Helmet
Helmet can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately. Generally, Helmet is just a collection of 14 smaller middleware functions that set security-related HTTP headers (read more).
info Hint Note that applying
helmetas global or registering it must come before other calls toapp.use()or setup functions that may callapp.use()). This is due to the way the underlying platform (i.e., Express or Fastify) works, where the order that middleware/routes are defined matters. If you use middleware likehelmetorcorsafter you define a route, then that middleware will not apply to that route, it will only apply to middleware defined after the route.
Use with Express (default)#
Start by installing the required package.
Once the installation is complete, apply it as a global middleware.
info Hint If you are getting the
This expression is not callableerror while trying to importHelmet, you very likely have theallowSyntheticDefaultImportsandesModuleInteropoptions set totruein your project'stsconfig.jsonfile. If that's the case, change the import statement to:import helmet from 'helmet'instead.
Use with Fastify#
If you are using the FastifyAdapter, install the fastify-helmet package:
fastify-helmet should not be used as a middleware, but as a Fastify plugin, i.e., by using app.register():
warning Warning When using
apollo-server-fastifyandfastify-helmet, there may be a problem with CSP on the GraphQL playground, to solve this collision, configure the CSP as shown below: