{"id":13396555,"url":"https://github.com/helmetjs/helmet","last_synced_at":"2025-05-12T16:19:26.186Z","repository":{"id":2365850,"uuid":"3329923","full_name":"helmetjs/helmet","owner":"helmetjs","description":"Help secure Express apps with various HTTP headers","archived":false,"fork":false,"pushed_at":"2025-05-01T12:37:18.000Z","size":2072,"stargazers_count":10385,"open_issues_count":2,"forks_count":378,"subscribers_count":100,"default_branch":"main","last_synced_at":"2025-05-05T14:15:32.758Z","etag":null,"topics":["helmet","http-headers","javascript","middleware","security"],"latest_commit_sha":null,"homepage":"https://helmetjs.github.io/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/helmetjs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2012-02-01T22:54:45.000Z","updated_at":"2025-05-05T14:10:14.000Z","dependencies_parsed_at":"2023-02-13T20:16:21.449Z","dependency_job_id":"e3cc1d20-c913-4f17-942d-5caaedda29cf","html_url":"https://github.com/helmetjs/helmet","commit_stats":{"total_commits":906,"total_committers":52,"mean_commits":"17.423076923076923","dds":"0.14348785871964675","last_synced_commit":"975846274aed85cda854894ae313deb632f599f8"},"previous_names":[],"tags_count":105,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/helmetjs%2Fhelmet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/helmetjs%2Fhelmet/tags","releases_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/helmetjs%2Fhelmet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/helmetjs%2Fhelmet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/helmetjs","download_url":"https://codeload.github.com/helmetjs/helmet/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253576267,"owners_count":21930169,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["helmet","http-headers","javascript","middleware","security"],"created_at":"2024-07-30T18:00:56.766Z","updated_at":"2025-05-12T16:19:26.142Z","avatar_url":"https://github.com/helmetjs.png","language":"TypeScript","funding_links":[],"categories":["express","TypeScript","目录","后端开发框架及项目","Libraries","Security","中间件","Framework agnostic packages"],"sub_categories":["安全相关","管理面板","React Components","Node"],"readme":"# Helmet\n\nHelp secure Express apps by setting HTTP response headers.\n\n```javascript\nimport helmet from \"helmet\";\n\nconst app = express();\n\napp.use(helmet());\n```\n\nHelmet sets the following headers by default:\n\n- [`Content-Security-Policy`](#content-security-policy): A powerful allow-list of what can happen on your page which mitigates many attacks\n- [`Cross-Origin-Opener-Policy`](#cross-origin-opener-policy): Helps process-isolate your page\n- [`Cross-Origin-Resource-Policy`](#cross-origin-resource-policy): Blocks others from loading your resources cross-origin\n- [`Origin-Agent-Cluster`](#origin-agent-cluster): Changes process isolation to be 
origin-based\n- [`Referrer-Policy`](#referrer-policy): Controls the [`Referer`][Referer] header\n- [`Strict-Transport-Security`](#strict-transport-security): Tells browsers to prefer HTTPS\n- [`X-Content-Type-Options`](#x-content-type-options): Avoids [MIME sniffing]\n- [`X-DNS-Prefetch-Control`](#x-dns-prefetch-control): Controls DNS prefetching\n- [`X-Download-Options`](#x-download-options): Forces downloads to be saved (Internet Explorer only)\n- [`X-Frame-Options`](#x-frame-options): Legacy header that mitigates [clickjacking] attacks\n- [`X-Permitted-Cross-Domain-Policies`](#x-permitted-cross-domain-policies): Controls cross-domain behavior for Adobe products, like Acrobat\n- [`X-Powered-By`](#x-powered-by): Info about the web server. Removed because it could be used in simple attacks\n- [`X-XSS-Protection`](#x-xss-protection): Legacy header that tries to mitigate [XSS attacks][XSS], but makes things worse, so Helmet disables it\n\nEach header can be configured. For example, here's how you configure the `Content-Security-Policy` header:\n\n```js\n// Configure the Content-Security-Policy header.\napp.use(\n  helmet({\n    contentSecurityPolicy: {\n      directives: {\n        \"script-src\": [\"'self'\", \"example.com\"],\n      },\n    },\n  }),\n);\n```\n\nHeaders can also be disabled. 
For example, here's how you disable the `Content-Security-Policy` and `X-Download-Options` headers:\n\n```js\n// Disable the Content-Security-Policy and X-Download-Options headers\napp.use(\n  helmet({\n    contentSecurityPolicy: false,\n    xDownloadOptions: false,\n  }),\n);\n```\n\n## Reference\n\n\u003cdetails id=\"content-security-policy\"\u003e\n\u003csummary\u003e\u003ccode\u003eContent-Security-Policy\u003c/code\u003e\u003c/summary\u003e\n\nDefault:\n\n```http\nContent-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests\n```\n\nThe `Content-Security-Policy` header mitigates a large number of attacks, such as [cross-site scripting][XSS]. See [MDN's introductory article on Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).\n\nThis header is powerful but likely requires some configuration for your specific app.\n\nTo configure this header, pass an object with a nested `directives` object. Each key is a directive name in camel case (such as `defaultSrc`) or kebab case (such as `default-src`). Each value is an array (or other iterable) of strings or functions for that directive. 
If a function appears in the array, it will be called with the request and response objects.\n\n```javascript\n// Sets all of the defaults, but overrides `script-src`\n// and disables the default `style-src`.\napp.use(\n  helmet({\n    contentSecurityPolicy: {\n      directives: {\n        \"script-src\": [\"'self'\", \"example.com\"],\n        \"style-src\": null,\n      },\n    },\n  }),\n);\n```\n\n```js\n// Sets the `script-src` directive to\n// \"'self' 'nonce-e33cc...'\"\n// (or similar)\napp.use((req, res, next) =\u003e {\n  res.locals.cspNonce = crypto.randomBytes(32).toString(\"hex\");\n  next();\n});\napp.use(\n  helmet({\n    contentSecurityPolicy: {\n      directives: {\n        scriptSrc: [\"'self'\", (req, res) =\u003e `'nonce-${res.locals.cspNonce}'`],\n      },\n    },\n  }),\n);\n```\n\nThese directives are merged into a default policy, which you can disable by setting `useDefaults` to `false`.\n\n```javascript\n// Sets \"Content-Security-Policy: default-src 'self';\n// script-src 'self' example.com;object-src 'none';\n// upgrade-insecure-requests\"\napp.use(\n  helmet({\n    contentSecurityPolicy: {\n      useDefaults: false,\n      directives: {\n        defaultSrc: [\"'self'\"],\n        scriptSrc: [\"'self'\", \"example.com\"],\n        objectSrc: [\"'none'\"],\n        upgradeInsecureRequests: [],\n      },\n    },\n  }),\n);\n```\n\nYou can get the default directives object with `helmet.contentSecurityPolicy.getDefaultDirectives()`. 
Here is the default policy (formatted for readability):\n\n```\ndefault-src 'self';\nbase-uri 'self';\nfont-src 'self' https: data:;\nform-action 'self';\nframe-ancestors 'self';\nimg-src 'self' data:;\nobject-src 'none';\nscript-src 'self';\nscript-src-attr 'none';\nstyle-src 'self' https: 'unsafe-inline';\nupgrade-insecure-requests\n```\n\nThe `default-src` directive can be explicitly disabled by setting its value to `helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc`, but this is not recommended.\n\nYou can set the [`Content-Security-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) instead:\n\n```javascript\n// Sets the Content-Security-Policy-Report-Only header\napp.use(\n  helmet({\n    contentSecurityPolicy: {\n      directives: {\n        /* ... */\n      },\n      reportOnly: true,\n    },\n  }),\n);\n```\n\nHelmet performs very little validation on your CSP. You should rely on CSP checkers like [CSP Evaluator](https://csp-evaluator.withgoogle.com/) instead.\n\nTo disable the `Content-Security-Policy` header:\n\n```js\napp.use(\n  helmet({\n    contentSecurityPolicy: false,\n  }),\n);\n```\n\nYou can use this as standalone middleware with `app.use(helmet.contentSecurityPolicy())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"cross-origin-embedder-policy\"\u003e\n\u003csummary\u003e\u003ccode\u003eCross-Origin-Embedder-Policy\u003c/code\u003e\u003c/summary\u003e\n\nThis header is not set by default.\n\nThe `Cross-Origin-Embedder-Policy` header helps control what resources can be loaded cross-origin. 
See [MDN's article on this header](https://developer.cdn.mozilla.net/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) for more.\n\n```js\n// Helmet does not set Cross-Origin-Embedder-Policy\n// by default.\napp.use(helmet());\n\n// Sets \"Cross-Origin-Embedder-Policy: require-corp\"\napp.use(helmet({ crossOriginEmbedderPolicy: true }));\n\n// Sets \"Cross-Origin-Embedder-Policy: credentialless\"\napp.use(helmet({ crossOriginEmbedderPolicy: { policy: \"credentialless\" } }));\n```\n\nYou can use this as standalone middleware with `app.use(helmet.crossOriginEmbedderPolicy())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"cross-origin-opener-policy\"\u003e\n\u003csummary\u003e\u003ccode\u003eCross-Origin-Opener-Policy\u003c/code\u003e\u003c/summary\u003e\n\nDefault:\n\n```http\nCross-Origin-Opener-Policy: same-origin\n```\n\nThe `Cross-Origin-Opener-Policy` header helps process-isolate your page. For more, see [MDN's article on this header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy).\n\n```js\n// Sets \"Cross-Origin-Opener-Policy: same-origin\"\napp.use(helmet());\n\n// Sets \"Cross-Origin-Opener-Policy: same-origin-allow-popups\"\napp.use(\n  helmet({\n    crossOriginOpenerPolicy: { policy: \"same-origin-allow-popups\" },\n  }),\n);\n```\n\nTo disable the `Cross-Origin-Opener-Policy` header:\n\n```js\napp.use(\n  helmet({\n    crossOriginOpenerPolicy: false,\n  }),\n);\n```\n\nYou can use this as standalone middleware with `app.use(helmet.crossOriginOpenerPolicy())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"cross-origin-resource-policy\"\u003e\n\u003csummary\u003e\u003ccode\u003eCross-Origin-Resource-Policy\u003c/code\u003e\u003c/summary\u003e\n\nDefault:\n\n```http\nCross-Origin-Resource-Policy: same-origin\n```\n\nThe `Cross-Origin-Resource-Policy` header blocks others from loading your resources cross-origin in some cases. 
For more, see [\"Consider deploying Cross-Origin Resource Policy\"](https://resourcepolicy.fyi/) and [MDN's article on this header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy).\n\n```js\n// Sets \"Cross-Origin-Resource-Policy: same-origin\"\napp.use(helmet());\n\n// Sets \"Cross-Origin-Resource-Policy: same-site\"\napp.use(helmet({ crossOriginResourcePolicy: { policy: \"same-site\" } }));\n```\n\nTo disable the `Cross-Origin-Resource-Policy` header:\n\n```js\napp.use(\n  helmet({\n    crossOriginResourcePolicy: false,\n  }),\n);\n```\n\nYou can use this as standalone middleware with `app.use(helmet.crossOriginResourcePolicy())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"origin-agent-cluster\"\u003e\n\u003csummary\u003e\u003ccode\u003eOrigin-Agent-Cluster\u003c/code\u003e\u003c/summary\u003e\n\nDefault:\n\n```http\nOrigin-Agent-Cluster: ?1\n```\n\nThe `Origin-Agent-Cluster` header provides a mechanism to allow web applications to isolate their origins from other processes. Read more about it [in the spec](https://whatpr.org/html/6214/origin.html#origin-keyed-agent-clusters).\n\nThis header takes no options and is set by default.\n\n```js\n// Sets \"Origin-Agent-Cluster: ?1\"\napp.use(helmet());\n```\n\nTo disable the `Origin-Agent-Cluster` header:\n\n```js\napp.use(\n  helmet({\n    originAgentCluster: false,\n  }),\n);\n```\n\nYou can use this as standalone middleware with `app.use(helmet.originAgentCluster())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"referrer-policy\"\u003e\n\u003csummary\u003e\u003ccode\u003eReferrer-Policy\u003c/code\u003e\u003c/summary\u003e\n\nDefault:\n\n```http\nReferrer-Policy: no-referrer\n```\n\nThe `Referrer-Policy` header controls what information is set in [the `Referer` request header][Referer]. 
See [\"Referer header: privacy and security concerns\"](https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns) and [the header's documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) on MDN for more.\n\n```js\n// Sets \"Referrer-Policy: no-referrer\"\napp.use(helmet());\n```\n\n`policy` is a string or array of strings representing the policy. If passed as an array, it will be joined with commas, which is useful when setting [a fallback policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#Specifying_a_fallback_policy). It defaults to `no-referrer`.\n\n```js\n// Sets \"Referrer-Policy: no-referrer\"\napp.use(\n  helmet({\n    referrerPolicy: {\n      policy: \"no-referrer\",\n    },\n  }),\n);\n\n// Sets \"Referrer-Policy: origin,unsafe-url\"\napp.use(\n  helmet({\n    referrerPolicy: {\n      policy: [\"origin\", \"unsafe-url\"],\n    },\n  }),\n);\n```\n\nTo disable the `Referrer-Policy` header:\n\n```js\napp.use(\n  helmet({\n    referrerPolicy: false,\n  }),\n);\n```\n\nYou can use this as standalone middleware with `app.use(helmet.referrerPolicy())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"strict-transport-security\"\u003e\n\u003csummary\u003e\u003ccode\u003eStrict-Transport-Security\u003c/code\u003e\u003c/summary\u003e\n\nDefault:\n\n```http\nStrict-Transport-Security: max-age=31536000; includeSubDomains\n```\n\nThe `Strict-Transport-Security` header tells browsers to prefer HTTPS instead of insecure HTTP. See [the documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) for more.\n\n```js\n// Sets \"Strict-Transport-Security: max-age=31536000; includeSubDomains\"\napp.use(helmet());\n```\n\n`maxAge` is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. 
It defaults to 365 days.\n\n`includeSubDomains` is a boolean which dictates whether to include the `includeSubDomains` directive, which makes this policy extend to subdomains. It defaults to `true`.\n\n`preload` is a boolean. If true, it adds the `preload` directive, expressing intent to add your HSTS policy to browsers. See [the \"Preloading Strict Transport Security\" section on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security) for more. It defaults to `false`.\n\n```js\n// Sets \"Strict-Transport-Security: max-age=123456; includeSubDomains\"\napp.use(\n  helmet({\n    strictTransportSecurity: {\n      maxAge: 123456,\n    },\n  }),\n);\n\n// Sets \"Strict-Transport-Security: max-age=123456\"\napp.use(\n  helmet({\n    strictTransportSecurity: {\n      maxAge: 123456,\n      includeSubDomains: false,\n    },\n  }),\n);\n\n// Sets \"Strict-Transport-Security: max-age=123456; includeSubDomains; preload\"\napp.use(\n  helmet({\n    strictTransportSecurity: {\n      maxAge: 63072000,\n      preload: true,\n    },\n  }),\n);\n```\n\nTo disable the `Strict-Transport-Security` header:\n\n```js\napp.use(\n  helmet({\n    strictTransportSecurity: false,\n  }),\n);\n```\n\nYou may wish to disable this header for local development, as it can make your browser force redirects from `http://localhost` to `https://localhost`, which may not be desirable if you develop multiple apps using `localhost`. 
See [this issue](https://github.com/helmetjs/helmet/issues/451) for more discussion.\n\nYou can use this as standalone middleware with `app.use(helmet.strictTransportSecurity())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"x-content-type-options\"\u003e\n\u003csummary\u003e\u003ccode\u003eX-Content-Type-Options\u003c/code\u003e\u003c/summary\u003e\n\nDefault:\n\n```http\nX-Content-Type-Options: nosniff\n```\n\nThe `X-Content-Type-Options` header mitigates [MIME type sniffing](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#MIME_sniffing), which can cause security issues. See [documentation for this header on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) for more.\n\nThis header takes no options and is set by default.\n\n```js\n// Sets \"X-Content-Type-Options: nosniff\"\napp.use(helmet());\n```\n\nTo disable the `X-Content-Type-Options` header:\n\n```js\napp.use(\n  helmet({\n    xContentTypeOptions: false,\n  }),\n);\n```\n\nYou can use this as standalone middleware with `app.use(helmet.xContentTypeOptions())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"x-dns-prefetch-control\"\u003e\n\u003csummary\u003e\u003ccode\u003eX-DNS-Prefetch-Control\u003c/code\u003e\u003c/summary\u003e\n\nDefault:\n\n```http\nX-DNS-Prefetch-Control: off\n```\n\nThe `X-DNS-Prefetch-Control` header helps control DNS prefetching, which can improve user privacy at the expense of performance. See [documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control) for more.\n\n```js\n// Sets \"X-DNS-Prefetch-Control: off\"\napp.use(helmet());\n```\n\n`allow` is a boolean dictating whether to enable DNS prefetching. 
It defaults to `false`.\n\nExamples:\n\n```js\n// Sets \"X-DNS-Prefetch-Control: off\"\napp.use(\n  helmet({\n    xDnsPrefetchControl: { allow: false },\n  }),\n);\n\n// Sets \"X-DNS-Prefetch-Control: on\"\napp.use(\n  helmet({\n    xDnsPrefetchControl: { allow: true },\n  }),\n);\n```\n\nTo disable the `X-DNS-Prefetch-Control` header and use the browser's default value:\n\n```js\napp.use(\n  helmet({\n    xDnsPrefetchControl: false,\n  }),\n);\n```\n\nYou can use this as standalone middleware with `app.use(helmet.xDnsPrefetchControl())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"x-download-options\"\u003e\n\u003csummary\u003e\u003ccode\u003eX-Download-Options\u003c/code\u003e\u003c/summary\u003e\n\nDefault:\n\n```http\nX-Download-Options: noopen\n```\n\nThe `X-Download-Options` header is specific to Internet Explorer 8. It forces potentially-unsafe downloads to be saved, mitigating execution of HTML in your site's context. For more, see [this old post on MSDN](https://docs.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-v-comprehensive-protection).\n\nThis header takes no options and is set by default.\n\n```js\n// Sets \"X-Download-Options: noopen\"\napp.use(helmet());\n```\n\nTo disable the `X-Download-Options` header:\n\n```js\napp.use(\n  helmet({\n    xDownloadOptions: false,\n  }),\n);\n```\n\nYou can use this as standalone middleware with `app.use(helmet.xDownloadOptions())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"x-frame-options\"\u003e\n\u003csummary\u003e\u003ccode\u003eX-Frame-Options\u003c/code\u003e\u003c/summary\u003e\n\nDefault:\n\n```http\nX-Frame-Options: SAMEORIGIN\n```\n\nThe legacy `X-Frame-Options` header helps you mitigate [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking). 
This header is superseded by [the `frame-ancestors` Content Security Policy directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) but is still useful on old browsers or if no CSP is used. For more, see [the documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n\n```js\n// Sets \"X-Frame-Options: SAMEORIGIN\"\napp.use(helmet());\n```\n\n`action` is a string that specifies which directive to use—either `DENY` or `SAMEORIGIN`. (A legacy directive, `ALLOW-FROM`, is not supported by Helmet. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)) It defaults to `SAMEORIGIN`.\n\nExamples:\n\n```js\n// Sets \"X-Frame-Options: DENY\"\napp.use(\n  helmet({\n    xFrameOptions: { action: \"deny\" },\n  }),\n);\n\n// Sets \"X-Frame-Options: SAMEORIGIN\"\napp.use(\n  helmet({\n    xFrameOptions: { action: \"sameorigin\" },\n  }),\n);\n```\n\nTo disable the `X-Frame-Options` header:\n\n```js\napp.use(\n  helmet({\n    xFrameOptions: false,\n  }),\n);\n```\n\nYou can use this as standalone middleware with `app.use(helmet.xFrameOptions())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"x-permitted-cross-domain-policies\"\u003e\n\u003csummary\u003e\u003ccode\u003eX-Permitted-Cross-Domain-Policies\u003c/code\u003e\u003c/summary\u003e\n\nDefault:\n\n```http\nX-Permitted-Cross-Domain-Policies: none\n```\n\nThe `X-Permitted-Cross-Domain-Policies` header tells some clients (mostly Adobe products) your domain's policy for loading cross-domain content. See [the description on OWASP](https://owasp.org/www-project-secure-headers/) for more.\n\n```js\n// Sets \"X-Permitted-Cross-Domain-Policies: none\"\napp.use(helmet());\n```\n\n`permittedPolicies` is a string that must be `\"none\"`, `\"master-only\"`, `\"by-content-type\"`, or `\"all\"`. 
It defaults to `\"none\"`.\n\nExamples:\n\n```js\n// Sets \"X-Permitted-Cross-Domain-Policies: none\"\napp.use(\n  helmet({\n    xPermittedCrossDomainPolicies: {\n      permittedPolicies: \"none\",\n    },\n  }),\n);\n\n// Sets \"X-Permitted-Cross-Domain-Policies: by-content-type\"\napp.use(\n  helmet({\n    xPermittedCrossDomainPolicies: {\n      permittedPolicies: \"by-content-type\",\n    },\n  }),\n);\n```\n\nTo disable the `X-Permitted-Cross-Domain-Policies` header:\n\n```js\napp.use(\n  helmet({\n    xPermittedCrossDomainPolicies: false,\n  }),\n);\n```\n\nYou can use this as standalone middleware with `app.use(helmet.xPermittedCrossDomainPolicies())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"x-powered-by\"\u003e\n\u003csummary\u003e\u003ccode\u003eX-Powered-By\u003c/code\u003e\u003c/summary\u003e\n\nDefault: the `X-Powered-By` header, if present, is removed.\n\nHelmet removes the `X-Powered-By` header, which is set by default in Express and some other frameworks. Removing the header offers very limited security benefits (see [this discussion](https://github.com/expressjs/express/pull/2813#issuecomment-159270428)) and is mostly removed to save bandwidth, but may thwart simplistic attackers.\n\nNote: [Express has a built-in way to disable the `X-Powered-By` header](https://stackoverflow.com/a/12484642/804100), which you may wish to use instead.\n\nThe removal of this header takes no options. 
The header is removed by default.\n\nTo disable this behavior:\n\n```js\n// Not required, but recommended for Express users:\napp.disable(\"x-powered-by\");\n\n// Ask Helmet to ignore the X-Powered-By header.\napp.use(\n  helmet({\n    xPoweredBy: false,\n  }),\n);\n```\n\nYou can use this as standalone middleware with `app.use(helmet.xPoweredBy())`.\n\n\u003c/details\u003e\n\n\u003cdetails id=\"x-xss-protection\"\u003e\n\u003csummary\u003e\u003ccode\u003eX-XSS-Protection\u003c/code\u003e\u003c/summary\u003e\n\nDefault:\n\n```http\nX-XSS-Protection: 0\n```\n\nHelmet disables browsers' buggy cross-site scripting filter by setting the legacy `X-XSS-Protection` header to `0`. See [discussion about disabling the header here](https://github.com/helmetjs/helmet/issues/230) and [documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).\n\nThis header takes no options and is set by default.\n\nTo disable the `X-XSS-Protection` header:\n\n```js\n// This is not recommended.\napp.use(\n  helmet({\n    xXssProtection: false,\n  }),\n);\n```\n\nYou can use this as standalone middleware with `app.use(helmet.xXssProtection())`.\n\n\u003c/details\u003e\n\n[Referer]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer\n[MIME sniffing]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#mime_sniffing\n[Clickjacking]: https://en.wikipedia.org/wiki/Clickjacking\n[XSS]: https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhelmetjs%2Fhelmet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhelmetjs%2Fhelmet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhelmetjs%2Fhelmet/lists"}