Helmet.js
Express.js middleware that sets security-related HTTP headers automatically. Configures Content-Security-Policy, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy, and 11 other security headers with safe defaults. A one-line app.use(helmet()) adds a significant security baseline to any Express/Node.js HTTP API or web app.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Purpose-built for HTTP security. Adds OWASP-recommended security headers. CSP prevents XSS, HSTS enforces HTTPS, X-Frame-Options prevents clickjacking. Essential for any production Express agent service.
⚡ Reliability
Best When
You're building any Express.js HTTP server or agent API and want to immediately add a baseline of security headers with minimal configuration.
Avoid When
You're not using Express — use @fastify/helmet for Fastify, NestJS's helmet() for NestJS, or set headers manually for other frameworks.
Use Cases
- Add HTTP security headers to Express-based agent HTTP APIs with a single middleware line
- Prevent clickjacking, XSS, and MIME-type sniffing attacks on agent web UIs with Helmet defaults
- Configure Content Security Policy for agent web applications to control which resources can load
- Enable HSTS for agent HTTPS APIs to enforce secure connections for all future requests
- Pass security audits (OWASP ZAP, Qualys SSL) for agent web services by adding missing security headers
Not For
- Frameworks other than Express — Helmet is Express middleware; Fastify has its own @fastify/helmet plugin
- Frontend-only SPAs — Helmet runs server-side; use meta tags or server-side rendering for CSP in pure SPAs
- APIs serving machine-to-machine clients only — some Helmet headers are browser-specific; choose relevant headers for pure API services
Interface
Authentication
HTTP header middleware — no authentication required.
Pricing
MIT license. Community-maintained, widely used.
Agent Metadata
Known Gotchas
- ⚠ Helmet 7.x defaults are stricter than earlier versions — CSP default-src 'self' blocks inline scripts and external resources; test thoroughly after upgrading or enabling Helmet for the first time
- ⚠ CSP configuration for agents with React/Vue/Angular requires adding nonces or hashes for inline scripts — eval() and inline event handlers are blocked by default-src 'self'
- ⚠ Once sent, HSTS cannot easily be reversed in the browser — only enable HSTS with includeSubDomains and preload when you're committed to HTTPS for all subdomains
- ⚠ Helmet's Content-Security-Policy blocks CDN resources — add trusted CDN hostnames to scriptSrc, styleSrc, and imgSrc directives or agents serving external resources will break
- ⚠ Helmet v7 changed the API from an object with nested directives to contentSecurityPolicy.directives — update configuration code when migrating from v6
- ⚠ Some Helmet headers can conflict with CORS headers (Access-Control-Allow-Origin and X-Frame-Options) — configure CORS separately with the cors npm package and check that the Helmet and CORS middleware don't conflict
Alternatives
Full Evaluation Report
Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for Helmet.js.
AI-powered analysis · PDF + markdown · Delivered within 30 minutes
Package Brief
Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.
Delivered within 10 minutes
Score Monitoring
Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.
Continuous monitoring
Scores are editorial opinions as of 2026-03-06.