# helmetjs/helmet

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/helmetjs-helmet).**

10,692 stars · 408 forks · TypeScript · MIT

## Links

- GitHub: https://github.com/helmetjs/helmet
- Homepage: https://helmet.js.org/
- awesome-repositories: https://awesome-repositories.com/repository/helmetjs-helmet.md

## Topics

`helmet` `http-headers` `javascript` `middleware` `security`

## Description

Helmet is an Express.js middleware library that sets a comprehensive collection of HTTP security headers to protect web applications from common vulnerabilities like cross-site scripting and clickjacking. At its core, it provides a configurable middleware system for injecting security headers into HTTP responses, with a primary focus on Content Security Policy configuration through custom directives and report-only testing modes.

The library distinguishes itself through a flexible configuration surface that supports method chaining for composing multiple headers in a single expression, as well as object-based configuration for declarative security policy setup. It ships default-safe presets that follow current best practices, while still allowing individual headers to be disabled by name for granular control. A dedicated report-only mode reuses the same CSP configuration but emits it in the Content-Security-Policy-Report-Only header, so a policy can be tested by observing violation reports without blocking resources.

Beyond CSP, Helmet manages frame embedding restrictions through X-Frame-Options headers to prevent clickjacking, and provides a comprehensive set of HTTP security headers that can be individually enabled or disabled. The middleware intercepts Express responses to inject these headers before the response is sent, with support for custom header values and policy overrides.

## Tags

### Security & Cryptography

- [Express Middleware Implementations](https://awesome-repositories.com/f/security-cryptography/content-security-policies/express-middleware-implementations.md) — Provides an Express.js middleware for configuring Content-Security-Policy headers with custom directives.
- [Content Security Policies](https://awesome-repositories.com/f/security-cryptography/content-security-policies.md) — Configures the Content-Security-Policy header by specifying directives, merging with defaults, or using report-only mode. ([source](https://cdn.jsdelivr.net/gh/helmetjs/helmet@main/README.md))
- [HTTP Security Headers](https://awesome-repositories.com/f/security-cryptography/http-security-headers.md) — Sets a comprehensive set of HTTP response headers to harden web application security.
- [Express Middleware Injectors](https://awesome-repositories.com/f/security-cryptography/network-infrastructure-security/web-network-security/web-security-policies/security-header-injections/express-middleware-injectors.md) — Intercepts Express HTTP responses via middleware to inject security headers before the response is sent.
- [Content Security Policy Directive Builders](https://awesome-repositories.com/f/security-cryptography/policy-based-access-control/exclusion-directive-enforcers/content-security-policy-directive-builders.md) — Builds Content-Security-Policy headers by composing directive objects into a formatted browser-enforced string.
- [Security Headers](https://awesome-repositories.com/f/security-cryptography/security-headers.md) — Protects Express web applications from common vulnerabilities by setting secure HTTP response headers.
- [Selective Header Disablement](https://awesome-repositories.com/f/security-cryptography/application-and-system-security/web-security/security-headers/selective-header-disablement.md) — Provides granular control to disable individual security headers when application needs require it. ([source](https://cdn.jsdelivr.net/gh/helmetjs/helmet@main/README.md))
- [X-Frame-Options Header Overrides](https://awesome-repositories.com/f/security-cryptography/host-header-validations/override-header-bypass-techniques/x-frame-options-header-overrides.md) — Sets custom X-Frame-Options header values, including the obsolete ALLOW-FROM directive, via middleware. ([source](https://helmet.js.org/faq/x-frame-options-allow-from-directive/))
- [Frame Embedding Restriction Policies](https://awesome-repositories.com/f/security-cryptography/host-header-validations/override-header-bypass-techniques/x-frame-options-header-overrides/frame-embedding-restriction-policies.md) — Blocks web pages from being embedded in frames on other sites by setting the X-Frame-Options header. ([source](https://helmet.js.org/faq/x-frame-options-allow-from-directive/))
- [Selective Header Disablement](https://awesome-repositories.com/f/security-cryptography/security-headers/selective-header-disablement.md) — Allows selective disabling of individual security headers by name for granular control.
- [CSP Report-Only Middleware Implementations](https://awesome-repositories.com/f/security-cryptography/security/policies/access-control/middleware/csp-report-only-middleware-implementations.md) — Ships an Express.js middleware that sets Content-Security-Policy-Report-Only headers for testing policy changes.

### Part of an Awesome List

- [Security Middleware](https://awesome-repositories.com/f/awesome-lists/security/security-middleware.md) — Sets HTTP security headers via Express middleware to protect against XSS and clickjacking vulnerabilities.

### Development Tools & Productivity

- [Security Header Presets](https://awesome-repositories.com/f/development-tools-productivity/configuration-defaults/default-permission-presets/default-preset-overrides/security-header-presets.md) — Ships default-safe presets of security headers that follow current best practices out of the box.

### Graphics & Multimedia

- [Clickjacking Prevention Policies](https://awesome-repositories.com/f/graphics-multimedia/predictive-frame-drop-prevention/clickjacking-prevention-policies.md) — Blocks web pages from being embedded in frames on other sites to prevent clickjacking attacks.

### Networking & Communication

- [CSP Report-Only Mode Switches](https://awesome-repositories.com/f/networking-communication/latency-only-test-modes/csp-report-only-mode-switches.md) — Duplicates CSP configuration in report-only mode to test policies without blocking resources.
- [CSP Report-Only Testing Modes](https://awesome-repositories.com/f/networking-communication/latency-only-test-modes/csp-report-only-testing-modes.md) — Tests Content Security Policy changes safely using report-only mode to monitor violations without enforcement.

### Software Engineering & Architecture

- [Configuration Objects](https://awesome-repositories.com/f/software-engineering-architecture/configuration-objects.md) — Accepts a single configuration object mapping header names to settings for declarative security policy setup.

### Web Development

- [HTTP Header Manipulators](https://awesome-repositories.com/f/web-development/backend-development/request-response-handling/http-utilities/http-header-manipulators.md) — Manages and customizes HTTP response headers for Express applications, including disabling specific headers.
- [Chainable Security Header Configurations](https://awesome-repositories.com/f/web-development/middleware-composition-layers/chainable-security-header-configurations.md) — Provides a fluent method-chaining API for composing multiple security header configurations concisely.
