Helmet

Express.js middleware collection that sets security-related HTTP headers. A collection of 15 smaller middlewares bundled together: Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin headers, and more. A one-line addition (app.use(helmet())) provides baseline HTTP security hardening against common web vulnerabilities. Works with Express, Fastify, and other Node.js frameworks.

Evaluated Mar 06, 2026, v7.x
Links: Homepage, Repo
Category: Developer Tools
Tags: security, express, headers, csp, hsts, xss, middleware, node, http-security
Agent Friendliness: 70 / 100 (Can an agent use this?)
Security: 99 / 100 (Is it safe for agents?)
Reliability: 90 / 100 (Does it work consistently?)

Score Breakdown

Agent Friendliness

MCP Quality: --
Documentation: 90
Error Messages: 85
Auth Simplicity: 100
Rate Limits: 100

Security

TLS Enforcement: 100
Auth Strength: 100
Scope Granularity: 100
Dep. Hygiene: 92
Secret Handling: 100

Purpose-built security middleware. Sensible defaults provide immediate security value. Well-maintained with regular updates for new security headers. No credentials or secrets involved.

Reliability

Uptime/SLA: 95
Version Stability: 90
Breaking Changes: 82
Error Recovery: 92

Best When

You're building an Express.js or Node.js HTTP API and want a quick security baseline with sensible defaults for HTTP security headers.

Avoid When

You need fine-grained CSP configuration for complex SPAs — Helmet's CSP defaults may be too strict; use a dedicated CSP tool or configure carefully.

Use Cases

  • Add baseline HTTP security headers to Express.js APIs with a single app.use(helmet()) line
  • Configure Content Security Policy (CSP) for web applications to prevent XSS attacks with Helmet's CSP middleware
  • Enforce HTTPS with HSTS headers to prevent downgrade attacks and cookie hijacking
  • Hide server fingerprinting (X-Powered-By: Express) and prevent MIME-type sniffing attacks
  • Prevent clickjacking attacks with X-Frame-Options or CSP frame-ancestors directives

Not For

  • GraphQL-specific security — Helmet handles HTTP headers; use depth limiting and query complexity analysis for GraphQL security
  • Input validation — Helmet hardens HTTP headers only; use express-validator or Zod for request body validation
  • Rate limiting — use express-rate-limit separately; Helmet doesn't address request rate abuse

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: none
OAuth: No
Scopes: No

No authentication — security header middleware.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Fully free, MIT licensed.

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • Helmet's default CSP is strict and may break embedded iframes, inline scripts, and third-party resources — start with contentSecurityPolicy: false and add CSP incrementally
  • Helmet must be applied before route handlers to ensure all responses get security headers — app.use(helmet()) before app.use(router)
  • HSTS max-age should be set with care — once browsers receive a high max-age HSTS header, they won't connect via HTTP for that duration; start with low values in development
  • X-Frame-Options is deprecated in favor of CSP frame-ancestors — Helmet still sets both by default; if you configure CSP frame-ancestors, disable frameguard to avoid conflicts
  • Helmet 7.x removed the individual package exports — `import { frameguard } from 'helmet'` no longer works; use the main export and configure each middleware through its options
  • crossOriginResourcePolicy: { policy: 'same-origin' } default breaks CDN-served resources and third-party image loading — adjust to 'cross-origin' or 'same-site' as needed

Scores are editorial opinions as of 2026-03-06.
