Helmet

Helmet is an Express.js middleware library that sets a comprehensive collection of HTTP security headers to protect web applications from common vulnerabilities like cross-site scripting and clickjacking. At its core, it provides a configurable middleware system for injecting security headers into HTTP responses, with a primary focus on Content Security Policy configuration through custom directives and report-only testing modes.

The library distinguishes itself through a flexible configuration surface that supports method chaining for composing multiple headers in a single expression, as well as object-based configuration for declarative security policy setup. It includes default-safe presets that follow current best practices, while also allowing selective disabling of individual headers by name for granular control. A dedicated report-only mode duplicates the CSP configuration but sets the report-only directive, enabling policy testing without blocking resources.

Beyond CSP, Helmet manages frame embedding restrictions through X-Frame-Options headers to prevent clickjacking, and provides a comprehensive set of HTTP security headers that can be individually enabled or disabled. The middleware intercepts Express responses to inject these headers before the response is sent, with support for custom header values and policy overrides.

Features

Express Middleware Implementations - Provides an Express.js middleware for configuring Content-Security-Policy headers with custom directives.
Security Middleware - Sets HTTP security headers via Express middleware to protect against XSS and clickjacking vulnerabilities.
Security Header Presets - Ships default-safe presets of security headers that follow current best practices out of the box.
Content Security Policies - Configures the Content-Security-Policy header by specifying directives, merging with defaults, or using report-only mode.
HTTP Security Headers - Sets a comprehensive set of HTTP response headers to harden web application security.
Express Middleware Injectors - Intercepts Express HTTP responses via middleware to inject security headers before the response is sent.
Content Security Policy Directive Builders - Builds Content-Security-Policy headers by composing directive objects into a formatted browser-enforced string.
Security Headers - Protects Express web applications from common vulnerabilities by setting secure HTTP response headers.
Clickjacking Prevention Policies - Blocks web pages from being embedded in frames on other sites to prevent clickjacking attacks.
CSP Report-Only Mode Switches - Duplicates CSP configuration in report-only mode to test policies without blocking resources.
CSP Report-Only Testing Modes - Tests Content Security Policy changes safely using report-only mode to monitor violations without enforcement.
Selective Header Disablement - Provides granular control to disable individual security headers when application needs require it.
X-Frame-Options Header Overrides - Sets custom X-Frame-Options header values, including the obsolete ALLOW-FROM directive, via middleware.
Frame Embedding Restriction Policies - Blocks web pages from being embedded in frames on other sites by setting the X-Frame-Options header.
Selective Header Disablement - Allows selective disabling of individual security headers by name for granular control.
CSP Report-Only Middleware Implementations - Ships an Express.js middleware that sets Content-Security-Policy-Report-Only headers for testing policy changes.
Configuration Objects - Accepts a single configuration object mapping header names to settings for declarative security policy setup.
HTTP Header Manipulators - Manages and customizes HTTP response headers for Express applications, including disabling specific headers.
Chainable Security Header Configurations - Provides a fluent method-chaining API for composing multiple security header configurations concisely.

codeigniter4/CodeIgniter4

5,924View on GitHub

CodeIgniter is a PHP web framework built on the Model-View-Controller pattern, designed for building full-stack web applications. It provides a lightweight toolkit with minimal configuration, organizing application logic into controllers, models, and views for clean separation of concerns. The framework includes a fluent query builder for constructing SQL statements programmatically, PSR-4 autoloading with namespace mapping, and a service-based dependency injection container for managing shared class instances. The framework distinguishes itself through its comprehensive set of built-in tools

phanan/htaccess

13,165View on GitHub

This project is a comprehensive library of reusable configuration patterns for the Apache web server. It provides a collection of server-side directives designed to manage security, performance, and request routing through decentralized configuration files. The repository serves as a reference for implementing server-level settings without requiring global restarts. It includes specialized patterns for enforcing secure connections, managing cross-origin resource sharing, and protecting sensitive system files from public exposure. Users can leverage these snippets to implement clickjacking pro

OWASP/CheatSheetSeries

32,298View on GitHub

The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems. What distinguishes this project is its decentral

helmetjshelmet

Features

Open-source alternatives to Helmet

codeigniter4/CodeIgniter4

phanan/htaccess

OWASP/CheatSheetSeries

requestly/requestly

Star history

Open-source alternatives to Helmet

codeigniter4/CodeIgniter4

phanan/htaccess

OWASP/CheatSheetSeries

requestly/requestly