CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/npm-helmet

Comprehensive Express.js security middleware library that automatically sets multiple HTTP response headers to protect web applications against common security vulnerabilities.

Pending
Quality

Pending

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Pending

The risk profile of this skill

Overview
Eval results
Files

index.mddocs/

Helmet

Helmet is a comprehensive Express.js security middleware library that automatically sets multiple HTTP response headers to protect web applications against common security vulnerabilities. It provides configurable protection through headers like Content-Security-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Strict-Transport-Security, and various X-* headers, offering defense against attacks including XSS, clickjacking, MIME sniffing, and protocol downgrade attacks.

Package Information

  • Package Name: helmet
  • Package Type: npm
  • Language: TypeScript
  • Installation: npm install helmet

Core Imports

import helmet from "helmet";

For individual middleware:

import { 
  contentSecurityPolicy, 
  xFrameOptions, 
  strictTransportSecurity 
} from "helmet";

CommonJS:

const helmet = require("helmet");
const { contentSecurityPolicy, xFrameOptions } = require("helmet");

Basic Usage

import express from "express";
import helmet from "helmet";

const app = express();

// Use all default security headers
app.use(helmet());

// Configure specific options
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"]
    }
  },
  crossOriginEmbedderPolicy: false
}));

// Use individual middleware
app.use(helmet.xFrameOptions({ action: "deny" }));

Architecture

Helmet is built around several key components:

  • Main Function: The default export helmet() that combines all security middlewares based on configuration
  • Individual Middlewares: 14 specialized middleware functions, each setting specific security headers
  • Legacy Aliases: Backward-compatible function names for older API versions
  • Type System: Full TypeScript support with comprehensive option interfaces
  • Configurable Security: Each middleware can be enabled, disabled, or configured with specific options

Capabilities

Main Helmet Function

The primary function that combines all security middlewares into a single Express middleware with configurable options.

function helmet(options?: Readonly<HelmetOptions>): (
  req: IncomingMessage,
  res: ServerResponse,
  next: (err?: unknown) => void
) => void;

type HelmetOptions = {
  contentSecurityPolicy?: ContentSecurityPolicyOptions | boolean;
  crossOriginEmbedderPolicy?: CrossOriginEmbedderPolicyOptions | boolean;
  crossOriginOpenerPolicy?: CrossOriginOpenerPolicyOptions | boolean;
  crossOriginResourcePolicy?: CrossOriginResourcePolicyOptions | boolean;
  originAgentCluster?: boolean;
  referrerPolicy?: ReferrerPolicyOptions | boolean;
} & (
  | { strictTransportSecurity?: StrictTransportSecurityOptions | boolean; hsts?: never; }
  | { hsts?: StrictTransportSecurityOptions | boolean; strictTransportSecurity?: never; }
) & (
  | { xContentTypeOptions?: boolean; noSniff?: never }
  | { noSniff?: boolean; xContentTypeOptions?: never }
) & (
  | { xDnsPrefetchControl?: XDnsPrefetchControlOptions | boolean; dnsPrefetchControl?: never; }
  | { dnsPrefetchControl?: XDnsPrefetchControlOptions | boolean; xDnsPrefetchControl?: never; }
) & (
  | { xDownloadOptions?: boolean; ieNoOpen?: never }
  | { ieNoOpen?: boolean; xDownloadOptions?: never }
) & (
  | { xFrameOptions?: XFrameOptionsOptions | boolean; frameguard?: never }
  | { frameguard?: XFrameOptionsOptions | boolean; xFrameOptions?: never }
) & (
  | { xPermittedCrossDomainPolicies?: XPermittedCrossDomainPoliciesOptions | boolean; permittedCrossDomainPolicies?: never; }
  | { permittedCrossDomainPolicies?: XPermittedCrossDomainPoliciesOptions | boolean; xPermittedCrossDomainPolicies?: never; }
) & (
  | { xPoweredBy?: boolean; hidePoweredBy?: never }
  | { hidePoweredBy?: boolean; xPoweredBy?: never }
) & (
  | { xXssProtection?: boolean; xssFilter?: never }
  | { xssFilter?: boolean; xXssProtection?: never }
);

Main Helmet Function

Content Security Policy

Comprehensive Content Security Policy header management with extensive directive configuration and built-in security defaults.

function contentSecurityPolicy(
  options?: ContentSecurityPolicyOptions
): MiddlewareFunction;

interface ContentSecurityPolicyOptions {
  useDefaults?: boolean;
  directives?: Record<string, CSPDirectiveValue>;
  reportOnly?: boolean;
}

function getDefaultDirectives(): CSPDirectives;

Content Security Policy

Cross-Origin Policies

Modern cross-origin security headers for controlling resource sharing, embedding, and browsing context isolation.

function crossOriginEmbedderPolicy(
  options?: CrossOriginEmbedderPolicyOptions
): MiddlewareFunction;

function crossOriginOpenerPolicy(
  options?: CrossOriginOpenerPolicyOptions
): MiddlewareFunction;

function crossOriginResourcePolicy(
  options?: CrossOriginResourcePolicyOptions
): MiddlewareFunction;

function originAgentCluster(): MiddlewareFunction;

Cross-Origin Policies

Transport Security

HTTPS enforcement and referrer policy configuration for secure communication and privacy protection.

function strictTransportSecurity(
  options?: StrictTransportSecurityOptions
): MiddlewareFunction;

function referrerPolicy(
  options?: ReferrerPolicyOptions
): MiddlewareFunction;

interface StrictTransportSecurityOptions {
  maxAge?: number;
  includeSubDomains?: boolean;
  preload?: boolean;
}

Transport Security

Legacy Security Headers

Traditional X-* headers for protecting against common web vulnerabilities including XSS, clickjacking, and information disclosure.

function xContentTypeOptions(): MiddlewareFunction;
function xDnsPrefetchControl(options?: XDnsPrefetchControlOptions): MiddlewareFunction;
function xDownloadOptions(): MiddlewareFunction;
function xFrameOptions(options?: XFrameOptionsOptions): MiddlewareFunction;
function xPermittedCrossDomainPolicies(options?: XPermittedCrossDomainPoliciesOptions): MiddlewareFunction;
function xPoweredBy(): MiddlewareFunction;
function xXssProtection(): MiddlewareFunction;

Legacy Security Headers

Types

type MiddlewareFunction = (
  req: IncomingMessage,
  res: ServerResponse,
  next: (error?: Error) => void
) => void;

interface Helmet {
  (options?: Readonly<HelmetOptions>): MiddlewareFunction;
  
  // Individual middleware properties
  contentSecurityPolicy: typeof contentSecurityPolicy;
  crossOriginEmbedderPolicy: typeof crossOriginEmbedderPolicy;
  crossOriginOpenerPolicy: typeof crossOriginOpenerPolicy;
  crossOriginResourcePolicy: typeof crossOriginResourcePolicy;
  originAgentCluster: typeof originAgentCluster;
  referrerPolicy: typeof referrerPolicy;
  strictTransportSecurity: typeof strictTransportSecurity;
  xContentTypeOptions: typeof xContentTypeOptions;
  xDnsPrefetchControl: typeof xDnsPrefetchControl;
  xDownloadOptions: typeof xDownloadOptions;
  xFrameOptions: typeof xFrameOptions;
  xPermittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies;
  xPoweredBy: typeof xPoweredBy;
  xXssProtection: typeof xXssProtection;
  
  // Legacy aliases
  dnsPrefetchControl: typeof xDnsPrefetchControl;
  frameguard: typeof xFrameOptions;
  hidePoweredBy: typeof xPoweredBy;
  hsts: typeof strictTransportSecurity;
  ieNoOpen: typeof xDownloadOptions;
  noSniff: typeof xContentTypeOptions;
  permittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies;
  xssFilter: typeof xXssProtection;
}

docs

content-security-policy.md

cross-origin-policies.md

index.md

legacy-security-headers.md

main-helmet-function.md

transport-security.md

tile.json