or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

docs

content-security-policy.mdcross-origin-policies.mdindex.mdlegacy-security-headers.mdmain-helmet-function.mdtransport-security.md
tile.json

legacy-security-headers.mddocs/

Legacy Security Headers

Traditional X-* headers for protecting against common web vulnerabilities including XSS, clickjacking, and information disclosure.

Capabilities

X-Content-Type-Options

Prevents MIME type sniffing by instructing browsers to use the declared Content-Type.

/**
 * Sets X-Content-Type-Options header to "nosniff"
 * @returns Express middleware function
 */
function xContentTypeOptions(): MiddlewareFunction;

Usage Example:

import { xContentTypeOptions } from "helmet";

app.use(xContentTypeOptions());
// Sets: X-Content-Type-Options: nosniff

This prevents browsers from interpreting files as different MIME types than declared, which can prevent XSS attacks via file upload vulnerabilities.

X-DNS-Prefetch-Control

Controls DNS prefetching to improve privacy and reduce unnecessary DNS lookups.

/**
 * Sets X-DNS-Prefetch-Control header
 * @param options - DNS prefetch control options
 * @returns Express middleware function
 */
function xDnsPrefetchControl(
  options?: XDnsPrefetchControlOptions
): MiddlewareFunction;

interface XDnsPrefetchControlOptions {
  /** Whether to allow DNS prefetching (default: false) */
  allow?: boolean;
}

Usage Examples:

import { xDnsPrefetchControl } from "helmet";

// Default: disable DNS prefetching
app.use(xDnsPrefetchControl());
// Sets: X-DNS-Prefetch-Control: off

// Enable DNS prefetching
app.use(xDnsPrefetchControl({ allow: true }));
// Sets: X-DNS-Prefetch-Control: on

DNS prefetching can improve performance but may leak information about user browsing patterns. Disabling it improves privacy.

X-Download-Options

Prevents Internet Explorer from executing downloads in the site's context.

/**
 * Sets X-Download-Options header to "noopen"
 * @returns Express middleware function
 */
function xDownloadOptions(): MiddlewareFunction;

Usage Example:

import { xDownloadOptions } from "helmet";

app.use(xDownloadOptions());
// Sets: X-Download-Options: noopen

This prevents IE from opening downloads directly in the browser context, reducing XSS risks from malicious downloads.

X-Frame-Options

Prevents clickjacking attacks by controlling whether the page can be embedded in frames.

/**
 * Sets X-Frame-Options header to prevent clickjacking
 * @param options - Frame options configuration
 * @returns Express middleware function
 */
function xFrameOptions(
  options?: XFrameOptionsOptions
): MiddlewareFunction;

interface XFrameOptionsOptions {
  /** Frame policy action (default: "sameorigin") */
  action?: "deny" | "sameorigin";
}

Usage Examples:

import { xFrameOptions } from "helmet";

// Default: allow same-origin framing
app.use(xFrameOptions());
// Sets: X-Frame-Options: SAMEORIGIN

// Deny all framing
app.use(xFrameOptions({ action: "deny" }));
// Sets: X-Frame-Options: DENY

Action Values:

  • sameorigin: Allow framing by same-origin pages only
  • deny: Prevent all framing (most secure)

Note: Consider using CSP 

frame-ancestors
directive instead, as it's more flexible and part of modern security standards.

X-Permitted-Cross-Domain-Policies

Controls cross-domain policy file access for Flash and PDF content.

/**
 * Sets X-Permitted-Cross-Domain-Policies header
 * @param options - Cross-domain policies configuration
 * @returns Express middleware function
 */
function xPermittedCrossDomainPolicies(
  options?: XPermittedCrossDomainPoliciesOptions
): MiddlewareFunction;

interface XPermittedCrossDomainPoliciesOptions {
  /** Policy permission level (default: "none") */
  permittedPolicies?: "none" | "master-only" | "by-content-type" | "all";
}

Usage Examples:

import { xPermittedCrossDomainPolicies } from "helmet";

// Default: no cross-domain policies
app.use(xPermittedCrossDomainPolicies());
// Sets: X-Permitted-Cross-Domain-Policies: none

// Allow master policy file only
app.use(xPermittedCrossDomainPolicies({ 
  permittedPolicies: "master-only" 
}));
// Sets: X-Permitted-Cross-Domain-Policies: master-only

Policy Values:

  • none: No policy files allowed (most secure)
  • master-only: Only /crossdomain.xml allowed
  • by-content-type: Allow policy files served with correct Content-Type
  • all: Allow all policy files

X-Powered-By

Removes the X-Powered-By header to hide server technology information.

/**
 * Removes X-Powered-By header
 * @returns Express middleware function
 */
function xPoweredBy(): MiddlewareFunction;

Usage Example:

import { xPoweredBy } from "helmet";

app.use(xPoweredBy());
// Removes: X-Powered-By header

This prevents information disclosure about the server technology stack, making it slightly harder for attackers to identify potential vulnerabilities.

X-XSS-Protection

Disables legacy XSS filtering in browsers due to potential security issues.

/**
 * Sets X-XSS-Protection header to "0" to disable legacy XSS filtering
 * @returns Express middleware function
 */
function xXssProtection(): MiddlewareFunction;

Usage Example:

import { xXssProtection } from "helmet";

app.use(xXssProtection());
// Sets: X-XSS-Protection: 0

Legacy XSS filters in browsers can sometimes be bypassed or cause legitimate content to be blocked. Modern CSP is more effective for XSS prevention.

Legacy Aliases

Helmet provides backward-compatible aliases for these headers:

// Legacy aliases (same functionality as above)
const noSniff: typeof xContentTypeOptions;
const dnsPrefetchControl: typeof xDnsPrefetchControl;
const ieNoOpen: typeof xDownloadOptions;
const frameguard: typeof xFrameOptions;
const permittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies;
const hidePoweredBy: typeof xPoweredBy;
const xssFilter: typeof xXssProtection;

Usage Examples:

import { 
  noSniff, 
  frameguard, 
  hidePoweredBy 
} from "helmet";

// These are equivalent to their X-* counterparts
app.use(noSniff());
app.use(frameguard({ action: "deny" }));
app.use(hidePoweredBy());

Modern Alternatives

Many of these legacy headers have modern replacements:

X-Frame-Options → CSP frame-ancestors

// Legacy
app.use(xFrameOptions({ action: "deny" }));

// Modern (preferred)
app.use(contentSecurityPolicy({
  directives: {
    "frame-ancestors": ["'none'"]
  }
}));

X-XSS-Protection → CSP script-src

// Legacy (now disabled by Helmet)
app.use(xXssProtection());

// Modern (preferred) 
app.use(contentSecurityPolicy({
  directives: {
    "script-src": ["'self'"],
    "object-src": ["'none'"]
  }
}));

Security Impact

High Impact

  • X-Frame-Options: Prevents clickjacking attacks
  • X-Content-Type-Options: Prevents MIME confusion attacks

Medium Impact

  • X-Download-Options: Reduces IE-specific XSS risks
  • X-Permitted-Cross-Domain-Policies: Prevents Flash/PDF policy abuse

Low Impact

  • X-DNS-Prefetch-Control: Privacy improvement
  • X-Powered-By: Information disclosure prevention
  • X-XSS-Protection: Disables potentially harmful legacy feature

Browser Support

All these headers have excellent browser support, including legacy versions. However, modern CSP-based approaches are preferred for new applications as they provide more granular control and better security.