Security header middleware collection for Express/Connect

npm install helmet



Helmet is a series of middlewares for Express/Connect apps that implement various security headers to make your app more secure. It's not a silver bullet, but it can help!

Helmet includes the following middlewares:

  • csp (Content Security Policy)
  • hsts (HTTP Strict Transport Security)
  • xframe (X-Frame-Options)
  • iexss (X-XSS-Protection for IE8+)
  • ienoopen (X-Download-Options for IE8+)
  • contentTypeOptions (X-Content-Type-Options)
  • cacheControl (Cache-Control)
  • hidePoweredBy (remove X-Powered-By)



Basic usage

To use a particular middleware application-wide, just use it:

var express = require('express')
var helmet = require('helmet')
var app = express() // or connect

// mount one of Helmet's middlewares for every request
app.use(helmet.xframe())


If you're using Express 3, make sure these middlewares are listed before app.router.

If you just want to use the default-level policies, all you need to do is:

helmet.defaults(app)

Don't want all the defaults?

helmet.defaults(app, { xframe: false })

Content Security Policy

Setting an appropriate Content Security Policy can protect your users against a variety of attacks (perhaps the largest of which is XSS). To learn more about CSP, check out the HTML5 Rocks guide.

app.use(helmet.csp({
  'default-src': ["'self'", 'default.com'],
  'script-src': ['scripts.com'],
  'style-src': ['style.com'],
  'img-src': ['img.com'],
  'connect-src': ['connect.com'],
  'font-src': ['font.com'],
  'object-src': ['object.com'],
  'media-src': ['media.com'],
  'frame-src': ['frame.com'],
  'sandbox': ['allow-forms', 'allow-scripts'],
  'report-uri': ['/report-violation'],
  reportOnly: false, // set to true if you only want to report violations, not enforce the policy
  setAllHeaders: false, // set to true if you want to set every vendor-prefixed header as well
  safari5: false // set to true if you want to force the buggy CSP implementation in Safari 5
}))

There are a lot of inconsistencies in how browsers implement CSP. Helmet sniffs the browser's user-agent and sets the header name and value appropriate for that browser. If no user-agent is present, it sets all the header variants using the CSP 1.0 spec value.
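As an added example (not Helmet's own source), the following minimal Connect-style middleware shows how a directive object of the shape passed to helmet.csp() above is serialised into a Content-Security-Policy header value, and how reportOnly switches the header name to Content-Security-Policy-Report-Only. It deliberately skips Helmet's user-agent sniffing and emits only the standard header; the request/response objects are constructed stand-ins for Express ones.

```javascript
// Directive names in the order they are emitted (same keys as the helmet.csp() options above).
var DIRECTIVES = [
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'object-src', 'media-src', 'frame-src', 'sandbox', 'report-uri'
]

// Build "default-src 'self' default.com; script-src scripts.com; ..." from the options object.
// Non-directive keys (reportOnly, setAllHeaders, safari5) are ignored here.
function buildCspValue(options) {
  return DIRECTIVES
    .filter(function (name) { return Array.isArray(options[name]) })
    .map(function (name) {
      var sources = options[name]
      // A bare directive such as "sandbox" with no values is still valid CSP.
      return sources.length ? name + ' ' + sources.join(' ') : name
    })
    .join('; ')
}

// reportOnly: true means violations are reported to report-uri but the policy is not enforced.
function cspHeaderName(options) {
  return options.reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
}

// Middleware factory with the same call shape as app.use(helmet.csp({ ... })).
function csp(options) {
  var name = cspHeaderName(options)
  var value = buildCspValue(options)
  return function (req, res, next) {
    res.setHeader(name, value)
    next()
  }
}

// Runs a middleware against constructed req/res stand-ins and returns what it set.
function runMiddleware(middleware) {
  var headers = {}
  var res = { setHeader: function (key, val) { headers[key] = val } }
  var nextCalled = false
  middleware({}, res, function () { nextCalled = true })
  return { headers: headers, nextCalled: nextCalled }
}

var demo = runMiddleware(csp({
  'default-src': ["'self'", 'default.com'],
  'script-src': ['scripts.com'],
  'report-uri': ['/report-violation'],
  reportOnly: true
}))
console.log(demo.headers)
```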

HTTP Strict Transport Security

This middleware adds the Strict-Transport-Security header to the response. See the spec.

To use the default header of Strict-Transport-Security: maxAge=15768000 (about 6 months):

app.use(helmet.hsts())

To adjust other values for maxAge and to include subdomains:

app.use(helmet.hsts(1234567, true))

Note that the max age is in seconds, not milliseconds (the unit JavaScript timers typically use).

X-Frame-Options

X-Frame-Options specifies whether your app can be put in a frame or iframe. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM. If your app does not need to be framed (and most don't) you can use the default DENY.

// These are equivalent:
app.use(helmet.xframe())
app.use(helmet.xframe('deny'))

// Only let me be framed by pages of the same origin:
app.use(helmet.xframe('sameorigin'))

// Allow from a specific host:
app.use(helmet.xframe('allow-from', 'http://example.com'))

Browser Support

  • IE8+
  • Opera 10.50+
  • Safari 4+
  • Chrome
  • Firefox 3.6.9 (or earlier with NoScript)

X-XSS-Protection

The X-XSS-Protection header is a basic protection against XSS.

app.use(helmet.iexss())

This sets the X-XSS-Protection header. On modern browsers, it will set the value to 1; mode=block. On old versions of Internet Explorer, this creates a vulnerability (see here and here), and so the header is set to 0. To force the header on all versions of IE, add the option:

app.use(helmet.iexss({ setOnOldIE: true }))

X-Download-Options for IE8+

Sets the X-Download-Options header to noopen to prevent IE users from executing downloads in your site's context. For more, see this MSDN blog post.

app.use(helmet.ienoopen())

X-Content-Type-Options

The following example sets the X-Content-Type-Options header to its only and default option, nosniff:

app.use(helmet.contentTypeOptions())

Cache-Control

The following example sets the Cache-Control header to no-store, no-cache. This is not configurable at this time.

app.use(helmet.cacheControl())


Hide X-Powered-By

This middleware will remove the X-Powered-By header if it is set.

app.use(helmet.hidePoweredBy())

Note: if you're using Express, you can skip Helmet's middleware if you want:

app.disable('x-powered-by')