Helmet Security Middleware
helmetjs.github.io
About this website
Helmet is security middleware for Node.js and Express applications that sets HTTP response headers to mitigate common web vulnerabilities. Created by Evan Hahn and maintained with over nine thousand stars on GitHub, Helmet applies a baseline set of headers (thirteen in current releases) with a single line of code, app.use(helmet()), and needs no configuration for that baseline. The headers it manages include Content-Security-Policy to restrict where scripts, styles and other resources may load from and so limit cross-site scripting and data injection; Strict-Transport-Security to make browsers use HTTPS on later visits; X-Frame-Options to block clickjacking through iframe embedding; X-Content-Type-Options to stop MIME type sniffing; Referrer-Policy to limit referrer leakage; and the Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy headers that isolate the browsing context. Cross-Origin-Embedder-Policy is also supported, but because it breaks pages that embed cross-origin resources lacking CORP or CORS headers it is switched off by default in recent releases and must be opted into. Each header can be individually enabled, disabled by passing false for its option, or configured with custom directives, giving granular control over the resulting security posture. Helmet is Express-style (req, res, next) middleware: it plugs into Express through the usual app.use pattern, works unchanged in frameworks that accept Express-style middleware such as Polka, can be called directly as a function inside a raw Node.js http server, and has community adapters for Fastify (@fastify/helmet) and Koa (koa-helmet). The Content-Security-Policy configuration accepts allowed sources for scripts, styles, images, fonts, connections, frames and media; a directive value may be a static source string or a per-request function of (req, res), which is how nonce-based allowlisting of inline scripts is done, while hash-based allowlisting uses a static 'sha256-' source computed over the exact inline content.