Helmet research Max - daoneandonly/backend-a2 GitHub Wiki

Helmet

What is helmet?

According to Helmet's own description, Helmet is a connect-style middleware that is compatible with frameworks like Express. Connect is an HTTP server framework that glues together various middlewares which handle requests. Helmet itself is made up of 11 smaller middlewares.

// This
app.use(helmet());

// Is the same as this
app.use(helmet.contentSecurityPolicy());
app.use(helmet.dnsPrefetchControl());
app.use(helmet.expectCt());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.hsts());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.permittedCrossDomainPolicies());
app.use(helmet.referrerPolicy());
app.use(helmet.xssFilter());

Helmet helps to make your application more secure and safer for your users. It achieves this by setting (or removing) various HTTP headers. HTTP headers can reveal a lot of information that attackers can use. For example, the header "X-Powered-By: Express" tells everyone that Express is used. Knowing that, an attacker can look specifically for vulnerabilities in Express.

Using helmet

To use helmet you must first install it via the terminal.

npm install helmet

After that, add the following to your server so that the middleware runs on every request.

const express = require("express");
const helmet = require("helmet");

const app = express();

app.use(helmet());

Why use helmet?

Helmet includes 11 security measures, each of which sets or removes an HTTP header, which together make your website more secure and safer for your users.

What do these headers do?

  • DNS prefetch control: Browsers go through all the links on your page before the user clicks on any of them and look up the IP address of each URL in advance. This prefetching comes at the cost of the user's privacy, so the header turns it off.
  • Frame control: Protects your users against clickjacking attacks, in which an attacker tricks the user into clicking on something different from what the user sees.
  • HTTP Strict-Transport-Security (HSTS): Only lets the browser connect to the website using HTTPS, never plain HTTP.
  • ieNoOpen: Only applies to older versions of Internet Explorer. It makes potentially unsafe downloads be saved rather than opened directly, so that HTML in them cannot execute within the context of the site.
  • NoSniff: Sets a header so the browser trusts the content types you declare and does not try to guess (sniff) them itself.
  • xssFilter: Disables the buggy XSS filter that browsers use.
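To make the list above concrete, here is an added example (not Helmet's own code) of a hand-rolled connect-style middleware that sets the same headers the sub-middlewares in the list set and removes X-Powered-By, plus a helper that checks a response for missing headers. The header values are assumed to match Helmet's documented defaults; the fake response object is a constructed stand-in for Express's so the code runs offline.

```javascript
// Header per Helmet sub-middleware from the list above; values assumed to be
// Helmet's defaults (X-XSS-Protection: 0 disables the buggy browser filter).
const SECURITY_HEADERS = {
  "X-DNS-Prefetch-Control": "off",                                   // dnsPrefetchControl
  "X-Frame-Options": "SAMEORIGIN",                                   // frameguard
  "Strict-Transport-Security": "max-age=15552000; includeSubDomains", // hsts
  "X-Download-Options": "noopen",                                    // ieNoOpen
  "X-Content-Type-Options": "nosniff",                               // noSniff
  "X-XSS-Protection": "0",                                           // xssFilter
};

// Connect-style signature (req, res, next): Express calls this for every
// request when registered with app.use(securityHeaders).
function securityHeaders(req, res, next) {
  res.removeHeader("X-Powered-By"); // hidePoweredBy: stop advertising Express
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// Constructed stand-in for an Express response. Express sets X-Powered-By
// itself, so the fake starts out with that header present.
function fakeResponse() {
  const headers = { "X-Powered-By": "Express" };
  return {
    headers,
    setHeader: (name, value) => { headers[name] = value; },
    removeHeader: (name) => { delete headers[name]; },
  };
}

// Run the middleware once against the fake response and return the headers
// it produced, plus whether the chain was continued via next().
function headersAfterMiddleware() {
  const res = fakeResponse();
  let nextCalled = false;
  securityHeaders({}, res, () => { nextCalled = true; });
  return { headers: res.headers, nextCalled };
}

// Audit helper: which of the expected security headers does a response lack?
// Useful for checking an existing server's responses, e.g. from a test client.
function missingHeaders(headers) {
  return Object.keys(SECURITY_HEADERS).filter((name) => !(name in headers));
}
```

In a real server you would register it with app.use(securityHeaders) just like app.use(helmet()), and use missingHeaders on a captured response to verify the deployment.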

Sources