DEV Community

Discussion on: Why do you need Helmet in NodeJs ?

Joe Honton (joehonton)

Only 4 of these are standard HTTP headers.

The Content-Security-Policy and Referrer-Policy are keepers, but if you're serious about them, why not study the possible values they support, and set them explicitly?

The Strict-Transport-Security header is not necessary -- simply firewall port 80 and serve your website on port 443 with a valid TLS certificate.

The Expect-CT header is obsolete as of June 2021

All the rest are non-standard "X-" headers that should be used only when you explicitly need them.

My point is that simply adding a call to helmet() will delay your learning of HTTP.

James (jdrydn)

I came here to literally add this - nice job @joehonton !

It's good that Helmet exposes new developers to these headers, but it's up to each developer to:

  • Research potential impacts of adding specific headers to your responses.
  • Research potential impacts of omitting specific headers from your responses.

Don't just "add helmet & done"!

Siddharth Udeniya (sid__), Author

I think I covered this in the very first two quoted lines of this post ;)! Helmet is not a silver bullet indeed.