What is Helmet.js and why should you use it?
Why Interviewers Ask This
This tests whether you can apply Node.js knowledge to real-world scenarios. Interviewers are looking for clarity of thought and evidence that you've encountered this in production code.
Answer
Helmet.js is a collection of Express middleware that sets HTTP response security headers to protect an application from common web vulnerabilities. Adding app.use(helmet()) to an Express app enables the defaults, which set or configure these headers: Content-Security-Policy (mitigates XSS by restricting which resources the browser may load and execute), X-Frame-Options (mitigates clickjacking by blocking cross-origin iframe embedding), Strict-Transport-Security (tells browsers to use HTTPS only), X-Content-Type-Options: nosniff (prevents MIME type sniffing), X-XSS-Protection (set to 0, which disables the legacy browser XSS filter that caused problems of its own), and Referrer-Policy (controls what referrer information is sent). It also removes the X-Powered-By: Express header so the technology stack is not advertised.

Each header's middleware can be configured individually or disabled, for example helmet({ contentSecurityPolicy: false }).

Helmet is not a silver bullet: it reduces the attack surface but does not replace proper input validation, parameterized queries, and authentication. It is a first-line defense that belongs in every production Express application.
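To make the answer concrete, here is an added example that is not Helmet's source or API: an Express-style middleware whose header set is modelled on Helmet's defaults, together with an audit function that checks a response's headers for the properties listed above (the check a reviewer would run against a live app to confirm the headers actually reach the client). The option names (contentSecurityPolicy, hstsMaxAge), the reduced CSP directive list, and the fake response object are assumptions constructed for this demo; only the header names and values follow what Helmet emits by default.

```javascript
// Added example (not Helmet's own source): a small Express-style middleware
// whose header set is modelled on Helmet's defaults, plus an audit function
// that checks a response's headers for the same properties. The option
// names, the reduced CSP and the fake response are assumptions for the demo.

// Reduced CSP modelled on Helmet's default policy (assumption: this subset is
// enough to show the mechanism; Helmet's real default has more directives).
const DEFAULT_CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'frame-ancestors': ["'self'"],
  'upgrade-insecure-requests': [],
};

const HSTS_180_DAYS = 15552000; // seconds; Helmet's default HSTS lifetime

// Serialize a directive map into a Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(' ')}` : name))
    .join('; ');
}

// Factory returning (req, res, next) middleware, mirroring the
// app.use(helmet(options)) shape. Options are assumed, not Helmet's API:
//   contentSecurityPolicy: false            -> omit the CSP header
//   contentSecurityPolicy: { directives }   -> override individual directives
//   hstsMaxAge: <seconds>                   -> HSTS lifetime
function securityHeaders(options = {}) {
  let csp = null;
  if (options.contentSecurityPolicy !== false) {
    const overrides = (options.contentSecurityPolicy && options.contentSecurityPolicy.directives) || {};
    csp = buildCsp({ ...DEFAULT_CSP_DIRECTIVES, ...overrides });
  }
  const hstsMaxAge = options.hstsMaxAge === undefined ? HSTS_180_DAYS : options.hstsMaxAge;
  return function middleware(req, res, next) {
    res.removeHeader('X-Powered-By'); // Express adds this; drop the stack disclosure
    if (csp) res.setHeader('Content-Security-Policy', csp);
    res.setHeader('X-Frame-Options', 'SAMEORIGIN');
    res.setHeader('Strict-Transport-Security', `max-age=${hstsMaxAge}; includeSubDomains`);
    res.setHeader('X-Content-Type-Options', 'nosniff');
    res.setHeader('X-XSS-Protection', '0'); // 0 disables the legacy browser filter
    res.setHeader('Referrer-Policy', 'no-referrer');
    next();
  };
}

// Audit a plain header object (names in any case) and return a list of
// findings; an empty list means the response passes every check below.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];
  for (const name of ['content-security-policy', 'x-frame-options', 'strict-transport-security',
                      'x-content-type-options', 'referrer-policy']) {
    if (!(name in h)) findings.push(`missing ${name}`);
  }
  if ('x-powered-by' in h) findings.push('x-powered-by discloses the server stack');
  if ('x-xss-protection' in h && h['x-xss-protection'].trim() !== '0') {
    findings.push('x-xss-protection enables the legacy XSS filter; set it to 0 or omit it');
  }
  if (h['x-content-type-options'] && h['x-content-type-options'].toLowerCase() !== 'nosniff') {
    findings.push('x-content-type-options is not nosniff');
  }
  const csp = h['content-security-policy'];
  if (csp && /script-src[^;]*'unsafe-inline'/.test(csp)) {
    findings.push("content-security-policy allows 'unsafe-inline' scripts");
  }
  const hsts = h['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < HSTS_180_DAYS) findings.push('strict-transport-security max-age is shorter than 180 days');
  }
  return findings;
}

// Constructed stand-in for Express's res object so the middleware runs offline.
function fakeResponse(initialHeaders = {}) {
  const store = new Map(Object.entries(initialHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  return {
    setHeader(name, value) { store.set(name.toLowerCase(), value); },
    getHeader(name) { return store.get(name.toLowerCase()); },
    removeHeader(name) { store.delete(name.toLowerCase()); },
    getHeaders() { return Object.fromEntries(store); },
  };
}

// Run the middleware with the given options against a bare Express-like
// response (which carries X-Powered-By: Express) and audit the result.
function auditWithOptions(options) {
  const res = fakeResponse({ 'X-Powered-By': 'Express' });
  securityHeaders(options)({}, res, () => {});
  return auditSecurityHeaders(res.getHeaders());
}

console.log('bare Express:', auditSecurityHeaders({ 'X-Powered-By': 'Express' }));
console.log('with defaults:', auditWithOptions({}));
console.log('CSP disabled:', auditWithOptions({ contentSecurityPolicy: false }));
```

In a real application the middleware is mounted with app.use(securityHeaders()) exactly as helmet() is, and auditSecurityHeaders can be pointed at the headers of a live response from an integration test, which catches a route, error handler or reverse proxy that strips the headers after the middleware set them.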
Pro Tip
Before answering, structure your response: one-line definition → real-world analogy → concrete example from a project. This makes even complex Node.js answers easy to follow.