# Helmet

[![npm version](https://badge.fury.io/js/helmet.svg)](http://badge.fury.io/js/helmet)
[![npm dependency status](https://david-dm.org/helmetjs/helmet.svg)](https://david-dm.org/helmetjs/helmet)
[![Build Status](https://travis-ci.org/helmetjs/helmet.svg?branch=master)](https://travis-ci.org/helmetjs/helmet)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet.svg?type=shield)](https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet?ref=badge_shield)

Helmet helps you secure your Express apps by setting various HTTP headers. _It's not a silver bullet_, but it can help!

[Looking for a version of Helmet that supports the Koa framework?](https://github.com/venables/koa-helmet)

## Quick start

First, run `npm install helmet --save` for your app. Then, in an Express (or Connect) app:

```js
const express = require("express");
const helmet = require("helmet");

const app = express();

app.use(helmet());

// ...
```

It's best to `use` Helmet early in your middleware stack so that its headers are sure to be set.

You can also use its pieces individually:

```js
app.use(helmet.xssFilter());
app.use(helmet.frameguard());
```

You can disable a middleware that's normally enabled by default. This will disable `frameguard` but include the other defaults.

```js
app.use(
  helmet({
    frameguard: false,
  })
);
```

You can also set options for a middleware. Setting options like this will _always_ include the middleware, whether or not it's a default.

```js
app.use(
  helmet({
    frameguard: {
      action: "deny",
    },
  })
);
```

_If you're using Express 3, make sure these middlewares are listed before `app.router`._

## How it works

Helmet is a collection of 11 smaller middleware functions that set HTTP response headers. Running `app.use(helmet())` will not include all of these middleware functions by default.

| Module                                                                                                        | Default? |
| ------------------------------------------------------------------------------------------------------------- | -------- |
| [contentSecurityPolicy](https://helmetjs.github.io/docs/csp/) for setting Content Security Policy             |          |
| [crossdomain](https://helmetjs.github.io/docs/crossdomain/) for handling Adobe products' crossdomain requests |          |
| [dnsPrefetchControl](https://helmetjs.github.io/docs/dns-prefetch-control) controls browser DNS prefetching   | ✓        |
| [expectCt](https://helmetjs.github.io/docs/expect-ct/) for handling Certificate Transparency                  |          |
| [frameguard](https://helmetjs.github.io/docs/frameguard/) to prevent clickjacking                             | ✓        |
| [hidePoweredBy](https://helmetjs.github.io/docs/hide-powered-by) to remove the X-Powered-By header            | ✓        |
| [hsts](https://helmetjs.github.io/docs/hsts/) for HTTP Strict Transport Security                              | ✓        |
| [ieNoOpen](https://helmetjs.github.io/docs/ienoopen) sets X-Download-Options for IE8+                         | ✓        |
| [noSniff](https://helmetjs.github.io/docs/dont-sniff-mimetype) to keep clients from sniffing the MIME type    | ✓        |
| [referrerPolicy](https://helmetjs.github.io/docs/referrer-policy) to hide the Referer header                  |          |
| [xssFilter](https://helmetjs.github.io/docs/xss-filter) adds some small XSS protections                       | ✓        |

You can see more in [the documentation](https://helmetjs.github.io/docs/).