Dimitris Chitas

Js Node (Helmet.js)

Hello there guys!

As the days go by and summer is near, a lot of you have finished your projects, a couple of them built in a Node/Express.js environment, and you are probably thinking this is the time to add some extra functionality with external libraries and packages. :D :D

Today I will focus on one dependency called Helmet.js. It also has an open repo on GitHub (check the helmet repo), and it helps us add some settings to our Express server; those settings are focused on the security of your app.

You can use npm or yarn; I will go with npm, so we can simply install it with npm install helmet --save, which saves it as a dependency of the project.

So if you already have an Express server running, you can simply require Helmet, see below:

const express = require("express");
const helmet = require("helmet");

const app = express();

app.use(helmet());

// ...

What is helmet?

Helmet is a function used as middleware that wraps 11 smaller middlewares. It sets HTTP headers, origin validations and some other things to avoid multiple attacks on your website or web app.

So the above app.use(helmet()); is equivalent to this:

app.use(helmet.contentSecurityPolicy());
app.use(helmet.dnsPrefetchControl());
app.use(helmet.expectCt());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.hsts());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.permittedCrossDomainPolicies());
app.use(helmet.referrerPolicy());
app.use(helmet.xssFilter());

Setting headers on your content, on your load balancers, and predefined checks that verify the clients' actions (who is who) are sugar on top of your application, not the core of your security build.

Let's see two examples.

1.

app.use(
  helmet({
    referrerPolicy: { policy: "no-referrer" },
  })
);
// Set custom options for the referrer policy

2.

// Sets "X-XSS-Protection: 0"
// Disables the browser's buggy cross-site scripting filter by setting
// the X-XSS-Protection header to 0
app.use(helmet.xssFilter());

// Sets "X-Content-Type-Options: nosniff"
// Sets the X-Content-Type-Options header to nosniff. This mitigates
// MIME type sniffing, which can cause security vulnerabilities
app.use(helmet.noSniff());
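To see what the middlewares in the list above and the two option examples actually do under the hood, here is an added example, not Helmet's own code, of a tiny Express-style middleware factory that sets the same three headers (Referrer-Policy, X-XSS-Protection, X-Content-Type-Options), drops X-Powered-By, and lets a referrerPolicy option override the default the same way the first example does. It rejects a Referrer-Policy token the spec does not define, since a misspelled token is silently ignored by browsers and leaves the referrer unprotected. The names securityHeaders, fakeResponse and runMiddleware are my own; the fake response object stands in for Express's res so the code runs without Express installed.

```javascript
// Added example (not Helmet's code): a minimal header-setting middleware in the
// same (req, res, next) shape Helmet's sub-middlewares use.

// Tokens defined by the Referrer-Policy spec. Anything else is a typo that
// browsers would ignore, so it is rejected at configuration time instead.
const REFERRER_POLICY_TOKENS = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
  "unsafe-url",
]);

// options.referrerPolicy.policy overrides the default, mirroring the
// helmet({ referrerPolicy: { policy: ... } }) shape used above.
function securityHeaders(options = {}) {
  const policy = (options.referrerPolicy && options.referrerPolicy.policy) || "no-referrer";
  if (!REFERRER_POLICY_TOKENS.has(policy)) {
    throw new Error(`Referrer-Policy: unknown token "${policy}"`);
  }
  const headers = {
    "Referrer-Policy": policy,          // what helmet.referrerPolicy() sets
    "X-XSS-Protection": "0",            // what helmet.xssFilter() sets
    "X-Content-Type-Options": "nosniff", // what helmet.noSniff() sets
  };
  return function (req, res, next) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    res.removeHeader("X-Powered-By");   // what helmet.hidePoweredBy() does
    next();
  };
}

// Constructed stand-in for Express's res: just enough of the header API.
function fakeResponse(initialHeaders = {}) {
  const store = new Map(
    Object.entries(initialHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  return {
    setHeader: (name, value) => store.set(name.toLowerCase(), value),
    removeHeader: (name) => store.delete(name.toLowerCase()),
    getHeader: (name) => store.get(name.toLowerCase()),
    headers: () => Object.fromEntries(store),
  };
}

// Run one middleware against a fake response and report what it produced.
function runMiddleware(middleware, res) {
  let nextCalled = false;
  middleware({}, res, () => { nextCalled = true; });
  return { nextCalled, headers: res.headers() };
}

// Usage with a real Express app would be: app.use(securityHeaders());
// Stand-alone demonstration against the fake response:
const demo = runMiddleware(
  securityHeaders({ referrerPolicy: { policy: "same-origin" } }),
  fakeResponse({ "X-Powered-By": "Express" })
);
// demo.headers now holds referrer-policy, x-xss-protection and
// x-content-type-options, and x-powered-by is gone.
```

The point to take from this is that each Helmet sub-middleware is nothing more than a setHeader call per response; the value lies in the defaults being the safe ones and in the options being validated, which is why overriding them should be a deliberate choice.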

That's all we have for today; for more information check the documentation on GitHub (link).

Have a nice workday guys; if you need further explanation do not hesitate to contact me or find me on GitHub or LinkedIn.
GitHub : https://github.com/feco2019
Linkedin : https://www.linkedin.com/in/dimitris-chitas-930285191/
