NodeJS

Securing Your Node.js Apps With Helmet

Nishant Rupareliya
Nishant RupareliyaOct 18, 2024
Securing Your Node.js Apps With Helmet

Introduction

It appears that we are living in times of challenging in the field of website development, and applying security measures has therefore become a great worry to developers mostly in the course of developing web applications. Speed has made Node.js one of the preferred frameworks among developers for developing applications, but it comes hand in hand with its security issues. As with all other strong frameworks, greedy developers can exploit the features offered by Node.js, making it even more necessary for the developer to protect the application from security risks. The easiest and most effective way to put the security of your Node.js applications is through Helmet.

Prerequisites

  • NodeJS
  • ExpressJS
  • Middleware
Blog Image

While Node.js is a powerful and versatile runtime environment, it presents specific security concerns that need addressing:

  • Cross-Site Scripting (XSS) Attacks: XSS is defined as an attack in which scripts are injected into an application by malicious users in order to attack user data and privacy.
  • HTTP Security Headers: HTTP Security Headers, when set correctly, can prevent attacks such as clickjacking and XSS.
  • Insecure Dependencies: Vulnerabilities abound in the libraries and third-party modules. Proper package management is key.
  • Sensitive Data Exposure: Protect sensitive data including user credentials and API keys in order to prevent the breaches.
  • Brute Force Attacks: Protecting users from those who try to guess their passwords or gain access to restricted resources easily is paramount

The Role of Helmet Middleware

Helmet is a Node.js middleware with very little overhead to help secure your Express.js-based applications by configuring HTTP response headers. These headers will go a long way in protecting your application from certain well-known web vulnerabilities like cross-site scripting (XSS), clickjacking, and so on.

With just a very simple one-liner call, Helmet sets up a whole bunch of security-related headers for you. That is undoubtedly an amazing convenience and makes Helmet a must-have tool in the web security arsenal.

How to Install and Set Up Helmet

To get started with Helmet, follow these simple steps:

Step 1: Install Helmet via npm:

1npm install helmet

npm install helmet

Step 2: Use Helmet in your Express app by adding it to your middleware stack:

1const express = require('express');
2const helmet = require('helmet');
3
4
5const app = express();
6
7
8// Use Helmet to secure the app
9app.use(helmet());
10


With this simple integration, Helmet applies several security headers by default, securing your app right away.

Understanding Helmet's Default Protections

When you use helmet(), it enables several security headers automatically. Let’s break them down:

  1. Content-Security-Policy (CSP):
    1. The browser does not load content from untrusted sources through an XSS attack, which is further helped by defining which sources are allowed
    2. You can also modify the policy as per the requirement of the app.
  2. X-Frame-Options:
    1. Preventing clickjacking by disallowing your site to be framed within an iframe.
    2. Defaults to its value of SAMEORIGIN, which indicates that the page can either be displayed in an iframe from the same origin or not at all.
  3. X-Content-Type-Options:
    1. Prevent MIME-sniffing away from a declared Content-Type.This helps prevent certain kinds of attacks.
  4. X-DNS-Prefetch-Control:
    1. Controls browser DNS prefetching, which reduces some privacy risks.
  5. Strict-Transport-Security (HSTS):
    1. Enforces the use of HTTPs instead of plain HTTP for upcoming requests made at your site.
    2. This ensures all communication remains encrypted.
  6. Expect-CT:
    1. Helps prevent misissued SSL/TLS certificates for your domain.
  7. Referrer-Policy:
    1. The referrer header contain less information about the URL of the page making the request. This helps protect user privacy.
  8. Feature-Policy (Permissions-Policy in newer versions):

a. Restricts the use of browser features (like geolocation, microphone, etc.), reducing the chance of these being exploited.

Customizing Helmet for Your Needs

  • Content-Security-Policy (CSP):CSP mitigates Cross-Site Scripting (XSS) and other code injection attacks by specifying what content can be loaded on the page. Use it to create an allowlist of trusted sources.Example:
1app.use(helmet.contentSecurityPolicy({
2  directives: {
3    defaultSrc: ["'self'"],
4    scriptSrc: ["'self'", "'trusted-scripts.com'"],
5  },
6}));
7

  • Cross-Origin-Opener-Policy (COOP):This header ensures your page is process-isolated by preventing cross-origin access to shared resources.Example:
1app.use(helmet.crossOriginOpenerPolicy({ policy: 'same-origin' }));
  • Cross-Origin-Resource-Policy (CORP):CORP blocks others from accessing your resources unless they are from the same origin, safeguarding your assets from unauthorized cross-origin requests.Example:
1app.use(helmet.crossOriginResourcePolicy({ policy: 'same-origin' }));
  • Origin-Agent-Cluster (OAC):This header provides an additional layer of security by ensuring process isolation based on the origin.Example:
1app.use(helmet.originAgentCluster());

  • Referrer-Policy:This header is responsible for the information sent in the Referer header, thereby ensuring user privacy by decreasing the amount of information shared while the user is navigating.Example:
1app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));
  • Strict-Transport-Security (HSTS):HSTS insures that your application only uses HTTPS for secure communication, thereby preventing downgrade attacks.Example:
1app.use(helmet.hsts({
2  maxAge: 31536000,  // One year
3  includeSubDomains: true,
4  preload: true,
5}));
6

  • X-Content-Type-Options:MIME sniffing done by browsers is avoided with this header, which assures the proper interpretation of content types as they are declared.Example:
1app.use(helmet.noSniff());
2
  • X-DNS-Prefetch-Control:This header allows you to control DNS prefetching, reducing privacy risks.Example:
1app.use(helmet.dnsPrefetchControl({ allow: false }));

  • X-Download-Options:This legacy header is specific to Internet Explorer, ensuring that downloads are always saved rather than executed, which helps prevent certain security risks.Example:
1app.use(helmet.ieNoOpen());
  • X-Frame-Options:Protects against clickjacking by preventing your site from being embedded in an iframe.Example:
1app.use(helmet.frameguard({ action: 'deny' }));
  • X-Permitted-Cross-Domain-Policies:This header controls cross-domain access for Adobe Flash and Acrobat content.Example:
1app.use(helmet.permittedCrossDomainPolicies());
  • X-Powered-By:This header exposes details about your technology stack and can be used in attacks. It's a good practice to remove this header entirely.Example:
1app.use(helmet.hidePoweredBy());
2

  • X-XSS-Protection:While initially used to counteract XSS attacks, this legacy header is now considered futile, being disabled by Helmet by default.

Conclusion

With a host of alternatives for developing web applications, Node.js poses security problems. Helmet takes a broad view of security tightening for Node.js applications by setting appropriate HTTP headers. By following the practical examples and taking a broad approach to security, you can safeguard your Node.js applications against common threats. Make Helmet a central part of your Node.js security strategy, and you’ll be well on your way to building safer, more secure web applications.


© 2026 IGNEK. All rights reserved.

Privacy Policy|
Terms & Conditions|
GDPR Compliance
Ignek on LinkedInIgnek on InstagramIgnek on FacebookIgnek on YouTubeIgnek on X