What does helmet do?
Adds security HTTP headers: X-Frame-Options (clickjacking), Strict-Transport-Security (force HTTPS), Content-Security-Policy basics, and more. Set and forget; it protects against several common attacks with no behavior change.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Popular Express Middlewares You Should Use
express.json, express.urlencoded, cors, helmet, morgan or pino-http, express-rate-limit, cookie-parser, compression, express-mongo-sanitize, xss-clean, hpp, plus your own auth, validation, and error handler middlewares.
Limits requests per IP. Add a global limiter (100 req per 15 min) and stricter limiters on auth routes (5 attempts per 15 min). Prevents abuse and brute-force attacks.
Strips $ and . from user input to prevent NoSQL injection. Without it, a user can send { $gt: '' } as a query and bypass auth. Add it after body parser so all bodies are sanitized.
Still have questions?
Browse all our FAQs or reach out to our support team
