@davaux/helmet

Sets a collection of security-related HTTP response headers that reduce your application's exposure to common web attacks (script injection, clickjacking, MIME sniffing, protocol downgrade). Each header has a sensible default, and every default can be overridden or disabled individually.

Installation

npm install @davaux/helmet

Basic usage

// davaux.config.ts
import { defineConfig } from 'davaux/config'
import { helmet } from '@davaux/helmet'

export default defineConfig({
  middleware: [helmet()],
})

With no arguments, helmet() applies all default headers described below.

Headers set by default

Content-Security-Policy

Controls where the browser may load scripts, styles, images, fonts and fetch/XHR/WebSocket connections from. The default permits same-origin resources only, with two relaxations: inline styles ('unsafe-inline' in style-src, which also lets an injected <style> block or style attribute apply) and data: URLs for images. Scripts must come from your own origin; inline <script> blocks and event-handler attributes are blocked:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'

Strict-Transport-Security (HSTS)

Instructs browsers to connect only over HTTPS, for this host and every subdomain, for one year (31536000 seconds) from the last time they saw the header. Browsers ignore the header on plain-HTTP responses, so it only takes effect once the site already serves TLS, and includeSubDomains breaks any subdomain that is still HTTP-only:

Strict-Transport-Security: max-age=31536000; includeSubDomains

X-Frame-Options

Stops other origins from framing your pages, which blocks clickjacking overlays; SAMEORIGIN still lets your own pages frame each other. The default CSP above sets no frame-ancestors directive, so this header is the only framing control; use 'DENY' (see Customizing headers) when nothing needs to frame the app:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Makes browsers honour the declared Content-Type instead of sniffing the body, so a user-uploaded file served as text/plain or image/png cannot be reinterpreted as HTML or script:

X-Content-Type-Options: nosniff

Referrer-Policy

Controls how much of the current URL goes into the Referer header: the full URL on same-origin requests, only the origin on cross-origin requests, and nothing at all when dropping from HTTPS to HTTP:

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Denies the camera, microphone and geolocation APIs to the page and to every frame it embeds; an empty allowlist () means no origin may use the feature:

Permissions-Policy: camera=(), microphone=(), geolocation=()

X-XSS-Protection

Disables the legacy browser XSS auditor. Modern browsers have removed it, and in older ones its filtering mode could be abused to leak page contents; CSP is the replacement:

X-XSS-Protection: 0

Cross-Origin-Opener-Policy

Puts the page in its own browsing context group: a cross-origin window that opened it, or that it opened, loses its window.opener reference and cannot navigate or script the page, which closes off reverse tabnabbing and cross-window leaks:

Cross-Origin-Opener-Policy: same-origin

Cross-Origin-Resource-Policy

Tells browsers to refuse no-cors loads of the response from other origins, for example an <img> or <script> tag on another site pointing at it. It applies to every response the middleware touches, static assets included, so override or disable it for any resource that other origins legitimately embed:

Cross-Origin-Resource-Policy: same-origin
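The headers above are only useful if the deployed app actually emits them. The following is an added example, not part of @davaux/helmet: an audit function that takes a response's headers as a plain object (what Object.fromEntries(response.headers) gives you for a fetch() Response) and reports every header that is missing or weaker than the defaults listed in this README, so it can run in CI against a staging URL. The two sample header sets are constructed for the example; the function and constant names are this example's own.

```javascript
// Added example, not part of @davaux/helmet: compare a response's headers
// against the defaults documented above and return a list of findings.
// Input: object of header name -> value (any case); output: string[].

const ONE_YEAR = 31536000;

// "max-age=31536000; includeSubDomains" -> { maxAge, includeSubDomains, preload }
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const token = raw.trim().toLowerCase();
    if (token.startsWith('max-age=')) out.maxAge = Number(token.slice(8).replace(/"/g, ''));
    else if (token === 'includesubdomains') out.includeSubDomains = true;
    else if (token === 'preload') out.preload = true;
  }
  return out;
}

function auditHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const findings = [];
  const expect = (name, ok, message) => { if (!ok) findings.push(`${name}: ${message}`); };

  expect('content-security-policy', 'content-security-policy' in h, 'missing');
  if (h['content-security-policy']) {
    // Split "name src src; name src" into { name: [src, ...] }.
    const directives = Object.fromEntries(
      h['content-security-policy'].split(';').map((s) => s.trim()).filter(Boolean)
        .map((s) => { const [name, ...sources] = s.split(/\s+/); return [name, sources]; }));
    const scripts = directives['script-src'] || directives['default-src']; // script-src falls back
    expect('content-security-policy',
      scripts && !scripts.includes("'unsafe-inline'") && !scripts.includes('*'),
      'script-src is missing or allows inline / any-origin scripts');
  }

  if (!h['strict-transport-security']) {
    findings.push('strict-transport-security: missing');
  } else {
    const hsts = parseHsts(h['strict-transport-security']);
    expect('strict-transport-security', hsts.maxAge !== null && hsts.maxAge >= ONE_YEAR,
      `max-age ${hsts.maxAge} is under one year`);
  }
  expect('x-content-type-options', (h['x-content-type-options'] || '').toLowerCase() === 'nosniff', 'not nosniff');
  expect('x-frame-options', ['deny', 'sameorigin'].includes((h['x-frame-options'] || '').toLowerCase()),
    'missing or not DENY/SAMEORIGIN');
  expect('referrer-policy',
    ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin']
      .includes((h['referrer-policy'] || '').toLowerCase()),
    'missing or leaks full URLs cross-origin');
  expect('permissions-policy', 'permissions-policy' in h, 'missing');
  // Absent is fine too; only an enabled auditor ("1; mode=block") is a finding.
  expect('x-xss-protection', !('x-xss-protection' in h) || h['x-xss-protection'].trim() === '0',
    'legacy XSS filter enabled; set 0 or drop the header');
  expect('cross-origin-opener-policy', (h['cross-origin-opener-policy'] || '').toLowerCase() === 'same-origin',
    'missing or not same-origin');
  expect('cross-origin-resource-policy',
    ['same-origin', 'same-site'].includes((h['cross-origin-resource-policy'] || '').toLowerCase()),
    'missing or cross-origin');
  return findings;
}

// Constructed sample: what a response behind the default helmet() looks like.
const hardenedResponseHeaders = {
  'content-security-policy': "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'",
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-frame-options': 'SAMEORIGIN',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
  'x-xss-protection': '0',
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-resource-policy': 'same-origin',
};

// Constructed sample: a misconfigured deployment (mixed-case names on purpose).
const weakResponseHeaders = {
  'Content-Security-Policy': "default-src *; script-src * 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'ALLOWALL',
  'X-XSS-Protection': '1; mode=block',
  'Referrer-Policy': 'unsafe-url',
};

console.log('hardened:', auditHeaders(hardenedResponseHeaders));
console.log('weak:', auditHeaders(weakResponseHeaders));
```

Against a live deployment, pass Object.fromEntries((await fetch(url)).headers) and fail the pipeline when the returned array is non-empty. The check deliberately treats an absent X-XSS-Protection as acceptable, since the header's only safe value is 0.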

Customizing headers

Pass an options object to override individual headers:

helmet({
  contentSecurityPolicy: {
    directives: {
      'default-src': ["'self'"],
      'script-src': ["'self'", 'https://cdn.example.com'],
      'style-src': ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
      'img-src': ["'self'", 'data:', 'https://images.example.com'],
      'font-src': ["'self'", 'https://fonts.gstatic.com'],
    },
  },
  hsts: {
    maxAge: 63072000,   // 2 years
    includeSubDomains: true,
    preload: true,      // commits every subdomain to HTTPS; removal from the browser preload list is slow
  },
  frameOptions: 'DENY',  // or 'SAMEORIGIN'
  referrerPolicy: 'no-referrer',
})
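The directives object above is rendered into the header value in the order given, with sources space-separated and directives joined by "; ". The following is an added example, not the project's own code: a renderer for that object shape that rejects malformed sources (a stray ";" inside a source would terminate the directive early), plus a lint pass for the weaknesses a reviewer would flag in a custom policy. The lint rules are this example's own, not checks performed by @davaux/helmet; the function and constant names are assumptions.

```javascript
// Added example, not part of @davaux/helmet: render a directives object of
// the shape passed to helmet({ contentSecurityPolicy: { directives } }) into
// a Content-Security-Policy value, validate each source, and lint the policy.

const KEYWORD = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'"]);
const NONCE_OR_HASH = /^'(?:nonce-[A-Za-z0-9+/=_-]+|sha(?:256|384|512)-[A-Za-z0-9+/=]+)'$/;
const SCHEME = /^[a-z][a-z0-9+.-]*:$/;                          // data:, blob:, https:
const HOST = /^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:\*\.)?[A-Za-z0-9][A-Za-z0-9.-]*(?::(?:\d+|\*))?(?:\/[^\s;,]*)?$/;

function isValidSource(src) {
  return src === '*' || KEYWORD.has(src) || NONCE_OR_HASH.test(src)
    || SCHEME.test(src) || HOST.test(src);
}

function buildCsp(directives) {
  const parts = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (!/^[a-z][a-z-]*$/.test(name)) throw new Error(`bad directive name: ${name}`);
    if (!Array.isArray(sources)) throw new Error(`${name}: sources must be an array`);
    for (const src of sources) {
      if (!isValidSource(src)) throw new Error(`${name}: invalid source ${JSON.stringify(src)}`);
    }
    parts.push(sources.length ? `${name} ${sources.join(' ')}` : name);
  }
  return parts.join('; ');
}

function lintCsp(directives) {
  const findings = [];
  // script-src falls back to default-src; base-uri and frame-ancestors have no fallback.
  const scripts = directives['script-src'] || directives['default-src'] || [];
  // With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline', so only flag it alone.
  if (scripts.includes("'unsafe-inline'") && !scripts.some((s) => NONCE_OR_HASH.test(s)))
    findings.push("script-src allows 'unsafe-inline': any injected <script> runs");
  if (scripts.includes("'unsafe-eval'"))
    findings.push("script-src allows 'unsafe-eval'");
  if (scripts.some((s) => s === '*' || SCHEME.test(s)))
    findings.push('script-src allows scripts from every host of a scheme');
  if (!directives['base-uri'])
    findings.push('no base-uri: an injected <base> can retarget relative script URLs');
  if (!directives['frame-ancestors'])
    findings.push('no frame-ancestors: framing is controlled only by X-Frame-Options');
  return findings;
}

// The defaults listed in this README, as a directives object.
const DEFAULT_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:'],
  'font-src': ["'self'"],
  'connect-src': ["'self'"],
};

console.log(buildCsp(DEFAULT_DIRECTIVES));
console.log(lintCsp(DEFAULT_DIRECTIVES));
```

Run against the defaults, the renderer reproduces the header value shown under Headers set by default, and the lint reports the two directives that never fall back to default-src (base-uri and frame-ancestors) as unset; adding them to a custom policy is cheap and closes the gap that X-Frame-Options alone leaves for browsers that prefer frame-ancestors.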

Disabling individual headers

Set any header option to false to skip it:

helmet({
  hsts: false,          // disable during local development (no HTTPS)
  frameOptions: false,  // disable if you embed your app in iframes
})

Development tip

HSTS and CSP can interfere with development workflows (HTTP localhost, inline scripts, hot-reload websockets blocked by connect-src). One option is to apply helmet only in production, at the cost of seeing CSP violations for the first time after deploy:

import { defineConfig } from 'davaux/config'
import { helmet } from '@davaux/helmet'

export default defineConfig({
  middleware: [
    ...(process.env.NODE_ENV === 'production'
      ? [helmet()]
      : []),
  ],
})

Or keep the middleware on everywhere and loosen only the directives that get in the way, so the remaining headers stay exercised in development:

const isProd = process.env.NODE_ENV === 'production'

export default defineConfig({
  middleware: [
    helmet({
      hsts: isProd ? undefined : false,                  // undefined keeps the default
      contentSecurityPolicy: isProd ? undefined : false, // false skips the header entirely
    }),
  ],
})