CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/npm-helmet

Comprehensive Express.js security middleware library that automatically sets multiple HTTP response headers to protect web applications against common security vulnerabilities.

Pending
Quality

Pending

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Pending

The risk profile of this skill

Overview
Eval results
Files

legacy-security-headers.mddocs/

Legacy Security Headers

Traditional X-* headers for protecting against common web vulnerabilities including XSS, clickjacking, and information disclosure.

Capabilities

X-Content-Type-Options

Prevents MIME type sniffing by instructing browsers to use the declared Content-Type.

/**
 * Sets X-Content-Type-Options header to "nosniff"
 * @returns Express middleware function
 */
function xContentTypeOptions(): MiddlewareFunction;

Usage Example:

import { xContentTypeOptions } from "helmet";

app.use(xContentTypeOptions());
// Sets: X-Content-Type-Options: nosniff

This prevents browsers from interpreting files as different MIME types than declared, which can prevent XSS attacks via file upload vulnerabilities.

X-DNS-Prefetch-Control

Controls DNS prefetching to improve privacy and reduce unnecessary DNS lookups.

/**
 * Sets X-DNS-Prefetch-Control header
 * @param options - DNS prefetch control options
 * @returns Express middleware function
 */
function xDnsPrefetchControl(
  options?: XDnsPrefetchControlOptions
): MiddlewareFunction;

interface XDnsPrefetchControlOptions {
  /** Whether to allow DNS prefetching (default: false) */
  allow?: boolean;
}

Usage Examples:

import { xDnsPrefetchControl } from "helmet";

// Default: disable DNS prefetching
app.use(xDnsPrefetchControl());
// Sets: X-DNS-Prefetch-Control: off

// Enable DNS prefetching
app.use(xDnsPrefetchControl({ allow: true }));
// Sets: X-DNS-Prefetch-Control: on

DNS prefetching can improve performance but may leak information about user browsing patterns. Disabling it improves privacy.

X-Download-Options

Prevents Internet Explorer from executing downloads in the site's context.

/**
 * Sets X-Download-Options header to "noopen"
 * @returns Express middleware function
 */
function xDownloadOptions(): MiddlewareFunction;

Usage Example:

import { xDownloadOptions } from "helmet";

app.use(xDownloadOptions());
// Sets: X-Download-Options: noopen

This prevents IE from opening downloads directly in the browser context, reducing XSS risks from malicious downloads.

X-Frame-Options

Prevents clickjacking attacks by controlling whether the page can be embedded in frames.

/**
 * Sets X-Frame-Options header to prevent clickjacking
 * @param options - Frame options configuration
 * @returns Express middleware function
 */
function xFrameOptions(
  options?: XFrameOptionsOptions
): MiddlewareFunction;

interface XFrameOptionsOptions {
  /** Frame policy action (default: "sameorigin") */
  action?: "deny" | "sameorigin";
}

Usage Examples:

import { xFrameOptions } from "helmet";

// Default: allow same-origin framing
app.use(xFrameOptions());
// Sets: X-Frame-Options: SAMEORIGIN

// Deny all framing
app.use(xFrameOptions({ action: "deny" }));
// Sets: X-Frame-Options: DENY

Action Values:

  • sameorigin: Allow framing by same-origin pages only
  • deny: Prevent all framing (most secure)

Note: Consider using CSP frame-ancestors directive instead, as it's more flexible and part of modern security standards.

X-Permitted-Cross-Domain-Policies

Controls cross-domain policy file access for Flash and PDF content.

/**
 * Sets X-Permitted-Cross-Domain-Policies header
 * @param options - Cross-domain policies configuration
 * @returns Express middleware function
 */
function xPermittedCrossDomainPolicies(
  options?: XPermittedCrossDomainPoliciesOptions
): MiddlewareFunction;

interface XPermittedCrossDomainPoliciesOptions {
  /** Policy permission level (default: "none") */
  permittedPolicies?: "none" | "master-only" | "by-content-type" | "all";
}

Usage Examples:

import { xPermittedCrossDomainPolicies } from "helmet";

// Default: no cross-domain policies
app.use(xPermittedCrossDomainPolicies());
// Sets: X-Permitted-Cross-Domain-Policies: none

// Allow master policy file only
app.use(xPermittedCrossDomainPolicies({ 
  permittedPolicies: "master-only" 
}));
// Sets: X-Permitted-Cross-Domain-Policies: master-only

Policy Values:

  • none: No policy files allowed (most secure)
  • master-only: Only /crossdomain.xml allowed
  • by-content-type: Allow policy files served with correct Content-Type
  • all: Allow all policy files

X-Powered-By

Removes the X-Powered-By header to hide server technology information.

/**
 * Removes X-Powered-By header
 * @returns Express middleware function
 */
function xPoweredBy(): MiddlewareFunction;

Usage Example:

import { xPoweredBy } from "helmet";

app.use(xPoweredBy());
// Removes: X-Powered-By header

This prevents information disclosure about the server technology stack, making it slightly harder for attackers to identify potential vulnerabilities.

X-XSS-Protection

Disables legacy XSS filtering in browsers due to potential security issues.

/**
 * Sets X-XSS-Protection header to "0" to disable legacy XSS filtering
 * @returns Express middleware function
 */
function xXssProtection(): MiddlewareFunction;

Usage Example:

import { xXssProtection } from "helmet";

app.use(xXssProtection());
// Sets: X-XSS-Protection: 0

Legacy XSS filters in browsers can sometimes be bypassed or cause legitimate content to be blocked. Modern CSP is more effective for XSS prevention.

Legacy Aliases

Helmet provides backward-compatible aliases for these headers:

// Legacy aliases (same functionality as above)
const noSniff: typeof xContentTypeOptions;
const dnsPrefetchControl: typeof xDnsPrefetchControl;
const ieNoOpen: typeof xDownloadOptions;
const frameguard: typeof xFrameOptions;
const permittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies;
const hidePoweredBy: typeof xPoweredBy;
const xssFilter: typeof xXssProtection;

Usage Examples:

import { 
  noSniff, 
  frameguard, 
  hidePoweredBy 
} from "helmet";

// These are equivalent to their X-* counterparts
app.use(noSniff());
app.use(frameguard({ action: "deny" }));
app.use(hidePoweredBy());

Modern Alternatives

Many of these legacy headers have modern replacements:

X-Frame-Options → CSP frame-ancestors

// Legacy
app.use(xFrameOptions({ action: "deny" }));

// Modern (preferred)
app.use(contentSecurityPolicy({
  directives: {
    "frame-ancestors": ["'none'"]
  }
}));

X-XSS-Protection → CSP script-src

// Legacy (now disabled by Helmet)
app.use(xXssProtection());

// Modern (preferred) 
app.use(contentSecurityPolicy({
  directives: {
    "script-src": ["'self'"],
    "object-src": ["'none'"]
  }
}));

Security Impact

High Impact

  • X-Frame-Options: Prevents clickjacking attacks
  • X-Content-Type-Options: Prevents MIME confusion attacks

Medium Impact

  • X-Download-Options: Reduces IE-specific XSS risks
  • X-Permitted-Cross-Domain-Policies: Prevents Flash/PDF policy abuse

Low Impact

  • X-DNS-Prefetch-Control: Privacy improvement
  • X-Powered-By: Information disclosure prevention
  • X-XSS-Protection: Disables potentially harmful legacy feature

Browser Support

All these headers have excellent browser support, including legacy versions. However, modern CSP-based approaches are preferred for new applications as they provide more granular control and better security.

docs

content-security-policy.md

cross-origin-policies.md

index.md

legacy-security-headers.md

main-helmet-function.md

transport-security.md

tile.json