Intro on web security with Helmet.js

"Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!", say the developers. It is a middleware (software that sits between the server and your request handlers) that sets HTTP response headers and also offers security modules for Express (Node.js framework) applications.

According to stackshare.io, Express.js is used in the applications of more than 1900 companies around the world, including Twitter, Accenture, BlaBlaCar and others. Helmet can also be used with other frameworks.

This documentation is based on (and can help you follow) the Information Security with HelmetJS course on FreeCodeCamp.

Installing

Run npm install helmet and, in your Express application (app.js), add:

const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet());

It is all about headers. Run curl -v <URL> in a terminal to read the response headers and confirm that Helmet.js is working.

Usage

In app.js, app.use(helmet()); includes all of the manual configurations listed below at once:

  • app.use(helmet.hidePoweredBy()); removes the X-Powered-By header;
  • app.use(helmet.frameguard({action: 'deny'})); makes browsers refuse to display your application inside <frame> or <iframe> HTML tags. This helps against clickjacking attacks;
  • app.use(helmet.xssFilter()); enables the browser's built-in filter against (reflected) Cross-Site Scripting (XSS) attacks; it does not sanitize input on the server;
  • app.use(helmet.noSniff()); tells the browser not to use MIME sniffing and to treat the file as the Content-Type header says.

    MIME sniffing is a technique browsers use to guess a file's type by reading some of its bytes. This can create vulnerabilities.

  • app.use(helmet.ieNoOpen()); prevents Internet Explorer from opening and executing untrusted downloaded HTML files in the context of your site.
  • app.use(helmet.hsts({maxAge: ninetyDaysInSeconds, force: true})); configures HTTP Strict Transport Security (HSTS), that is, HTTPS only, so browsers avoid insecure HTTP requests.

    You will also need to define a variable holding 90 days in seconds, ninetyDaysInSeconds = 90*24*60*60, which is how long browsers remember to use HTTPS only for your site.

  • app.use(helmet.dnsPrefetchControl()); disables browser DNS prefetching.

    To make navigation faster, DNS prefetching resolves domain names before the user clicks a link. However, it can leak user data if a malicious link ends up on a page your application serves: the browser resolves the attacker's domain even if the user never clicks it. The attack consists of planting such a malicious link.
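The list above is easier to reason about when you can see the headers each middleware produces and check a response against them. The following is an added example, not Helmet's own code: a stand-in for the Express middleware chain that sets the same headers (names and values as Helmet sends them, with the ninetyDaysInSeconds value from the HSTS item), plus an audit function that does on a header object what you would otherwise do by eye on curl -v output. The response object and runChain helper are local stand-ins so the example runs offline without Express; in a real app you keep app.use(helmet()). Note that xssFilter only sets the X-XSS-Protection header, which current browsers ignore, so it is left out of the audit and input validation remains the application's job.

```javascript
// Added example, not Helmet's own code: a stand-in for the Express middleware chain
// that sets the response headers the list above describes, plus an audit that
// reports which of them a response is missing or sets weakly.

const NINETY_DAYS_IN_SECONDS = 90 * 24 * 60 * 60; // 7776000, the HSTS maxAge used above

// Minimal stand-in for a Node/Express response: just the header methods we need.
// Like Node, it treats header names case-insensitively and returns them lowercased.
function createResponse() {
  const headers = new Map();
  return {
    setHeader(name, value) { headers.set(name.toLowerCase(), String(value)); },
    removeHeader(name) { headers.delete(name.toLowerCase()); },
    getHeaders() { return Object.fromEntries(headers); },
  };
}

// One function per helmet.* middleware from the list above, each setting the
// header that middleware is responsible for.
const hidePoweredBy = () => (req, res, next) => { res.removeHeader("X-Powered-By"); next(); };
const frameguard = ({ action = "sameorigin" } = {}) => (req, res, next) => {
  res.setHeader("X-Frame-Options", action.toUpperCase()); next();
};
const xssFilter = () => (req, res, next) => { res.setHeader("X-XSS-Protection", "1; mode=block"); next(); };
const noSniff = () => (req, res, next) => { res.setHeader("X-Content-Type-Options", "nosniff"); next(); };
const ieNoOpen = () => (req, res, next) => { res.setHeader("X-Download-Options", "noopen"); next(); };
const hsts = ({ maxAge }) => (req, res, next) => {
  res.setHeader("Strict-Transport-Security", `max-age=${maxAge}; includeSubDomains`); next();
};
const dnsPrefetchControl = () => (req, res, next) => { res.setHeader("X-DNS-Prefetch-Control", "off"); next(); };

// Runs middlewares the way Express does: each one calls next() to hand over.
function runChain(middlewares, req, res) {
  let i = 0;
  const next = () => { if (i < middlewares.length) middlewares[i++](req, res, next); };
  next();
  return res;
}

// Response headers after the default-on set, starting from what bare Express sends.
function secureResponseHeaders() {
  const res = createResponse();
  res.setHeader("X-Powered-By", "Express"); // Express adds this unless it is removed
  runChain([
    hidePoweredBy(), frameguard({ action: "deny" }), xssFilter(), noSniff(),
    ieNoOpen(), hsts({ maxAge: NINETY_DAYS_IN_SECONDS }), dnsPrefetchControl(),
  ], {}, res);
  return res.getHeaders();
}

// What an acceptable value looks like for each header worth checking.
// X-XSS-Protection is deliberately absent: modern browsers ignore it.
const EXPECTED = {
  "x-frame-options": (v) => ["DENY", "SAMEORIGIN"].includes(v.toUpperCase()),
  "x-content-type-options": (v) => v.toLowerCase() === "nosniff",
  "x-download-options": (v) => v.toLowerCase() === "noopen",
  "x-dns-prefetch-control": (v) => v.toLowerCase() === "off",
  "strict-transport-security": (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= NINETY_DAYS_IN_SECONDS;
  },
};

// Takes a header object with lowercase names (as Node's getHeaders() returns)
// and lists the problems found; an empty list means the response passes.
function auditHeaders(headers) {
  const findings = [];
  if ("x-powered-by" in headers) findings.push("x-powered-by present: reveals the framework");
  for (const [name, acceptable] of Object.entries(EXPECTED)) {
    if (!(name in headers)) findings.push(`${name} missing`);
    else if (!acceptable(headers[name])) findings.push(`${name} weak: ${headers[name]}`);
  }
  return findings;
}

// Demo when run directly: a hardened response, then an audit of a constructed bare one.
console.log(secureResponseHeaders());
console.log(auditHeaders({ "x-powered-by": "Express", "x-frame-options": "ALLOWALL" }));
```

To audit a real deployment, paste the header lines from curl -v into an object with lowercase names and pass it to auditHeaders; a finding of "strict-transport-security weak" usually means a max-age shorter than the 90 days used here.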

Not included in app.use(helmet());:

  • app.use(helmet.noCache()); prevents your users from using cached versions of your application. This can be useful right after you push a security update.

  • Content Security Policy:

app.use(helmet.contentSecurityPolicy({
	directives:{
		scriptSrc: ["'self'"],
		styleSrc: ["'self'"]
	}
}))

scriptSrc and styleSrc set to "'self'" restrict the execution of scripts and stylesheets to those originating from the same origin as the page itself. These directives help mitigate Cross-Site Scripting (XSS) and file injection attacks.
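To see what the directives object above actually sends, and to catch policies that look strict but are not, here is an added example (not Helmet's own code) that turns a camelCase directives object into the Content-Security-Policy header value the browser receives, parses one back, and flags source expressions that undo the protection 'self' is meant to give. The WEAK_SOURCES list and the audit rules are this example's own choices; current Helmet versions also add a default-src 'self' baseline to the directives you pass, which the audit below treats as the fallback for anything you did not list.

```javascript
// Added example, not Helmet's own code: serialise, parse and audit a CSP header.

// camelCase key -> directive name: scriptSrc -> script-src, defaultSrc -> default-src
function directiveName(camelKey) {
  return camelKey.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Produces the exact header value the browser receives for a directives object.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([key, sources]) => [directiveName(key), ...sources].join(" "))
    .join("; ");
}

// Parses a header value back into { "script-src": ["'self'"], ... }.
function parseCsp(headerValue) {
  const policy = {};
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Source expressions that let inline or arbitrary remote code run even when
// 'self' is present; in script-src or style-src they defeat the policy's purpose.
const WEAK_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"]);

// Returns a list of findings for a header value; an empty list means nothing to report.
function auditCsp(headerValue) {
  const policy = parseCsp(headerValue);
  const findings = [];
  if (!("default-src" in policy)) {
    findings.push("default-src missing: fetch directives you did not list (img-src, connect-src, ...) are unrestricted");
  }
  for (const directive of ["script-src", "style-src"]) {
    // A directive that is not listed falls back to default-src, as browsers do.
    const sources = policy[directive] || policy["default-src"];
    if (!sources) {
      findings.push(`${directive} missing and no default-src fallback`);
      continue;
    }
    for (const src of sources) {
      if (WEAK_SOURCES.has(src.toLowerCase())) findings.push(`${directive} allows ${src}`);
    }
  }
  return findings;
}

// The policy from the snippet above, as the browser would receive it.
const PAGE_POLICY = serializeCsp({ scriptSrc: ["'self'"], styleSrc: ["'self'"] });
console.log(PAGE_POLICY);            // script-src 'self'; style-src 'self'
console.log(auditCsp(PAGE_POLICY));  // reports only the missing default-src
```

Run against the page's own policy, the audit reports just one thing: without default-src, images, fonts and XHR/fetch targets are still unrestricted. Adding defaultSrc: ["'self'"] to the directives object clears that finding while keeping scripts and styles same-origin.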

Test repository: https://replit.com/@GuilhermePetry/boilerplate-infosec

Contributors: Guilherme M. Petry