npm helmet with code examples

As a developer, it is important to prioritize the security of applications and websites. One popular tool for enhancing the security of Node.js applications is npm helmet. Helmet is a middleware that helps to secure your Express.js application by setting various HTTP headers, improved security standards, and by handling common security attacks.

Helmset is a collection of 14 middleware functions that protect your Node applications from various types of attacks. It is lightweight, easy to use and compatible with other middleware like morgan and body-parser. It is an npm package and can be easily installed through Node Package Manager (npm).

Installation and Usage:

To install Helmet, you simply need to enter the following command in the terminal:

$ npm install helmet

Once installed, you can include Helmet in your Express.js projects just like any other middleware.

const express = require('express')
const helmet = require("helmet")

const app = express()
app.use(helmet())

Security Features:

Helmet comes with 14 middleware functions that make it easier for developers to secure their applications. Here are some of the security features:

1. Content Security Policy (CSP): Helmet's helmet.contentSecurityPolicy() middleware helps prevent cross-site scripting (XSS) and other code injection attacks by setting the Content-Security-Policy header.

const helmet = require('helmet')
app.use(helmet.contentSecurityPolicy({
    directives: {
        defaultSrc: ["'self'"],
        scriptSrc: ["'self'", "trusted-cdn.com"]
    }
}))

2. Cross-Site Request Forgery (CSRF): Helmet's helmet.csrf() middleware helps protect against client-side attacks. It generates a unique token for each user and if the token does not match, the request will be rejected.

const helmet = require('helmet')
app.use(helmet.csrf())

3. DNS Prefetching: Helmet's helmet.dnsPrefetchControl() middleware stops the browser from automatically performing DNS lookups, which reduces the risk of attackers using DNS spoofing techniques.

const helmet = require('helmet')
app.use(helmet.dnsPrefetchControl())

4. Expect-CT: Helmet's helmet.expectCt() middleware enhances website security by checking certificates for the Certificate Transparency (CT) process. This helps prevent attackers from using fraudulent SSL/TLS certificates.

const helmet = require('helmet')
app.use(helmet.expectCt())

5. Frameguard: Helmet's helmet.frameguard() middleware helps prevent clickjacking attacks by setting the X-Frame-Options header.

const helmet = require('helmet')
app.use(helmet.frameguard({action: 'deny'}))

6. HPKP: Helmet's helmet.hpkp() middleware helps prevent SSL/TLS certificate fraud by using HTTP Public Key Pinning (HPKP).

const helmet = require('helmet')
app.use(helmet.hpkp({
  maxAge: 5184000,     // 60 days in seconds
  sha256s: ['AbCdEf123=', 'ZyXwVu456='],
  includeSubDomains: true,
  reportUri: 'https://example.com/report-uri'
}))

7. HSTS: Helmet's helmet.hsts() middleware helps protect websites against man-in-the-middle (MITM) attacks by setting the Strict-Transport-Security header.

const helmet = require('helmet')
app.use(helmet.hsts({ maxAge: 31536000 }))

8. IE No Open: Helmet's helmet.ieNoOpen() middleware prevents IE from running in "Open" mode, which can result in XSS attacks.

const helmet = require('helmet')
app.use(helmet.ieNoOpen())

9. NoCache: Helmet's helmet.noCache() middleware prevents browsers from caching responses.

const helmet = require('helmet')
app.use(helmet.noCache())

10. NoSniff: Helmet's helmet.noSniff() middleware ensures that browsers do not cache incorrect MIME types.

const helmet = require('helmet')
app.use(helmet.noSniff())

11. Referrer Policy: Helmet's helmet.referrerPolicy() middleware controls what information is sent in the HTTP header Referer. It can be set to 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin' or 'strict-origin-when-cross-origin'.

const helmet = require('helmet')
app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }))

12. XSS Filter: Helmet's helmet.xssFilter() middleware sets the X-XSS-Protection header to reduce the risk of reflected XSS attacks.

const helmet = require('helmet')
app.use(helmet.xssFilter())

Conclusion:

Helmet is a powerful middleware package that helps to secure your Node.js Express applications by automatically setting HTTP headers, improving security standards, and mitigating common security attacks. It's a lightweight and easy-to-use package that provides robust and comprehensive security enhancements. Developers must ensure that their applications incorporate various security measures, the helment middleware helps to achieve that.

To provide more insight on previous topics, let us delve deeper.

1. Content Security Policy (CSP):

Helmet's helmet.contentSecurityPolicy() middleware helps protect against Cross-Site Scripting (XSS) attacks by setting the Content-Security-Policy header. It allows for whitelisting of approved content sources and helps in preventing unauthorized scripts from running on your website.

Here's an example configuration for CSP using Helmet middleware:

const helmet = require('helmet')
app.use(helmet.contentSecurityPolicy({
    directives: {
        defaultSrc: ["'self'"],
        scriptSrc: ["'self'", "trusted-cdn.com"]
    }
}))

In this example, we are allowing scripts to execute only from the trusted CDN and our application's domain.

2. Cross-Site Request Forgery (CSRF):

Helmet's helmet.csrf() middleware adds an anti-CSRF token to all HTML forms generated with a form-tag, and to all POST requests made from an HTML form. It ensures that a malicious website does not make a form POST request on behalf of the user, thereby preventing CSRF attacks.

Here's the code to enable CSRF protection using Helmet middleware:

const helmet = require('helmet')
app.use(helmet.csrf())

Once enabled, all form submissions in the application will automatically include a hidden field with a CSRF token.

3. DNS Prefetching:

Helmet's helmet.dnsPrefetchControl() middleware prevents the browser from automatically resolving DNS lookups, which helps to reduce the risk of attackers using DNS spoofing techniques. This can be achieved by setting the X-DNS-Prefetch-Control header.

Here's an example of using the helmet.dnsPrefetchControl() middleware:

const helmet = require('helmet')
app.use(helmet.dnsPrefetchControl())

Once enabled, the application's X-DNS-Prefetch-Control header will be set to "off", disallowing the browser to perform DNS pre-fetching.

4. Expect-CT:

Helmet's helmet.expectCt() middleware checks if the website is following the Certificate Transparency (CT) process for SSL/TLS certificates. The CT process is designed to prevent attackers from using fraudulent SSL/TLS certificates in phishing attacks or other malicious actions.

Here's an example of using the helmet.expectCt() middleware:

const helmet = require('helmet')
app.use(helmet.expectCt())

Once enabled, the application's Expect-CT header will be set, requiring other services to send reports confirming they follow the CT policy.

5. Frameguard:

Helmet's helmet.frameguard() middleware prevents click-jacking attacks by setting the X-Frame-Options header. Click-jacking is a technique where an attacker trick a user into clicking a link that runs a malicious script disguised as a button.

Here's an example of using the helmet.frameguard() middleware:

const helmet = require('helmet')
app.use(helmet.frameguard({action: 'deny'}))

This code instructs the browser to deny loading any page content in a frame, effectively preventing click-jacking attacks.

6. HPKP:

Helmet's helmet.hpkp() middleware helps to protect websites against SSL/TLS certificate fraud by implementing HTTP Public Key Pinning (HPKP). It allows a site to specify which Certificate Authorities (CAs) are authorized to issue certificates for them.

Here's an example of using the helmet.hpkp() middleware:

const helmet = require('helmet')
app.use(helmet.hpkp({
  maxAge: 5184000,     // 60 days in seconds
  sha256s: ['AbCdEf123=', 'ZyXwVu456='],
  includeSubDomains: true,
  reportUri: 'https://example.com/report-uri'
}))

This code instructs the browser to include strict public key pinning for the specified sha256s, maxAge for the duration of time pins are considered valid, includeSubDomains adds subdomains as well and reportUri specifies a URI to receive pinning violation reports.

7. HSTS:

Helmet's helmet.hsts() middleware helps to protect websites against man-in-the-middle (MITM) attacks by setting the Strict-Transport-Security header. MITM attacks occur when a hacker intercepts communication between two parties to steal data or information.

Here's an example of using the helmet.hsts() middleware:

const helmet = require('helmet')
app.use(helmet.hsts({ maxAge: 31536000 }))

This code instructs the browser to only interact with the website over HTTPS for one year, which helps to protect the user's data from being exposed to hackers.

8. IE No Open:

Helmet's helmet.ieNoOpen() middleware instructs Internet Explorer (IE) not to open untrusted HTML at all, preventing XSS attacks. It sets the X-Download-Options header to noopen.

Here's an example of using the helmet.ieNoOpen() middleware:

const helmet = require('helmet')
app.use(helmet.ieNoOpen())

This code sets the X-Download-Options header, instructing IE not to open untrusted HTML-files.

9. NoCache:

Helmet's helmet.noCache() middleware prevents the browser from caching the response outputs, it sets the Cache-Control and Pragma headers.

Here's an example of using the helmet.noCache() middleware:

const helmet = require('helmet')
app.use(helmet.noCache())

This code sets the Cache-Control and Pragma headers to instruct the browser never to cache the response outputs.

10. NoSniff:

Helmet's helmet.noSniff() middleware ensures that browsers do not incorrectly interpret files with the wrong MIME type. This causes attacks called MIME-Sniffing, which takes advantage of different applications' interpretive abilities for different data types, thereby leading to security vulnerabilities.

Here's an example of using the helmet.noSniff() middleware:

const helmet = require('helmet')
app.use(helmet.noSniff())

This code sets the X-Content-Type-Options header to prevent MIME sniffing by the browser.

11. Referrer Policy:

Helmet's helmet.referrerPolicy() middleware controls information sent in the HTTP header Referer. It can be set to 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin' or 'strict-origin-when-cross-origin'.

Here's an example of using the helmet.referrerPolicy() middleware:

const helmet = require('helmet')
app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }))

This code sets the Referrer-Policy header to strict-origin-when-cross-origin, allowing only the domain name and scheme to be shared across domains.

12. XSS Filter:

Helmet's helmet.xssFilter() middleware sets the X-XSS-Protection header to reduce the risk of reflective XSS attacks. Reflective XSS attacks occur when malicious scripts are injected into the page sent by the server and reflect the attack back on a user.

Here's an example of using the helmet.xssFilter() middleware:

const helmet = require('helmet')
app.use(helmet.xssFilter())

This code sets the X-XSS-Protection header, which instructs the browser always to activate the XSS filtering module.

In summary, Helmet middleware is an excellent tool for ensuring that your Node.js Express application is secure. The 14 middleware functions cover a wide range of security vulnerabilities, providing comprehensive protection for your application. By making use of middleware functions such as CSP, CSRF, NoSniff and HSTS, you can confidently add an extra layer of security to your codebase, improving your application security and providing your users with comfort knowing that their data is safe from the ever-growing threat of hackers.

Popular questions

1. What is Helmet Middleware in Node.js?

Helmet is an npm package that provides middleware functions to secure your Express.js application by setting various HTTP headers, improving security standards, and by handling common security attacks.

2. How can you install Helmet Middleware using NPM?

You can install Helmet Middleware in Node.js using the following NPM command:

$ npm install helmet

3. What are some of the security features provided by Helmet Middleware?

Helmet Middleware provides numerous middleware functions that make it easier for developers to secure their applications. Some of these security features include content security policy (CSP), cross-site request forgery (CSRF), frameguard, HSTS, DNS prefetching, and no caching.

4. How can you use Helmet Middleware in a Node.js application?

You can use Helmet Middleware in a Node.js application like any other middleware. You have to require the 'helmet' package with 'require()' and set it up using the 'app.use()' method.

Here is an example:

const express = require('express')
const helmet = require('helmet')
const app = express()

app.use(helmet())

This sets up Helmet Middleware for the Node.js application.

5. How does Helmet Middleware help with security?

Helmet Middleware helps with security by providing middleware functions that set HTTP headers which improve security standards, defend against common security attacks, and handle other security vulnerabilities. These middleware functions help to protect against cross-site scripting (XSS), clickjacking, man-in-the-middle (MITM) attacks, and many more. By utilizing the various middleware functions provided by Helmet Middleware, Node.js developers can help ensure their applications are more secure and less vulnerable to security threats.

Tag

Security.