MCPcopy Index your code
hub / github.com/helmetjs/helmet

github.com/helmetjs/helmet @v8.2.0 sqlite

repository ↗ · DeepWiki ↗ · release v8.2.0 ↗
88 symbols 278 edges 42 files 0 documented · 0% 39 cross-repo links
README

Helmet

Helmet helps secure Node/Express apps. It sets HTTP response headers such as Content-Security-Policy and Strict-Transport-Security. It aims to be quick to integrate and be low maintenance afterward.

Quick start

import helmet from "helmet";

const app = express();

app.use(helmet());

This will set 13 HTTP response headers in your app.

See the docs for more info, including the FAQ.

Configuration

Each header can be disabled. To disable a header:

// Disable the Content-Security-Policy and X-Download-Options headers
app.use(
  helmet({
    contentSecurityPolicy: false,
    xDownloadOptions: false,
  }),
);

To configure a header, pass header-specific options:

// Configure the Content-Security-Policy header.
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        "script-src": ["'self'", "example.com"],
      },
    },
  }),
);

HTTP header reference

Content-Security-Policy

Default:

Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests

The Content-Security-Policy header mitigates a large number of attacks, such as [cross-site scripting][XSS]. See MDN's introductory article on Content Security Policy.

This header is powerful but likely requires some configuration for your specific app.

To configure this header, pass an object with a nested directives object. Each key is a directive name in camel case (such as defaultSrc) or kebab case (such as default-src). Each value is an array (or other iterable) of strings or functions for that directive. If a function appears in the array, it will be called with the request and response objects.

// Sets all of the defaults, but overrides `script-src`
// and disables the default `style-src`.
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        "script-src": ["'self'", "example.com"],
        "style-src": null,
      },
    },
  }),
);
// Sets the `script-src` directive to
// "'self' 'nonce-e33cc...'"
// (or similar)
app.use((req, res, next) => {
  res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
  next();
});
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
      },
    },
  }),
);

These directives are merged into a default policy, which you can disable by setting useDefaults to false.

// Sets "Content-Security-Policy: default-src 'self';
// script-src 'self' example.com;object-src 'none';
// upgrade-insecure-requests"
app.use(
  helmet({
    contentSecurityPolicy: {
      useDefaults: false,
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc: ["'self'", "example.com"],
        objectSrc: ["'none'"],
        upgradeInsecureRequests: [],
      },
    },
  }),
);

You can get the default directives object with helmet.contentSecurityPolicy.getDefaultDirectives(). Here is the default policy (formatted for readability):

default-src 'self';
base-uri 'self';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests

The default-src directive can be explicitly disabled by setting its value to helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc, but this is not recommended.

You can set the Content-Security-Policy-Report-Only instead:

// Sets the Content-Security-Policy-Report-Only header
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        /* ... */
      },
      reportOnly: true,
    },
  }),
);

upgrade-insecure-requests, a directive that causes browsers to upgrade HTTP to HTTPS, is set by default. You may wish to avoid this in development, as you may not be developing with HTTPS. Notably, Safari will upgrade http://localhost to https://localhost, which can cause problems. To work around this, you may wish to disable the upgrade-insecure-requests directive in development. For example:

const isDevelopment = app.get("env") === "development";

app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        // Disable upgrade-insecure-requests in development.
        "upgrade-insecure-requests": isDevelopment ? null : [],
      },
    },
  }),
);

Helmet performs very little validation on your CSP. You should rely on CSP checkers like CSP Evaluator instead.

To disable the Content-Security-Policy header:

app.use(
  helmet({
    contentSecurityPolicy: false,
  }),
);

You can use this as standalone middleware with app.use(helmet.contentSecurityPolicy()).

Cross-Origin-Embedder-Policy

This header is not set by default.

The Cross-Origin-Embedder-Policy header helps control what resources can be loaded cross-origin. See MDN's article on this header for more.

// Helmet does not set Cross-Origin-Embedder-Policy
// by default.
app.use(helmet());

// Sets "Cross-Origin-Embedder-Policy: require-corp"
app.use(helmet({ crossOriginEmbedderPolicy: true }));

// Sets "Cross-Origin-Embedder-Policy: credentialless"
app.use(helmet({ crossOriginEmbedderPolicy: { policy: "credentialless" } }));

You can use this as standalone middleware with app.use(helmet.crossOriginEmbedderPolicy()).

Cross-Origin-Opener-Policy

Default:

Cross-Origin-Opener-Policy: same-origin

The Cross-Origin-Opener-Policy header helps process-isolate your page. For more, see MDN's article on this header.

// Sets "Cross-Origin-Opener-Policy: same-origin"
app.use(helmet());

// Sets "Cross-Origin-Opener-Policy: same-origin-allow-popups"
app.use(
  helmet({
    crossOriginOpenerPolicy: { policy: "same-origin-allow-popups" },
  }),
);

To disable the Cross-Origin-Opener-Policy header:

app.use(
  helmet({
    crossOriginOpenerPolicy: false,
  }),
);

You can use this as standalone middleware with app.use(helmet.crossOriginOpenerPolicy()).

Cross-Origin-Resource-Policy

Default:

Cross-Origin-Resource-Policy: same-origin

The Cross-Origin-Resource-Policy header blocks others from loading your resources cross-origin in some cases. For more, see "Consider deploying Cross-Origin Resource Policy" and MDN's article on this header.

// Sets "Cross-Origin-Resource-Policy: same-origin"
app.use(helmet());

// Sets "Cross-Origin-Resource-Policy: same-site"
app.use(helmet({ crossOriginResourcePolicy: { policy: "same-site" } }));

To disable the Cross-Origin-Resource-Policy header:

app.use(
  helmet({
    crossOriginResourcePolicy: false,
  }),
);

You can use this as standalone middleware with app.use(helmet.crossOriginResourcePolicy()).

Origin-Agent-Cluster

Default:

Origin-Agent-Cluster: ?1

The Origin-Agent-Cluster header provides a mechanism to allow web applications to isolate their origins from other processes. Read more about it in the spec.

This header takes no options and is set by default.

// Sets "Origin-Agent-Cluster: ?1"
app.use(helmet());

To disable the Origin-Agent-Cluster header:

app.use(
  helmet({
    originAgentCluster: false,
  }),
);

You can use this as standalone middleware with app.use(helmet.originAgentCluster()).

Referrer-Policy

Default:

Referrer-Policy: no-referrer

The Referrer-Policy header which controls what information is set in [the Referer request header][Referer]. See "Referer header: privacy and security concerns" and the header's documentation on MDN for more.

// Sets "Referrer-Policy: no-referrer"
app.use(helmet());

policy is a string or array of strings representing the policy. If passed as an array, it will be joined with commas, which is useful when setting a fallback policy. It defaults to no-referrer.

// Sets "Referrer-Policy: no-referrer"
app.use(
  helmet({
    referrerPolicy: {
      policy: "no-referrer",
    },
  }),
);

// Sets "Referrer-Policy: origin,unsafe-url"
app.use(
  helmet({
    referrerPolicy: {
      policy: ["origin", "unsafe-url"],
    },
  }),
);

To disable the Referrer-Policy header:

app.use(
  helmet({
    referrerPolicy: false,
  }),
);

You can use this as standalone middleware with app.use(helmet.referrerPolicy()).

Strict-Transport-Security

Default:

Strict-Transport-Security: max-age=31536000; includeSubDomains

The Strict-Transport-Security header tells browsers to prefer HTTPS instead of insecure HTTP. See the documentation on MDN for more.

// Sets "Strict-Transport-Security: max-age=31536000; includeSubDomains"
app.use(helmet());

maxAge is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. It defaults to 365 days.

includeSubDomains is a boolean which dictates whether to include the includeSubDomains directive, which makes this policy extend to subdomains. It defaults to true.

preload is a boolean. If true, it adds the preload directive, expressing intent to add your HSTS policy to browsers. See the "Preloading Strict Transport Security" section on MDN for more. It defaults to false.

// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains"
app.use(
  helmet({
    strictTransportSecurity: {
      maxAge: 123456,
    },
  }),
);

// Sets "Strict-Transport-Security: max-age=123456"
app.use(
  helmet({
    strictTransportSecurity: {
      maxAge: 123456,
      includeSubDomains: false,
    },
  }),
);

// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains; preload"
app.use(
  helmet({
    strictTransportSecurity: {
      maxAge: 63072000,
      preload: true,
    },
  }),
);

To disable the Strict-Transport-Security header:

app.use(
  helmet({
    strictTransportSecurity: false,
  }),
);

You may wish to disable this header for local development, as it can make your browser force redirects from http://localhost to https://localhost, which may not be desirable if you develop multiple apps using localhost. See this issue for more discussion.

You can use this as standalone middleware with app.use(helmet.strictTransportSecurity()).

X-Content-Type-Options

Default:

X-Content-Type-Options: nosniff

The X-Content-Type-Options mitigates MIME type sniffing which can cause security issues. See documentation for this header on MDN for more.

This header takes no options and is set by default.

// Sets "X-Content-Type-Options: nosniff"
app.use(helmet());

To disable the X-Content-Type-Options header:

app.use(
  helmet({
    xContentTypeOptions: false,
  }),
);

You can use this as standalone middleware with app.use(helmet.xContentTypeOptions()).

X-DNS-Prefetch-Control

Default:

X-DNS-Prefetch-Control: off

The X-DNS-Prefetch-Control header helps control DNS prefetching, which can improve user privacy at the expense of performance. See documentation on MDN for more.

// Sets "X-DNS-Prefetch-Control: off"
app.use(helmet());

allow is a boolean dictating whether to enable DNS prefetching. It defaults to false.

Examples:

// Sets "X-DNS-Prefetch-Control: off"
app.use(
  helmet({
    xDnsPrefetchControl: { allow: false },
  }),
);

// Sets "X-DNS-Prefetch-Control: on"
app.use(
  helmet({
    xDnsPrefetchControl: { allow: true },
  }),
);

To disable the X-DNS-Prefetch-Control header and use the browser's default value:

```js

Extension points exported contracts — how you extend this code

Helmet (Interface)
(no doc)
index.ts
ReferrerPolicyOptions (Interface)
(no doc)
middlewares/referrer-policy/index.ts
CrossOriginEmbedderPolicyOptions (Interface)
(no doc)
middlewares/cross-origin-embedder-policy/index.ts
XFrameOptionsOptions (Interface)
(no doc)
middlewares/x-frame-options/index.ts
XDnsPrefetchControlOptions (Interface)
(no doc)
middlewares/x-dns-prefetch-control/index.ts
StrictTransportSecurityOptions (Interface)
(no doc)
middlewares/strict-transport-security/index.ts
CrossOriginOpenerPolicyOptions (Interface)
(no doc)
middlewares/cross-origin-opener-policy/index.ts
CrossOriginResourcePolicyOptions (Interface)
(no doc)
middlewares/cross-origin-resource-policy/index.ts

Core symbols most depended-on inside this repo

check
called by 90
test/helpers.ts
strictTransportSecurity
called by 31
middlewares/strict-transport-security/index.ts
contentSecurityPolicy
called by 19
middlewares/content-security-policy/index.ts
xFrameOptions
called by 15
middlewares/x-frame-options/index.ts
referrerPolicy
called by 13
middlewares/referrer-policy/index.ts
crossOriginEmbedderPolicy
called by 8
middlewares/cross-origin-embedder-policy/index.ts
crossOriginOpenerPolicy
called by 8
middlewares/cross-origin-opener-policy/index.ts
crossOriginResourcePolicy
called by 8
middlewares/cross-origin-resource-policy/index.ts

Shape

Function 77
Interface 11

Languages

TypeScript100%

Modules by API surface

middlewares/content-security-policy/index.ts9 symbols
test/project-setups/typescript-nodenext-esm/check.ts5 symbols
test/project-setups/typescript-nodenext-commonjs/check.ts5 symbols
test/project-setups/typescript-esnext/check.ts5 symbols
test/project-setups/typescript-commonjs/check.ts5 symbols
test/project-setups/typescript-commonjs-nodenext-moduleResolution/check.ts5 symbols
test/project-setups/javascript-esm/check.js5 symbols
test/project-setups/javascript-commonjs/check.js4 symbols
test/project-setups/javascript-commonjs-default-member/check.js4 symbols
middlewares/strict-transport-security/index.ts4 symbols
test/source-files.test.ts3 symbols
middlewares/x-permitted-cross-domain-policies/index.ts3 symbols

Dependencies from manifests, versioned

@eslint/js10.0.1 · 1×
@rollup/plugin-typescript12.3.0 · 1×
@types/connect3.4.38 · 1×
@types/node25.5.0 · 1×
@types/node-zopfli2.0.5 · 1×
@types/supertest7.2.0 · 1×
connect3.7.0 · 1×
eslint10.0.3 · 1×
globals17.4.0 · 1×
node-zopfli2.1.4 · 1×
npm-run-all28.0.4 · 1×
prettier3.8.1 · 1×

For agents

$ claude mcp add helmet \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact