helmet

1. CSRF Protection

const helmet = require('helmet');
app.use(helmet.csurf());

2. HTTP Headers Defense

const helmet = require('helmet');
app.use(helmet.contentSecurityPolicy());

3. XSS Filter

const helmet = require('helmet');
app.use(helmet.xssFilter());

4. MIME Sniffing Defense

const helmet = require('helmet');
app.use(helmet.noSniff());

5. HSTS Header

const helmet = require('helmet');
app.use(helmet.hsts({
  maxAge: 1008000000, // 11 years in seconds
}));

6. XSS Protection with Cookies

const helmet = require('helmet');
const { CookieOptions } = require('cookies');
const cookies = new CookieOptions();
app.use(helmet.xssFilter({
  cookies: cookies,
}));

7. Frameguard

const helmet = require('helmet');
app.use(helmet.frameguard('deny'));

8. Don't Sniff Mime Type Header

const helmet = require('helmet');
app.use(helmet.dnsPrefetchControl());

9. Protect Against Mime Type Sniffing

const helmet = require('helmet');
app.use(helmet.referrerPolicy({ policy: 'same-origin' }));

10. IE NoOpen

const helmet = require('helmet');
app.use(helmet.ieNoOpen());

11. Hide X-Powered-By Header

const helmet = require('helmet');
app.use(helmet.hidePoweredBy());

12. XSS Cross-Domain Policy

const helmet = require('helmet');
app.use(helmet.crossOriginEmbedderPolicy());

13. Deny Access from Given Patterns

const helmet = require('helmet');
app.use(helmet.csp({
  directives: {
    'default-src': ["'self'"],
    'script-src': ["'self'", "'unsafe-inline'"],
    'style-src': ["'self'", "'unsafe-inline'"],
  }
}));

14. Basic CSP with Font and Script Sources

const helmet = require('helmet');
app.use(helmet.csp({
  reportOnly: true
}));

15. CSP with Multiple Sources

const helmet = require('helmet');
app.use(helmet.csp({
  directives: {
    'default-src': ["'self'", 'https://example.example.example/'],
    'style-src': ["'self'", 'https://example.example.example/'],
    'script-src': ["'self'", 'https://example.example.example/'],
    'img-src': ['*', 'data:']
  }
}));

16. CSP with Nonce

const helmet = require('helmet');
const nonce = crypto.randomBytes(32).toString('base64');
app.use(helmet.csp({
  directives: {
    'default-src': ["'self'"],
    'script-src': ["'self'", `'nonce-${nonce}'`],
    'style-src': ["'self'", `'nonce-${nonce}'`],
  }
}));

17. CSP with Hash

const helmet = require('helmet');
const { createHash } = require('crypto');
const hash = createHash('sha256').update('script.js').digest('base64');
app.use(helmet.csp({
  directives: {
    'default-src': ["'self'"],
    'script-src': ["'self'", `'sha256-${hash}'`],
    'style-src': ["'self'", `'sha256-${hash}'`],
  }
}));

18. CSP with Script Enforcement

const helmet = require('helmet');
app.use(helmet.csp({
  directives: {
    'default-src': ["'self'", 'https://example.example.example/'],
    'script-src': ["'self'", 'https://example.example.example/'],
    'script-src-attr': ['unsafe-inline']
  }
}));

19. CSP with Mixed Content

const helmet = require('helmet');
app.use(helmet.contentSecurityPolicy({
  directives: {
    'default-src': ['http:', 'https:'],
    'script-src': ['unsafe-inline']
  },
  useDefaults: false
}));

20. CSP with Form Action Restriction

const helmet = require('helmet');
app.use(helmet.contentSecurityPolicy({
  directives: {
    'default-src': ["'self'"],
    'form-action': ['https://example.example.example/']
  }
}));

21. CSP with Source Map

const helmet = require('helmet');
const csp = helmet.csp({
  directives: {
    'default-src': ['https:'],
    'script-src': ["'self'"],
    'script-src-elem': ["'self'"],
  },
  reportOnly: false
});
app.use(csp.useDefaults({
  contentSecurityPolicy: {
    directives: {
      'script-src': ["'self'", 'https://example.example.example/'],
      'report-uri': ['https://example.example.example/cspreport']
    }
  }
}));

22. CSP with Dynamic Policy

const helmet = require('helmet');
app.use(helmet.csp({
  directives: {
    'default-src': ["'self'"],
    'script-src': ["'self'"],
    'style-src': ["'self'"],
    'font-src': ["'self'"],
    'img-src': ["'self'"],
    'connect-src': ["'self'"],
    'media-src': ["'self'"]
  }
}));

23. CSP with Custom Report URI

const helmet = require('helmet');
app.use(helmet.csp({
  reportOnly: true,
  reportUri: 'https://example.example.example/cspreport'
}));

24. CSP with Trusted Types

const helmet = require('helmet');
app.use(helmet.csp({
  directives: {
    'trusted-types': ['example.example.example']
  }
}));

25. Custom Helmet Middleware

const helmet = require('helmet');
const helmetCustom = helmet.contentSecurityPolicy({
  directives: {
    'default-src': ["'self'"]
  }
});
app.use(helmetCustom);

Previousgulp Nextjest