Express simplifies the process of developing applications by providing a framework with built-in features for handling requests and responses. However, it still carries risks, such as information leaks through HTTP headers or exposure to compromised third-party resources from questionable sources.
One of the ways to enhance security in an Express application is by using Helmet.js. Helmet.js is a security middleware that protects Express apps against attacks like clickjacking, cross-site scripting, and other web vulnerabilities.
Let’s explore what Helmet.js is about and how it is used to secure Express Applications.
TL;DR:
Helmet.js is an Express.js middleware that secures web applications by setting HTTP headers automatically to prevent attacks like MIME sniffing, clickjacking, and more. Helmet.js only strengthens HTTP header security; it doesn't handle other security measures like input validation or authentication. It is easy to integrate and can be customized to secure certain routes, but it is limited to Node.js/Express applications.
Helmet.js
Helmet.js is a security middleware used to secure HTTP headers in Express applications. Securing these HTTP headers is necessary because attackers can use them to get information about the server or exploit vulnerabilities of an application.
Helmet.js prevents or reduces attacks on web applications caused by missing or misconfigured HTTP headers. Examples of these attacks include:
Cross-Site Scripting (XSS): This is a security vulnerability that allows attackers to inject malicious scripts into websites.
MIME Sniffing: This occurs when the browser tries to guess the content type of a file instead of relying on the declared MIME type. If the browser misinterprets the file, it can run malicious code.
Man-in-the-Middle Attacks: This attack happens when an attacker intercepts communication between two parties.
Clickjacking: This attack tricks users into interacting with disguised or hidden page elements that they believe are legitimate.
Helmet.js applies security-related HTTP headers automatically, and overrides some default headers. However, there are some headers that still require configuration depending on what your application needs.
Some of the Helmet.js headers include:
Strict-Transport-Security: This is an HTTP response header that informs the browser to use HTTPS when connecting to the host. By enforcing HTTPS connections, Strict-Transport-Security protects the application against man-in-the-middle attacks.
Referrer Policy: The Referrer-Policy header controls the information sent when a user makes a request or visits multiple pages. It protects users' privacy by limiting how much referrer information is sent with requests.
Expect-CT: This header ensures compliance with Certificate Transparency (CT), an open framework that detects and prevents misused SSL/TLS certificates.
Content-Security-Policy: This is an HTTP header that tells the browser to only load resources, such as scripts or images, from trusted sources. This helps protect the application against XSS (cross-site scripting) attacks, where malicious client-side scripts are injected to steal sensitive information, such as session cookies.
X-Frame-Options: This response header tells the browser whether or not it should display a web page inside a frame, or iframe. It is used to protect web applications against clickjacking attacks.
X-Content-Type-Options: This header helps prevent MIME sniffing. A MIME (media) type indicates the nature and format of a document. The header forces the browser to trust the media type sent by the server instead of guessing it.
X-Permitted-Cross-Domain-Policies: This security header informs web clients, such as Adobe Acrobat, whether they have permission to access a site's resources from another domain.
It is not commonly used due to the deprecation of Adobe Flash Player and Microsoft Silverlight; however, some security tools still recommend X-Permitted-Cross-Domain-Policies: none, as it mitigates the risk of an overly permissive policy file being added to a site by malicious actors or by accident.
Does Helmet Solve all Express Security Vulnerabilities?
Helmet.js does not address all security vulnerabilities in Express applications; it serves as an extra layer and a first step in hardening the security of a Node.js application, especially when using the Express framework.
Helmet.js does not sanitize user input, handle authentication or authorization, or encrypt data. It is used to strengthen applications' HTTP headers to prevent or mitigate client-side attacks like cross-site scripting or clickjacking. It should be used alongside other security measures, including input validation, authentication, and so on.
Benefits of Helmet.js
Easy to Integrate: Helmet is very simple to use; all that's required is adding app.use(helmet()) to your Express app, and it automatically sets security headers.
Customization: Helmet.js can be customised, which gives you the option to enable or disable specific security headers or configure them individually.
Prevent Attacks: Helmet.js helps protect Express apps by setting security headers such as Content-Security-Policy, which helps prevent cross-site scripting (XSS) attacks, and X-Frame-Options, which prevents clickjacking, among others.
Active Community: Helmet is a part of the Node.js ecosystem and is actively maintained by a community of developers. There is plenty of support to help developers who may encounter issues.
Limitations of Helmet.js
Limited Scope: Helmet secures HTTP headers only, so it cannot secure areas such as database security, input validation, and other server-side logic. It is also not a complete security solution because it cannot protect against vulnerabilities like SQL injection or denial-of-service attacks.
Limited to Node.js: Helmet is designed for Node.js and Express.js applications. If you are running a polyglot microservice architecture, you have to find separate solutions to handle HTTP header security for services written in other languages.
Application Overhead: When Helmet processes an HTTP request, it sets security headers, which may add minimal overhead. However, in applications handling a very high number of requests, this could cause minor performance issues.
How to Secure an Express Application using Helmet.js
In this example, Helmet.js will be added to an Express app in simple steps.
In the image above, the Express app connects to a MongoDB database. To add Helmet.js, it must first be installed using npm.
After installation is complete, Helmet.js is added to the Express app as shown in the image below:
Helmet security is activated by adding it as middleware inside the Express app.
The helmet() call is passed to app.use because middleware executes on every request and response cycle. Registering it first ensures that Helmet.js runs before any other handler for every request that comes into the app.
To confirm that the Express app is using Helmet.js, open DevTools and go to the Network tab and click the request made to the app (for example, the one to localhost). In the Headers panel, you'll see that Helmet has automatically set security headers, as shown in the image above.
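The DevTools check above can be scripted, using the header list earlier in the article as the values to compare against. The following is an added example in Node.js, not code from the article or from Helmet itself; it assumes Helmet's documented default header values (the version you install may differ) and runs over constructed header samples rather than a live response.

```javascript
// Added example, not from the article or from Helmet: a scripted version of the
// DevTools header check in the walkthrough. Expected values are an ASSUMPTION
// taken from Helmet's documented defaults; confirm them for your Helmet version.
const EXPECTED = { // header name (lowercase) -> predicate accepting a hardened value
  'content-security-policy': (v) => /(^|;)\s*default-src\s[^;]*'self'/.test(v),
  // HSTS max-age must be at least Helmet's default of 180 days (15552000 s)
  'strict-transport-security': (v) => Number((/max-age=(\d+)/.exec(v) || [0, 0])[1]) >= 15552000,
  'x-content-type-options': (v) => v === 'nosniff',
  'x-frame-options': (v) => ['DENY', 'SAMEORIGIN'].includes(v.toUpperCase()),
  'referrer-policy': (v) => v !== '' && !/unsafe-url/.test(v),
  'x-permitted-cross-domain-policies': (v) => v === 'none',
  'x-xss-protection': (v) => v === '0', // Helmet disables the legacy XSS auditor
};
// Headers that disclose implementation details; Helmet removes X-Powered-By.
const LEAKY = ['x-powered-by', 'server'];
// Parse a raw "Name: value" header block (as copied from DevTools or `curl -I`)
// into a lowercase-keyed object; lines without a colon (status line) are skipped.
function parseRawHeaders(text) {
  const headers = {};
  for (const line of text.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Return findings as strings; an empty array means every checked header is in order.
function auditHeaders(headers) {
  const findings = [];
  for (const [name, accepts] of Object.entries(EXPECTED)) {
    if (!(name in headers)) findings.push(`missing: ${name}`);
    else if (!accepts(headers[name])) findings.push(`weak: ${name}=${headers[name]}`);
  }
  for (const name of LEAKY) if (name in headers) findings.push(`leak: ${name}=${headers[name]}`);
  return findings;
}
// Constructed sample: a bare Express response before Helmet is added ...
const BEFORE_HELMET = 'HTTP/1.1 200 OK\nX-Powered-By: Express\nContent-Type: text/html; charset=utf-8';
// ... and the same response after app.use(helmet()) (Helmet's defaults, assumed; CSP abridged).
const AFTER_HELMET = [
  "Content-Security-Policy: default-src 'self';base-uri 'self';frame-ancestors 'self';object-src 'none';script-src 'self'",
  'Referrer-Policy: no-referrer',
  'Strict-Transport-Security: max-age=15552000; includeSubDomains',
  'X-Content-Type-Options: nosniff',
  'X-Frame-Options: SAMEORIGIN',
  'X-Permitted-Cross-Domain-Policies: none',
  'X-XSS-Protection: 0',
].join('\n');
console.log('before helmet:', auditHeaders(parseRawHeaders(BEFORE_HELMET)));
console.log('after helmet:', auditHeaders(parseRawHeaders(AFTER_HELMET)));
```

Paste the header block from your own DevTools Network panel into parseRawHeaders to audit a running app; any "missing" or "weak" line points at a header Helmet should have set or that a custom configuration has loosened.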
Summary
Helmet.js is an Express.js middleware that helps secure applications by automatically setting HTTP headers to protect against vulnerabilities like clickjacking, cross-site scripting (XSS), and MIME sniffing. These headers can also be customized to secure specific routes.
However, Helmet.js only secures the HTTP header, which means additional security measures are required to protect other parts of an application from vulnerabilities that are not HTTP related.
Jessica Agorye is a developer based in Lagos, Nigeria. A witty creative with a love for life, she is dedicated to sharing insights and inspiring others through her writing. With over 5 years of writing experience, she believes that content is king.