Helmet can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately. Generally, Helmet is just a collection of 14 smaller middleware functions that set security-related HTTP headers (read more).

info Hint Note that applying helmet as global or registering it must come before other calls to app.use() or setup functions that may call app.use()). This is due to the way the underlying platform (i.e., Express or Fastify) works, where the order that middleware/routes are defined matters. If you use middleware like helmet or cors after you define a route, then that middleware will not apply to that route, it will only apply to middleware defined after the route.

Use with Express (default)#

Start by installing the required package.

$ npm i --save helmet

Once the installation is complete, apply it as a global middleware.

import * as helmet from 'helmet';
// somewhere in your initialization file

Use with Fastify#

If you are using the FastifyAdapter, install the fastify-helmet package:

$ npm i --save fastify-helmet

fastify-helmet should not be used as a middleware, but as a Fastify plugin, i.e., by using app.register():

import * as helmet from 'fastify-helmet';
// somewhere in your initialization file