Introduction
When developing web applications with Node.js, ensuring security is paramount. A great way to bolster the security of your Express applications is by implementing the helmet middleware.
Helmet helps secure your app by setting various HTTP headers, mitigating common web vulnerabilities such as cross-site scripting (XSS), clickjacking, and other attacks.
Installing Helmet
To use Helmet in your Node.js application, first install it using npm:
npm install helmet
Then, integrate it into your Express application like this:
const express = require("express");
const helmet = require("helmet");

const app = express();

// Use Helmet middleware
app.use(helmet());

app.get("/", (req, res) => {
  res.send("Hello, world!");
});

app.listen(3000, () => {
  console.log("Server running on port 3000");
});
By default, Helmet sets multiple security headers to protect your application.
Default Security Headers Set by Helmet
Helmet sets the following headers automatically:
- Content-Security-Policy (CSP): Defines a whitelist of allowed content sources to prevent XSS attacks.
- Cross-Origin-Opener-Policy (COOP): Helps isolate the page’s process.
- Cross-Origin-Resource-Policy (CORP): Prevents other origins from loading resources.
- Origin-Agent-Cluster: Enables origin-based process isolation.
- Referrer-Policy: Controls the Referer header sent with requests.
- Strict-Transport-Security (HSTS): Enforces HTTPS connections.
- X-Content-Type-Options: Prevents browsers from MIME-type sniffing.
- X-DNS-Prefetch-Control: Disables DNS prefetching.
- X-Download-Options: Tells Internet Explorer not to open downloaded files directly in the site's context.
- X-Frame-Options: Protects against clickjacking attacks.
- X-Permitted-Cross-Domain-Policies: Restricts cross-domain behavior for Adobe products.
- X-Powered-By: Removed to prevent attackers from identifying the technology used.
- X-XSS-Protection: Disabled, as it is outdated and can introduce vulnerabilities.
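A quick way to confirm that a deployment actually sends this set is to audit the response headers. The following is an added example, not code from the original post or from the Helmet project: it uses only Node built-ins, compares header names case-insensitively, and runs against two constructed header objects (a bare Express response and one approximating Helmet's defaults). The `auditUrl` helper at the end is an assumption about how you would apply it to a live service with Node 18+'s global `fetch`.

```javascript
// Added example (not from the original post): audit response headers against
// the headers Helmet sets by default, plus the two it removes or disables.

// The eleven headers the post lists as set by default, lowercased for comparison.
const HELMET_DEFAULT_HEADERS = [
  "content-security-policy",
  "cross-origin-opener-policy",
  "cross-origin-resource-policy",
  "origin-agent-cluster",
  "referrer-policy",
  "strict-transport-security",
  "x-content-type-options",
  "x-dns-prefetch-control",
  "x-download-options",
  "x-frame-options",
  "x-permitted-cross-domain-policies",
];

// Accept either a plain object (http.IncomingMessage.headers) or a fetch
// Headers instance, and return lowercase-keyed string values.
function normalizeHeaders(rawHeaders) {
  const entries =
    typeof rawHeaders.entries === "function" ? [...rawHeaders.entries()] : Object.entries(rawHeaders);
  const out = {};
  for (const [name, value] of entries) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(", ") : String(value);
  }
  return out;
}

// Returns { missing, findings, ok }. "missing" lists default headers that are
// absent; "findings" lists headers that are present but leak or weaken.
function auditSecurityHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const missing = HELMET_DEFAULT_HEADERS.filter((name) => !(name in h));
  const findings = [];
  if ("x-powered-by" in h) {
    findings.push(`x-powered-by reveals the stack: ${h["x-powered-by"]}`);
  }
  if ("x-xss-protection" in h && h["x-xss-protection"].trim() !== "0") {
    findings.push("x-xss-protection is enabled; it is outdated and should be '0' or absent");
  }
  if ("x-content-type-options" in h && h["x-content-type-options"].toLowerCase() !== "nosniff") {
    findings.push(`x-content-type-options should be 'nosniff', got '${h["x-content-type-options"]}'`);
  }
  return { missing, findings, ok: missing.length === 0 && findings.length === 0 };
}

// Constructed sample: what a bare Express app returns for GET /.
const BARE_EXPRESS_RESPONSE = {
  "X-Powered-By": "Express",
  "Content-Type": "text/html; charset=utf-8",
  "Content-Length": "13",
};

// Constructed sample approximating a response from an app using helmet().
const HELMET_RESPONSE = {
  "Content-Security-Policy": "default-src 'self'",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Resource-Policy": "same-origin",
  "Origin-Agent-Cluster": "?1",
  "Referrer-Policy": "no-referrer",
  "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-DNS-Prefetch-Control": "off",
  "X-Download-Options": "noopen",
  "X-Frame-Options": "SAMEORIGIN",
  "X-Permitted-Cross-Domain-Policies": "none",
  "X-XSS-Protection": "0",
  "Content-Type": "text/html; charset=utf-8",
};

// Assumed helper for a live check (Node 18+ global fetch); not run here.
async function auditUrl(url) {
  const res = await fetch(url, { method: "HEAD", redirect: "manual" });
  return auditSecurityHeaders(res.headers);
}

console.log(auditSecurityHeaders(BARE_EXPRESS_RESPONSE));
console.log(auditSecurityHeaders(HELMET_RESPONSE));

module.exports = { auditSecurityHeaders, BARE_EXPRESS_RESPONSE, HELMET_RESPONSE, auditUrl };
```

Run it as a post-deployment smoke test: a reverse proxy or CDN in front of the app may strip or overwrite headers, so auditing what the browser actually receives catches gaps that a unit test of the Express app alone would miss.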
Configuring Helmet Security Headers
Each header can be customized based on your security requirements. Below are some examples of how to configure them.
1. Configuring Content Security Policy (CSP)
CSP helps prevent cross-site scripting (XSS) by specifying allowed sources for scripts, styles, images, etc.
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        "default-src": ["'self'"],
        "script-src": ["'self'", "example.com"],
        "style-src": ["'self'", "fonts.googleapis.com"],
        "img-src": ["'self'", "data:"],
      },
    },
  })
);
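It helps to see the header value this directives object turns into, and to lint it before shipping. The block below is an added example (not code from the post or from Helmet): it serializes a Helmet-style directives object into the Content-Security-Policy string a browser receives, then flags source expressions that undermine the policy. The directive names and sources are the ones from the snippet above; the weak policy used for comparison is constructed.

```javascript
// Added example (not from the original post): serialize a Helmet-style CSP
// directives object and lint it for source expressions that weaken it.

// { "script-src": ["'self'", "example.com"] } -> "script-src 'self' example.com".
// A directive with no sources (e.g. upgrade-insecure-requests) is emitted bare.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(" ")}` : name))
    .join("; ");
}

// Directives whose sources govern script execution and so matter most for XSS.
const SCRIPT_DIRECTIVES = new Set(["default-src", "script-src", "script-src-elem", "script-src-attr"]);

// Return a list of findings; an empty list means nothing risky was found.
function lintCsp(directives) {
  const findings = [];
  if (!directives["default-src"]) {
    findings.push("no default-src: any fetch directive you do not set is unrestricted");
  }
  for (const [name, sources] of Object.entries(directives)) {
    for (const src of sources) {
      if (src === "*" || src === "http:" || src === "https:") {
        findings.push(`${name}: '${src}' permits any host`);
      }
      if (SCRIPT_DIRECTIVES.has(name)) {
        if (src === "'unsafe-inline'") {
          findings.push(`${name}: 'unsafe-inline' lets injected inline <script> run`);
        } else if (src === "'unsafe-eval'") {
          findings.push(`${name}: 'unsafe-eval' allows eval() and new Function()`);
        } else if (src === "data:") {
          findings.push(`${name}: 'data:' allows scripts from data: URLs`);
        }
      }
    }
  }
  return findings;
}

// The directives from the configuration above.
const PAGE_DIRECTIVES = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "example.com"],
  "style-src": ["'self'", "fonts.googleapis.com"],
  "img-src": ["'self'", "data:"],
};

// Constructed weak policy for comparison.
const WEAK_DIRECTIVES = {
  "script-src": ["'self'", "'unsafe-inline'", "*"],
};

console.log(buildCsp(PAGE_DIRECTIVES));
console.log(lintCsp(PAGE_DIRECTIVES)); // []
console.log(lintCsp(WEAK_DIRECTIVES));

module.exports = { buildCsp, lintCsp, PAGE_DIRECTIVES, WEAK_DIRECTIVES };
```

Note that `data:` is fine under `img-src`, as in the snippet, but is flagged under script directives because it would let injected markup load a script from a `data:` URL. Also keep in mind that Helmet merges the directives you pass with its own defaults unless you set `useDefaults: false`, so the header it emits may contain more directives than this serializer shows for the same object.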
2. Enforcing HTTPS with Strict Transport Security (HSTS)
HSTS forces browsers to use HTTPS instead of HTTP:
app.use(
  helmet.hsts({
    maxAge: 31536000, // 1 year
    includeSubDomains: true,
    preload: true,
  })
);
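Because `preload: true` signals an intent to submit the domain to the browser preload list, it is worth checking the emitted value against that list's requirements. The following is an added example, not code from the post or from Helmet: it builds the Strict-Transport-Security value from the same three options, parses a header value back (including RFC 6797 quoted `max-age`), and reports what would block a preload submission. The one-year minimum, `includeSubDomains` and `preload` are the published preload requirements; the sample values are constructed.

```javascript
// Added example (not from the original post): build, parse and check
// Strict-Transport-Security values.

// Build the header value from the same options used above.
function buildHsts({ maxAge, includeSubDomains = false, preload = false }) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError("maxAge must be a non-negative integer number of seconds");
  }
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push("includeSubDomains");
  if (preload) parts.push("preload");
  return parts.join("; ");
}

// Parse a received header value. Directive names are case-insensitive and
// max-age may be a quoted-string, so both forms are accepted.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const token = raw.trim();
    if (!token) continue;
    const eq = token.indexOf("=");
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? "" : token.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (name === "max-age") result.maxAge = /^\d+$/.test(val) ? Number(val) : NaN;
    else if (name === "includesubdomains") result.includeSubDomains = true;
    else if (name === "preload") result.preload = true;
  }
  return result;
}

const ONE_YEAR = 31536000; // the preload list's minimum max-age

// Return the reasons a value would be rejected for preloading; empty means eligible.
function preloadProblems(value) {
  const p = parseHsts(value);
  const problems = [];
  if (p.maxAge === null || Number.isNaN(p.maxAge)) {
    problems.push("missing or malformed max-age");
  } else if (p.maxAge < ONE_YEAR) {
    problems.push(`max-age ${p.maxAge} is below the one-year minimum of ${ONE_YEAR}`);
  }
  if (!p.includeSubDomains) problems.push("includeSubDomains is required");
  if (!p.preload) problems.push("preload token is required");
  return problems;
}

// Constructed sample values.
const PAGE_HSTS = buildHsts({ maxAge: 31536000, includeSubDomains: true, preload: true });
const SHORT_HSTS = "max-age=15552000; includeSubDomains";

console.log(PAGE_HSTS);
console.log(preloadProblems(PAGE_HSTS)); // []
console.log(preloadProblems(SHORT_HSTS));

module.exports = { buildHsts, parseHsts, preloadProblems, PAGE_HSTS, SHORT_HSTS, ONE_YEAR };
```

Two caveats a practitioner would want alongside this: browsers only honour Strict-Transport-Security on responses received over HTTPS, so the header does nothing for a plain-HTTP deployment, and because `includeSubDomains` plus preloading pins every subdomain to HTTPS for at least a year, confirm that all of them actually serve TLS before enabling it.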
3. Preventing Clickjacking with X-Frame-Options
To prevent clickjacking attacks, set X-Frame-Options to DENY:
app.use(
  helmet.frameguard({
    action: "deny",
  })
);
4. Controlling Referrer Policy
Limit the information sent in the Referer header:
app.use(
  helmet.referrerPolicy({
    policy: "no-referrer",
  })
);
5. Disabling X-Powered-By Header
By default, Express includes an X-Powered-By header revealing that the app is running on Express. This can be disabled:
app.use(helmet.hidePoweredBy());
6. Enabling X-Content-Type-Options
Prevent MIME-type sniffing to avoid security risks:
app.use(helmet.noSniff());
7. Configuring DNS Prefetch Control
Disable DNS prefetching to reduce potential leaks:
app.use(
  helmet.dnsPrefetchControl({
    allow: false,
  })
);
8. Configuring Cross-Origin Resource Policy
Restrict loading of resources from other domains:
app.use(
  helmet.crossOriginResourcePolicy({
    policy: "same-origin",
  })
);
In this way you can turn off headers you do not want and tune the security headers your application needs.
Disabling Specific Helmet Middleware
If you need to disable certain Helmet headers, you can do so explicitly:
app.use(
  helmet({
    contentSecurityPolicy: false, // Disable CSP
    frameguard: false, // Disable X-Frame-Options
  })
);
Conclusion
Helmet serves as a crucial middleware for enhancing the security of your Node.js application. By appropriately setting its headers, you can safeguard your application against prevalent web threats like XSS, clickjacking, and information leaks. Although Helmet comes with sensible defaults, tailoring the headers to fit your application's specific requirements can lead to improved security.
Start using Helmet today to enhance your application's security and make the web a safer place!
You can refer to our blog on secure programming and best practices for Node.js applications here.
For consultancy on your application, drop us a mail here: [email protected]
Securing Your Node.js Application with Helmet