🟢 Node.js Intermediate

What is Helmet.js and why should you use it?

Answer

Helmet.js is an Express middleware collection that sets various HTTP security headers to protect your application from common web vulnerabilities. Simply add app.use(helmet()) to your Express app. It sets/configures these headers by default: Content-Security-Policy (prevents XSS by controlling which resources browsers load), X-Frame-Options (prevents clickjacking by disabling iframe embedding), Strict-Transport-Security (forces HTTPS), X-Content-Type-Options: nosniff (prevents MIME type sniffing), X-XSS-Protection (legacy XSS filter), Referrer-Policy (controls referrer information), and removes the X-Powered-By: Express header (hides technology stack). Each middleware can be configured individually or disabled: helmet({ contentSecurityPolicy: false }). Helmet is not a silver bullet — it reduces the attack surface but doesn't replace proper input validation, parameterized queries, and authentication. It's a first-line defense that should be included in every Express production application.