Helmet.js is a useful Node.js module that helps us secure HTTP headers returned by our Express apps. HTTP headers are an important part of the HTTP protocol, but are generally transparent from the end-user perspective. The headers provide important metadata about the HTTP request or response so the client (browser) and server can send additional information in a transaction. We have adopted Express Helmet in Spurtcommerce and this article explains us why.

 

Why do we need HTTP headers?

Since users do not see HTTP headers, developers have a tendency to ignore them. However, HTTP headers can leak sensitive information about the application inadvertently. Thus, it is important to configure and use them in a secure way.

A popular way Express apps leak information is through X-Powered-By header. This header informs the browser which server vendor and version we are using. By default, Express exposes the X-Powered-By header and leaks “Express” (usually without a version number). Hackers typically cross-reference this information with a list of publicly disclosed known vulnerabilities, which makes our Application a prime target for easy exploits -- especially we are running an unpatched version of Express.

 

What is Helmet.js?

We are lucky that Helmet.js makes securing HTTP headers easy for Node.js developers. Helmet.js is a collection of 12 Node modules that interface with Express. Each module provides configuration options for securing different HTTP headers. Here’s a list of the Node modules that are included with Helmet.js:

For some HTTP headers, Helmet.js automatically defaults to the “secure” option. Others, like Content-Security-Policy, require the developer to make an explicit configuration. This is usually because the "best practice" may break functionality or degrade user experience -- so configurations must be tuned accordingly.