whatisgithub

What is helmet?

helmetjs/helmet — explained in plain English

Analysis updated 2026-06-24

10,677TypeScriptAudience · developerComplexity · 2/5Setup · easy

In one sentence

A one-line Node.js library that automatically adds 13 security headers to every Express response, protecting your web app from attacks like cross-site scripting without any configuration required.

Mindmap

mindmap
  root((Helmet))
    What it does
      Sets HTTP headers
      Blocks common attacks
      13 headers at once
    Tech Stack
      TypeScript
      Node.js
      Express middleware
    Use Cases
      Secure Express apps
      Block XSS attacks
      Custom header config
    Setup
      One line install
      No config needed
      Override any header
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Add security headers to an Express app in a single line to protect against cross-site scripting and clickjacking

USE CASE 2

Customize Content-Security-Policy to allow scripts from specific third-party domains while blocking everything else

USE CASE 3

Disable specific headers that conflict with your app setup while keeping all the rest active

USE CASE 4

Harden a new Node.js project as a first security step before deployment

What is it built with?

TypeScriptNode.jsExpress

How does it compare?

helmetjs/helmetakveo/react-native-ui-kittenelie222/inbox-zero
Stars10,67710,67910,685
LanguageTypeScriptTypeScriptTypeScript
Setup difficultyeasyeasymoderate
Complexity2/52/53/5
Audiencedeveloperdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

So what is it?

Helmet is a small library for Node.js web apps that adds a layer of security by automatically setting certain HTTP response headers. HTTP headers are short pieces of metadata that travel along with every web page response, telling browsers how to behave. Some headers, when set correctly, instruct browsers to block common attacks like cross-site scripting, where malicious code from one site tries to run on another. When you add Helmet to an Express app, a single line of code activates 13 protective headers at once. The defaults are chosen to cover a broad range of common threats without breaking typical sites. For example, the Content-Security-Policy header limits which external scripts and styles a page can load, reducing the risk of injected code. The Strict-Transport-Security header tells browsers to always use a secure HTTPS connection rather than plain HTTP. The Cross-Origin-Resource-Policy header prevents other sites from embedding your resources without permission. Every header Helmet sets can be turned off or adjusted. If your app loads scripts from a third-party domain, you can add that domain to the allowed list for Content-Security-Policy. If a particular header causes problems with your setup, you can disable it by passing false for that setting. The configuration is all done through a plain JavaScript object, so there is no separate config file to manage. Helmet is designed to stay out of the way once it is installed. It does not log anything, does not make network calls, and does not change how your routes or business logic work. It only modifies outgoing response headers. The README acknowledges that Helmet does minimal validation of your Content-Security-Policy settings and recommends checking your policy with an external tool if you want to verify correctness. The library works with Express and also supports standalone Node.js or other compatible frameworks. It is maintained separately from Express itself and is widely used as a first step when securing a new Node.js project.

Copy-paste prompts

Prompt 1
I've added Helmet to my Express app. Help me configure the Content-Security-Policy header to allow Google Fonts and a Stripe payment script.
Prompt 2
My Express app breaks after adding Helmet, help me identify which header is causing the issue and how to disable just that one.
Prompt 3
Show me how to set up Helmet in a standalone Node.js HTTP server without Express, including the correct middleware pattern.
Prompt 4
Help me verify my Helmet Content-Security-Policy is correct by explaining each directive in my config object.

Frequently asked questions

What is helmet?

A one-line Node.js library that automatically adds 13 security headers to every Express response, protecting your web app from attacks like cross-site scripting without any configuration required.

What language is helmet written in?

Mainly TypeScript. The stack also includes TypeScript, Node.js, Express.

How hard is helmet to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is helmet for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.