# helmet

***

**1. CSRF Protection**

```js
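const helmet = require('helmet');
// Helmet only sets response headers; it ships no CSRF middleware (there is no
// `helmet.csurf`). Full CSRF protection is a token bound to the session, which
// comes from a separate package. The check below is a dependency-free baseline
// that rejects state-changing requests a browser reports as coming from
// another site; it complements a token scheme rather than replacing it.
app.use(helmet());

// Origin the browser must report on non-safe requests (constructed placeholder).
const TRUSTED_ORIGIN = 'https://example.example.example';
// Methods that must not change state and therefore need no CSRF check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

/**
 * Express middleware rejecting cross-site state-changing requests.
 *
 * Prefers the Sec-Fetch-Site header when the browser sends it and falls
 * back to an exact Origin comparison. Requests carrying neither header
 * (non-browser clients) pass through, which is why a session-bound token
 * is still required for browser-facing forms.
 *
 * @param {object} req - Express request
 * @param {object} res - Express response
 * @param {Function} next - continues the chain for acceptable requests
 */
function rejectCrossSiteWrites(req, res, next) {
  if (SAFE_METHODS.has(req.method)) return next();

  const fetchSite = req.get('sec-fetch-site');
  if (fetchSite !== undefined) {
    // `same-origin`, `same-site` and `none` (user-initiated navigation) pass.
    // Tighten to `same-origin` only if sibling subdomains are not trusted.
    if (fetchSite === 'cross-site') return res.sendStatus(403);
    return next();
  }

  const origin = req.get('origin');
  if (origin !== undefined && origin !== TRUSTED_ORIGIN) return res.sendStatus(403);
  return next();
}

app.use(rejectCrossSiteWrites);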
```

**2. HTTP Headers Defense**

```js
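const helmet = require('helmet');
// helmet() registers every default header middleware in one call (CSP, HSTS,
// X-Content-Type-Options, X-Frame-Options, Referrer-Policy, ...), which is
// what "HTTP headers defence" means; a lone helmet.contentSecurityPolicy()
// sets only the CSP header. Register it before any route so every response,
// including error responses, carries the headers.
app.use(helmet());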
```

**3. XSS Filter**

```js
const helmet = require('helmet');
// Sets the X-XSS-Protection header. Current helmet releases emit it as "0",
// turning the legacy browser XSS auditor off because the auditor itself
// leaked information; real XSS defence is output encoding plus a CSP.
const xssFilter = helmet.xssFilter();
app.use(xssFilter);
```

**4. MIME Sniffing Defense**

```js
const helmet = require('helmet');
// Emits X-Content-Type-Options: nosniff so browsers honour the declared
// Content-Type instead of guessing one — stops a served upload from being
// reinterpreted as script or HTML.
const noSniff = helmet.noSniff();
app.use(noSniff);
```

**5. HSTS Header**

```js
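const helmet = require('helmet');
// Strict-Transport-Security. maxAge is in seconds: the earlier 1008000000 was
// labelled "11 years" but is roughly 32 years. Two years is the customary
// value and exceeds the preload list's one-year minimum. includeSubDomains is
// helmet's default and is kept explicit here. Add `preload: true` only once
// the whole domain, subdomains included, is permanently HTTPS — preload
// entries are slow to revoke.
app.use(helmet.hsts({
  maxAge: 63072000, // 2 years in seconds
  includeSubDomains: true,
}));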
```

**6. XSS Protection with Cookies**

```js
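const helmet = require('helmet');
// helmet.xssFilter() accepts no `cookies` option and there is no
// `CookieOptions` export to pass it; a response-header middleware cannot
// protect a cookie. What keeps a session cookie out of reach of injected
// script is the cookie's own attributes, set where the cookie is issued.
app.use(helmet.xssFilter());

// httpOnly: not readable from document.cookie; secure: never sent over
// plaintext HTTP; sameSite 'lax': withheld from most cross-site requests.
const SESSION_COOKIE_OPTIONS = Object.freeze({
  httpOnly: true,
  secure: true,
  sameSite: 'lax',
});

/**
 * Issue the session cookie with the hardened attributes.
 * @param {object} res - Express response
 * @param {string} sessionId - opaque, server-generated identifier
 */
function setSessionCookie(res, sessionId) {
  res.cookie('sid', sessionId, SESSION_COOKIE_OPTIONS);
}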
```

**7. Frameguard**

```js
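const helmet = require('helmet');
// frameguard takes an options object, not a bare string: `{ action: 'deny' }`
// emits X-Frame-Options: DENY, which blocks framing from any origin
// (clickjacking defence). The CSP frame-ancestors directive is the modern
// equivalent and is part of helmet's default CSP.
app.use(helmet.frameguard({ action: 'deny' }));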
```

**8. DNS Prefetch Control**

```js
const helmet = require('helmet');
// Emits X-DNS-Prefetch-Control: off so the browser does not resolve host
// names for links before they are clicked — a small privacy gain, unrelated
// to MIME sniffing (that is noSniff).
const dnsPrefetchControl = helmet.dnsPrefetchControl();
app.use(dnsPrefetchControl);
```

**9. Referrer Policy**

```js
const helmet = require('helmet');
// Emits Referrer-Policy: same-origin — the full URL is sent as Referer only
// to this origin, so paths and query strings (which may hold tokens) do not
// leak to third parties. Unrelated to MIME sniffing; that is noSniff.
const referrerPolicy = helmet.referrerPolicy({ policy: 'same-origin' });
app.use(referrerPolicy);
```

**10. IE NoOpen**

```js
const helmet = require('helmet');
// Emits X-Download-Options: noopen, an Internet Explorer 8 era header that
// stops downloads opening in the site's context. Harmless to keep; it does
// nothing for current browsers.
const ieNoOpen = helmet.ieNoOpen();
app.use(ieNoOpen);
```

**11. Hide X-Powered-By Header**

```js
const helmet = require('helmet');
// Removes the X-Powered-By header Express adds by default, so the framework
// is not advertised to scanners. Express's own `app.disable('x-powered-by')`
// has the same effect.
const hidePoweredBy = helmet.hidePoweredBy();
app.use(hidePoweredBy);
```

**12. Cross-Origin Embedder Policy**

```js
const helmet = require('helmet');
// Emits Cross-Origin-Embedder-Policy (require-corp): only cross-origin
// resources that opt in via CORS or Cross-Origin-Resource-Policy may be
// loaded. Needed for cross-origin isolation (SharedArrayBuffer), but it
// breaks third-party images, fonts and scripts that do not opt in — test
// before enabling on an existing site.
const crossOriginEmbedderPolicy = helmet.crossOriginEmbedderPolicy();
app.use(crossOriginEmbedderPolicy);
```

**13. CSP Allowing Inline Scripts and Styles**

```js
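const helmet = require('helmet');
// The middleware is helmet.contentSecurityPolicy, as used elsewhere on this
// page; `helmet.csp` is not the name the useDefaults-era API exports.
app.use(helmet.contentSecurityPolicy({
  directives: {
    'default-src': ["'self'"],
    // 'unsafe-inline' in script-src re-allows every inline script, so any
    // injected <script> runs and the script-src restriction buys almost
    // nothing; sections 16 and 17 show the nonce and hash alternatives.
    'script-src': ["'self'", "'unsafe-inline'"],
    'style-src': ["'self'", "'unsafe-inline'"],
  },
}));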
```

**14. CSP in Report-Only Mode**

```js
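const helmet = require('helmet');
// reportOnly switches the header to Content-Security-Policy-Report-Only:
// helmet's default directives are evaluated but nothing is blocked, which is
// the usual first step when rolling a policy out. Without a reporting
// directive the mode produces nothing to read, so report-uri names the
// collector (constructed placeholder). Uses helmet.contentSecurityPolicy,
// the name the rest of this page relies on, rather than `helmet.csp`.
app.use(helmet.contentSecurityPolicy({
  directives: {
    'report-uri': ['https://example.example.example/cspreport'],
  },
  reportOnly: true,
}));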
```

**15. CSP with Multiple Sources**

```js
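const helmet = require('helmet');
// Host sources allow everything served from that origin, so a trusted CDN
// that also hosts user uploads or a permissive JSONP endpoint widens
// script-src to whatever an attacker can place there; prefer a path prefix
// when the host is shared. Uses helmet.contentSecurityPolicy, consistent
// with the rest of this page, rather than `helmet.csp`.
app.use(helmet.contentSecurityPolicy({
  directives: {
    'default-src': ["'self'", 'https://example.example.example/'],
    'style-src': ["'self'", 'https://example.example.example/'],
    'script-src': ["'self'", 'https://example.example.example/'],
    // '*' permits images from any host, and data: permits inline image
    // payloads; acceptable for images, never for script-src.
    'img-src': ['*', 'data:'],
  },
}));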
```

**16. CSP with Nonce**

```js
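const crypto = require('crypto');
const helmet = require('helmet');
// A nonce must be unpredictable and unique per response. The earlier version
// generated one at process start (and never required `crypto`), so every page
// carried the same value for the life of the process and any injected markup
// that copied it would be allowed to run. 16 random bytes (128 bits) is ample;
// base64 keeps it a valid CSP token.
app.use((req, res, next) => {
  res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
  next();
});

// helmet evaluates function-valued directive entries per response with
// (req, res), so the header carries the nonce templates read from
// res.locals.cspNonce and put on their <script>/<style> tags.
app.use(helmet.contentSecurityPolicy({
  directives: {
    'default-src': ["'self'"],
    'script-src': ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
    'style-src': ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
  },
}));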
```

**17. CSP with Hash**

```js
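const helmet = require('helmet');
const { createHash } = require('crypto');
// A CSP hash source covers the exact bytes of one inline <script> or <style>
// body. The earlier version hashed the file *name* 'script.js', a value that
// can never match inline content, and reused it for style-src where a script
// hash is meaningless. Hash the inline text itself (a constructed example
// here) and recompute whenever that text changes.
const INLINE_SCRIPT = "document.documentElement.classList.add('js');";
const scriptHash = createHash('sha256').update(INLINE_SCRIPT, 'utf8').digest('base64');

app.use(helmet.contentSecurityPolicy({
  directives: {
    'default-src': ["'self'"],
    // 'self' still covers external files; the hash admits only the one inline block.
    'script-src': ["'self'", `'sha256-${scriptHash}'`],
    'style-src': ["'self'"],
  },
}));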
```

**18. CSP with Script Enforcement**

```js
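const helmet = require('helmet');
// CSP keyword sources must carry their single quotes inside the value: the
// earlier unquoted `unsafe-inline` is parsed as a host named "unsafe-inline",
// which matches nothing. script-src-attr governs inline event handlers
// (onclick= and friends); 'none' blocks them, matches helmet's default, and
// is the effective behaviour the broken value already had. Uses
// helmet.contentSecurityPolicy, consistent with the rest of this page.
app.use(helmet.contentSecurityPolicy({
  directives: {
    'default-src': ["'self'", 'https://example.example.example/'],
    'script-src': ["'self'", 'https://example.example.example/'],
    'script-src-attr': ["'none'"],
  },
}));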
```

**19. CSP with Mixed Content**

```js
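const helmet = require('helmet');
// Mixed content is addressed by upgrade-insecure-requests, which makes the
// browser fetch http: subresources over https: instead. The earlier policy
// (default-src http: https:, an unquoted unsafe-inline, defaults disabled)
// allowed any host on the web and did nothing about mixed content. The empty
// array is helmet's form for a directive that takes no value; helmet's
// defaults already include it, so it is stated here for emphasis.
app.use(helmet.contentSecurityPolicy({
  directives: {
    'default-src': ["'self'"],
    'upgrade-insecure-requests': [],
  },
}));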
```

**20. CSP with Form Action Restriction**

```js
const helmet = require('helmet');
// form-action limits where <form> submissions may be sent, closing the
// "inject a form that posts credentials elsewhere" avenue. Listing only the
// external host replaces helmet's default of 'self', so forms that post back
// to this application are blocked unless "'self'" is added to the list.
const formActionPolicy = helmet.contentSecurityPolicy({
  directives: {
    'default-src': ["'self'"],
    'form-action': ['https://example.example.example/'],
  },
});
app.use(formActionPolicy);
```

**21. CSP with Violation Reporting**

```js
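const helmet = require('helmet');
// One contentSecurityPolicy() call carries the whole policy: the middleware
// it returns has no useDefaults method (useDefaults is an option, true
// unless set to false), so the earlier two-layer form could not run.
// Reporting is a directive, not a separate layer — report-uri names the
// collector (constructed placeholder) — and reportOnly: false means
// violations are blocked as well as reported. default-src is narrowed from
// the earlier bare https: (any TLS host) to 'self'.
app.use(helmet.contentSecurityPolicy({
  directives: {
    'default-src': ["'self'"],
    'script-src': ["'self'", 'https://example.example.example/'],
    // script-src-elem applies to <script> elements only, leaving script-src
    // to govern inline handlers; keep the two lists in agreement.
    'script-src-elem': ["'self'", 'https://example.example.example/'],
    'report-uri': ['https://example.example.example/cspreport'],
  },
  reportOnly: false,
}));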
```

**22. CSP Restricting Every Resource Type to Self**

```js
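const helmet = require('helmet');
// Nothing here is dynamic: each fetch directive is pinned to 'self', which
// spells out the fallback default-src already provides and keeps the policy
// explicit when a directive is later loosened. helmet's defaults (object-src
// 'none', frame-ancestors 'self', base-uri 'self', ...) are merged in because
// useDefaults is left on. Uses helmet.contentSecurityPolicy, consistent with
// the rest of this page, rather than `helmet.csp`.
app.use(helmet.contentSecurityPolicy({
  directives: {
    'default-src': ["'self'"],
    'script-src': ["'self'"],
    'style-src': ["'self'"],
    'font-src': ["'self'"],
    'img-src': ["'self'"],
    'connect-src': ["'self'"],
    'media-src': ["'self'"],
  },
}));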
```

**23. CSP with Custom Report URI**

```js
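const helmet = require('helmet');
// The report endpoint is the report-uri directive, not a top-level option:
// `reportUri` is not a documented helmet option and does not reach the
// header. With reportOnly the header is Content-Security-Policy-Report-Only,
// so helmet's default directives are reported on but not enforced. The
// collector URL is a constructed placeholder; treat incoming reports as
// untrusted input when parsing them.
app.use(helmet.contentSecurityPolicy({
  directives: {
    'report-uri': ['https://example.example.example/cspreport'],
  },
  reportOnly: true,
}));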
```

**24. CSP with Trusted Types**

```js
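const helmet = require('helmet');
// Trusted Types is two directives: require-trusted-types-for 'script' turns
// enforcement on (DOM sinks such as innerHTML then accept only policy-created
// values), and trusted-types names the policies a page may create. The
// earlier version set only the policy name, which enforces nothing on its
// own. Uses helmet.contentSecurityPolicy rather than `helmet.csp`.
app.use(helmet.contentSecurityPolicy({
  directives: {
    'require-trusted-types-for': ["'script'"],
    'trusted-types': ['example.example.example'],
  },
}));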
```

**25. Custom Helmet Middleware**

```js
const helmet = require('helmet');
// contentSecurityPolicy() returns an ordinary Express middleware, so it can be
// built once and mounted wherever it is needed. With useDefaults left on, the
// single default-src entry is merged over helmet's default directive set
// rather than replacing it.
const helmetCustom = helmet.contentSecurityPolicy({
  directives: { 'default-src': ["'self'"] },
});
app.use(helmetCustom);
```
