Helmet
Helmet helps you secure your Express apps by setting various HTTP headers. By default it does the following:
| Module | Notes | Why |
|---|---|---|
| tells browsers to prevent your webpage from being put in an iframe | | to prevent clickjacking |
| for HTTP Strict Transport Security | won’t tell users on HTTP to switch to HTTPS, it will just tell HTTPS users to stick around | HTTP sucks |
| sets X-Download-Options for IE8+ | | ✓ |
| to keep clients from sniffing the MIME type | they will trust what the server says and block the resource if it’s wrong instead of guessing | if the client receives HTML (user-uploaded data) even with the wrong MIME type, it could run it |
| adds some small XSS protections | | ✓ |
| controls browser DNS prefetching | | ✓ |
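As an added example (not Helmet's own code), the six defaults above expressed as a dependency-free, Express-compatible middleware, plus a checker that reports which of those headers a response is missing. The header values are assumed to match Helmet's classic defaults; newer Helmet majors change some of them (for instance `X-XSS-Protection`), so compare against your installed version.

```javascript
// Added example: the headers Helmet's default modules set, in one place.
// Values are an assumption based on older Helmet defaults; verify against
// the version you actually install.
const DEFAULT_HEADERS = {
  // frameguard: page may only be framed by its own origin -> blocks clickjacking
  'X-Frame-Options': 'SAMEORIGIN',
  // hsts: browsers only act on this when it arrives over HTTPS; it keeps
  // HTTPS users on HTTPS, it does not move HTTP users over
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  // ieNoOpen: IE8+ will not open a download in the context of the site
  'X-Download-Options': 'noopen',
  // noSniff: browser trusts Content-Type instead of guessing from content
  'X-Content-Type-Options': 'nosniff',
  // xssFilter: legacy browser XSS auditor ("small" protection, as noted above)
  'X-XSS-Protection': '1; mode=block',
  // dnsPrefetchControl: no speculative DNS lookups for links on the page
  'X-DNS-Prefetch-Control': 'off',
};

// Express-style middleware: app.use(securityHeaders) sets every default header.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(DEFAULT_HEADERS)) {
    res.setHeader(name, value);
  }
  if (typeof next === 'function') next();
}

// Given a response header map (any key casing), return the names of
// default headers that are absent or carry an unexpected value.
function missingSecurityHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  return Object.entries(DEFAULT_HEADERS)
    .filter(([name, value]) => lower[name.toLowerCase()] !== value)
    .map(([name]) => name);
}

// Demo against a constructed fake response object (no network needed).
function demo() {
  const res = { headers: {}, setHeader(n, v) { this.headers[n] = v; } };
  securityHeaders({}, res, () => {});
  return missingSecurityHeaders(res.headers); // returns [] when all defaults are set
}
```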