hidePoweredBy?: never }
  | { hidePoweredBy?: boolean; xPoweredBy?: never }
) & (
  | { xXssProtection?: boolean; xssFilter?: never }
  | { xssFilter?: boolean; xXssProtection?: never }
);

Main Helmet Function

Content Security Policy

Comprehensive Content Security Policy header management with extensive directive configuration and built-in security defaults.

function contentSecurityPolicy(
  options?: ContentSecurityPolicyOptions
): MiddlewareFunction;

interface ContentSecurityPolicyOptions {
  useDefaults?: boolean;
  directives?: Record<string, CSPDirectiveValue>;
  reportOnly?: boolean;
}

function getDefaultDirectives(): CSPDirectives;

Content Security Policy

Cross-Origin Policies

Modern cross-origin security headers for controlling resource sharing, embedding, and browsing context isolation.

function crossOriginEmbedderPolicy(
  options?: CrossOriginEmbedderPolicyOptions
): MiddlewareFunction;

function crossOriginOpenerPolicy(
  options?: CrossOriginOpenerPolicyOptions
): MiddlewareFunction;

function crossOriginResourcePolicy(
  options?: CrossOriginResourcePolicyOptions
): MiddlewareFunction;

function originAgentCluster(): MiddlewareFunction;

Cross-Origin Policies

Transport Security

HTTPS enforcement and referrer policy configuration for secure communication and privacy protection.

function strictTransportSecurity(
  options?: StrictTransportSecurityOptions
): MiddlewareFunction;

function referrerPolicy(
  options?: ReferrerPolicyOptions
): MiddlewareFunction;

interface StrictTransportSecurityOptions {
  maxAge?: number;
  includeSubDomains?: boolean;
  preload?: boolean;
}

Transport Security

Legacy Security Headers

Traditional X-* headers for protecting against common web vulnerabilities including XSS, clickjacking, and information disclosure.

function xContentTypeOptions(): MiddlewareFunction;
function xDnsPrefetchControl(options?: XDnsPrefetchControlOptions): MiddlewareFunction;
function xDownloadOptions(): MiddlewareFunction;
function xFrameOptions(options?: XFrameOptionsOptions): MiddlewareFunction;
function xPermittedCrossDomainPolicies(options?: XPermittedCrossDomainPoliciesOptions): MiddlewareFunction;
function xPoweredBy(): MiddlewareFunction;
function xXssProtection(): MiddlewareFunction;

Legacy Security Headers

Types

type MiddlewareFunction = (
  req: IncomingMessage,
  res: ServerResponse,
  next: (error?: Error) => void
) => void;

interface Helmet {
  (options?: Readonly<HelmetOptions>): MiddlewareFunction;
  
  // Individual middleware properties
  contentSecurityPolicy: typeof contentSecurityPolicy;
  crossOriginEmbedderPolicy: typeof crossOriginEmbedderPolicy;
  crossOriginOpenerPolicy: typeof crossOriginOpenerPolicy;
  crossOriginResourcePolicy: typeof crossOriginResourcePolicy;
  originAgentCluster: typeof originAgentCluster;
  referrerPolicy: typeof referrerPolicy;
  strictTransportSecurity: typeof strictTransportSecurity;
  xContentTypeOptions: typeof xContentTypeOptions;
  xDnsPrefetchControl: typeof xDnsPrefetchControl;
  xDownloadOptions: typeof xDownloadOptions;
  xFrameOptions: typeof xFrameOptions;
  xPermittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies;
  xPoweredBy: typeof xPoweredBy;
  xXssProtection: typeof xXssProtection;
  
  // Legacy aliases
  dnsPrefetchControl: typeof xDnsPrefetchControl;
  frameguard: typeof xFrameOptions;
  hidePoweredBy: typeof xPoweredBy;
  hsts: typeof strictTransportSecurity;
  ieNoOpen: typeof xDownloadOptions;
  noSniff: typeof xContentTypeOptions;
  permittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies;
  xssFilter: typeof xXssProtection;
}