Helmet
Helmet can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately. Generally, Helmet is just a collection of 14 smaller middleware functions that set security-related HTTP headers.
Hint: Note that applying helmet as global or registering it must come before other calls to app.use() or setup functions that may call app.use(). This is due to the way the underlying platform (i.e., Express or Fastify) works, where the order in which middleware/routes are defined matters. If you use middleware like helmet or cors after you define a route, that middleware will not apply to that route; it will only apply to middleware defined after the route.
Use with Express (default)
Start by installing the required package.
$ npm i --save helmet
Once the installation is complete, apply it as a global middleware.
import * as helmet from 'helmet';
// somewhere in your initialization file
app.use(helmet());
Hint: If you are getting the "This expression is not callable" error while trying to import Helmet, you very likely have the allowSyntheticDefaultImports and esModuleInterop options set to true in your project's tsconfig.json file. If that's the case, change the import statement to import helmet from 'helmet' instead.
Use with Fastify
If you are using the FastifyAdapter, install the fastify-helmet package:
$ npm i --save fastify-helmet
fastify-helmet should not be used as a middleware, but as a Fastify plugin, i.e., by using app.register():
import { fastifyHelmet } from 'fastify-helmet';
// somewhere in your initialization file
await app.register(fastifyHelmet);
Warning: When using apollo-server-fastify and fastify-helmet, there may be a problem with CSP on the GraphQL playground. To solve this collision, configure the CSP as shown below:
await app.register(fastifyHelmet, {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: [`'self'`],
      styleSrc: [`'self'`, `'unsafe-inline'`, 'cdn.jsdelivr.net', 'fonts.googleapis.com'],
      fontSrc: [`'self'`, 'fonts.gstatic.com'],
      imgSrc: [`'self'`, 'data:', 'cdn.jsdelivr.net'],
      scriptSrc: [`'self'`, `https: 'unsafe-inline'`, `cdn.jsdelivr.net`],
    },
  },
});

// If you are not going to use CSP at all, you can use this:
await app.register(fastifyHelmet, {
  contentSecurityPolicy: false,
});