explaingit

helmetjs/helmet

10,677 · TypeScript · Audience · developer · Complexity · 2/5 · Setup · easy

TLDR

A one-line Node.js library that automatically adds 13 security headers to every Express response, protecting your web app from attacks like cross-site scripting without any configuration required.

Mindmap

mindmap
  root((Helmet))
    What it does
      Sets HTTP headers
      Blocks common attacks
      13 headers at once
    Tech Stack
      TypeScript
      Node.js
      Express middleware
    Use Cases
      Secure Express apps
      Block XSS attacks
      Custom header config
    Setup
      One line install
      No config needed
      Override any header

Things people build with this

USE CASE 1

Add security headers to an Express app in a single line to protect against cross-site scripting and clickjacking

USE CASE 2

Customize Content-Security-Policy to allow scripts from specific third-party domains while blocking everything else

USE CASE 3

Disable specific headers that conflict with your app setup while keeping all the rest active

USE CASE 4

Harden a new Node.js project as a first security step before deployment

Tech stack

TypeScript · Node.js · Express

Getting it running

Difficulty · easy · Time to first run · 5 min

In plain English

Helmet is a small library for Node.js web apps that adds a layer of security by automatically setting certain HTTP response headers. HTTP headers are short pieces of metadata that travel along with every web page response, telling browsers how to behave. Some headers, when set correctly, instruct browsers to block common attacks like cross-site scripting, where malicious code injected by an attacker runs in the user's browser as if it came from your site.

When you add Helmet to an Express app, a single line of code activates 13 protective headers at once. The defaults are chosen to cover a broad range of common threats without breaking typical sites. For example, the Content-Security-Policy header limits which external scripts and styles a page can load, reducing the risk of injected code. The Strict-Transport-Security header tells browsers to always use a secure HTTPS connection rather than plain HTTP. The Cross-Origin-Resource-Policy header prevents other sites from embedding your resources without permission.

Every header Helmet sets can be turned off or adjusted. If your app loads scripts from a third-party domain, you can add that domain to the allowed list for Content-Security-Policy. If a particular header causes problems with your setup, you can disable it by passing false for that setting. The configuration is all done through a plain JavaScript object, so there is no separate config file to manage.

Helmet is designed to stay out of the way once it is installed. It does not log anything, does not make network calls, and does not change how your routes or business logic work. It only modifies outgoing response headers. The README acknowledges that Helmet does minimal validation of your Content-Security-Policy settings and recommends checking your policy with an external tool if you want to verify correctness.

The library works with Express and also supports standalone Node.js or other compatible frameworks. It is maintained separately from Express itself and is widely used as a first step when securing a new Node.js project.
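The following is an added example, not code from the Helmet project: it takes a Helmet-style options object (a third-party host added to the CSP allow list, one header disabled by passing `false`), serializes the directives into the Content-Security-Policy header value, runs a small policy check of the kind the README says Helmet itself does not perform, and builds the header map a middleware would apply. The serialization format, the third-party host and the Cross-Origin-Resource-Policy value are assumptions made for illustration.

```javascript
// Added example, not Helmet's own source. Options object in the plain-JavaScript
// shape the page describes; hosts and header values are constructed for illustration.
const options = {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      // constructed third-party host added to the allow list
      scriptSrc: ["'self'", "https://cdn.example-third-party.test"],
      styleSrc: ["'self'", "https://fonts.googleapis.com"],
      objectSrc: ["'none'"],
      upgradeInsecureRequests: [],
    },
  },
  // passing false drops a header that conflicts with the app setup
  crossOriginResourcePolicy: false,
};
// scriptSrc -> script-src
function directiveName(key) {
  return key.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}
// Serialize the directives object into the header value string (format assumed).
function serializeCsp(csp) {
  return Object.entries(csp.directives)
    .map(([key, values]) => [directiveName(key), ...values].join(" "))
    .join("; ");
}
// Minimal policy checks of the kind the README says Helmet itself does not do.
function lintCsp(csp) {
  const warnings = [];
  const d = csp.directives;
  if (!d.defaultSrc) warnings.push("no default-src fallback");
  for (const src of d.scriptSrc || []) {
    if (["'unsafe-inline'", "'unsafe-eval'", "*"].includes(src)) {
      warnings.push(`script-src allows ${src}`);
    }
  }
  return warnings;
}
// Header map a middleware would apply with res.setHeader(); the CORP value is
// constructed here for illustration, not taken from Helmet's source.
function buildHeaders(opts) {
  const headers = {};
  if (opts.contentSecurityPolicy !== false) {
    headers["Content-Security-Policy"] = serializeCsp(opts.contentSecurityPolicy);
  }
  if (opts.crossOriginResourcePolicy !== false) {
    headers["Cross-Origin-Resource-Policy"] = "same-origin";
  }
  return headers;
}
```

Running `lintCsp` before `buildHeaders` surfaces a missing default-src or a permissive script-src that the library itself would pass through unchanged.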

Copy-paste prompts

Prompt 1
I've added Helmet to my Express app. Help me configure the Content-Security-Policy header to allow Google Fonts and a Stripe payment script.
Prompt 2
My Express app breaks after adding Helmet, help me identify which header is causing the issue and how to disable just that one.
Prompt 3
Show me how to set up Helmet in a standalone Node.js HTTP server without Express, including the correct middleware pattern.
Prompt 4
Help me verify my Helmet Content-Security-Policy is correct by explaining each directive in my config object.


Verify against the repo before relying on details.