Helmet
Helmet helps you secure your Express apps by setting various HTTP headers.
By default it does the following:
| Module | Notes | Why |
|---|---|---|
| | tells browsers to prevent your webpage from being put in an iframe | to prevent clickjacking |
| hsts for HTTP Strict Transport Security | won’t tell users on HTTP to switch to HTTPS, it will just tell HTTPS users to stick around | HTTP sucks |
| ieNoOpen sets X-Download-Options for IE8+ | ✓ | |
| noSniff to keep clients from sniffing the MIME type | they will trust what the server says and block the resource if it’s wrong instead of guessing | if a client receives HTML (user-uploaded data) even with the wrong MIME type, it could run it |
| xssFilter adds some small XSS protections | ✓ | |
| dnsPrefetchControl controls browser DNS prefetching | ✓ | |
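To make the table concrete, here is an added example (not Helmet's own code, and not from these notes) of an Express-style middleware that sets the same headers the modules above are responsible for, plus a small audit function that reports which of those headers a response is missing. The header values are assumptions about what Helmet's defaults looked like at the time of these notes (for example the 180-day HSTS max-age and the "1; mode=block" XSS filter value); check them against the Helmet version you actually run. The fake response object is constructed so the example runs offline.

```javascript
// Added example: hand-rolled middleware mirroring the headers Helmet's default
// modules set, plus an audit helper. This is NOT Helmet's code.

// Assumed default values (per header, which Helmet module is responsible):
const SECURITY_HEADERS = {
  'X-Frame-Options': 'SAMEORIGIN',                                    // framing / clickjacking protection
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains', // hsts (180 days, assumed default)
  'X-Download-Options': 'noopen',                                     // ieNoOpen
  'X-Content-Type-Options': 'nosniff',                                // noSniff
  'X-XSS-Protection': '1; mode=block',                                // xssFilter (assumed legacy value)
  'X-DNS-Prefetch-Control': 'off',                                    // dnsPrefetchControl
};

// Express-compatible middleware factory: app.use(securityHeaders())
// `overrides` lets you change a value, e.g. { 'X-Frame-Options': 'DENY' }.
function securityHeaders(overrides = {}) {
  const headers = { ...SECURITY_HEADERS, ...overrides };
  return function (req, res, next) {
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    if (typeof next === 'function') next();
  };
}

// Audit helper: given a headers object (res.getHeaders() or what an HTTP
// client saw), return the expected header names that are missing or differ.
// Header names are compared case-insensitively, as HTTP requires.
function auditHeaders(headers, expected = SECURITY_HEADERS) {
  const seen = {};
  for (const [name, value] of Object.entries(headers)) {
    seen[name.toLowerCase()] = String(value);
  }
  return Object.entries(expected)
    .filter(([name, value]) => seen[name.toLowerCase()] !== value)
    .map(([name]) => name);
}

// Constructed stand-in for http.ServerResponse so the example runs offline.
function fakeResponse() {
  const stored = {};
  return {
    setHeader(name, value) { stored[name.toLowerCase()] = value; },
    getHeaders() { return { ...stored }; },
  };
}

// Run the middleware against the fake response and audit the result.
function demo() {
  const res = fakeResponse();
  let nextCalled = false;
  securityHeaders()({}, res, () => { nextCalled = true; });
  return { nextCalled, missing: auditHeaders(res.getHeaders()) };
}

console.log(demo());                       // { nextCalled: true, missing: [] }
console.log(auditHeaders({ 'x-frame-options': 'SAMEORIGIN' })); // lists the five headers not set
```

In a real app you would mount it with `app.use(securityHeaders())` (or just use Helmet itself) and point `auditHeaders` at the headers of a live response, which is a quick way to catch a deployment where a proxy stripped one of them.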