DEV Community

Cover image for How to make your express API more secure with helmet
Gabriel Rufino
Gabriel Rufino

Posted on

How to make your express API more secure with helmet

#node #javascript #security #microservices

Security is a serious matter! Are you concerned about the security of your APIs?

When it comes to APIs built with Express.js, one simple step can help you increase the level of security on your system: the Helmet library.

Alt Text

What is the Helmet?

Helmet is a library for Express.js that aggregates 12 simple middleware, responsible for setting some headers in HTTP responses.

Let's do a simple example below:

Simple example 

$ mkdir my-api
$ cd my-api
$ npm init -y
$ npm install express --save
Enter fullscreen mode Exit fullscreen mode

Create a file index.js:

const express = require('express')

const app = express()

app.get('/', (request, response) => {
  return response.json({
    api: 'live'
  })
})

app.listen(3000)
Enter fullscreen mode Exit fullscreen mode

Start the server:

$ node index.js
Enter fullscreen mode Exit fullscreen mode

Notice the headers returned by the request without using the helmet:

Alt Text

We will include the helmet in our API. First, install the package:

$ npm install helmet --save
Enter fullscreen mode Exit fullscreen mode

Import and include in the express app as follows:

const express = require('express')
const helmet = require('helmet')

const app = express()

app.use(helmet())

app.get('/', (request, response) => {
  return response.json({
    api: 'live'
  })
})

app.listen(3000)
Enter fullscreen mode Exit fullscreen mode

Restart the server:

$ node index.js
Enter fullscreen mode Exit fullscreen mode

Discover the new headers defined by the helmet:

Alt Text

These headers add the extra level of security to your API. For example, Strict-Transport-Security, which allows a website to inform browsers that it should be accessed only over HTTPS, instead of using HTTP.

Some middlewares are enabled by default, others are not. Learn more at https://helmetjs.github.io/

See you soon

Top comments (7)

Collapse
 
octaneinteractive profile image
Wayne Smallman

Hi Gabriel, great introduction.

I'm also using Helmet, and have:

app.use(helmet())
app.disable('x-powered-by')
Collapse
 
gabrielrufino profile image
Gabriel Rufino

Did you know that the helmet already deactivates the x-powered-by header? Thank you for your feedback bro :D

Collapse
 
octaneinteractive profile image
Wayne Smallman

It could be that I'm using a version that didn't do it by default.

Collapse
 
hemant profile image
Hemant Joshi

Wow,
Lately I heard of using helmet for Dynamic Title/ tags for react app.
Suerly will try it in express

Collapse
 
gabrielrufino profile image
Gabriel Rufino

Interesting!! Thankss

Collapse
 
rurickdev profile image
Rurick Maqueo Poisot

great article, i just want to know why and how this headers improve the security of my express app?

Collapse
 
gabrielrufino profile image
Gabriel Rufino

You can read about these headers and how each of these increases a security level to your application. Thank you :D

Read next

binaries001 profile image

BUILDING A CYBERSECURITY DETECTION AND MONITORING LAB BY LEVERAGING LOCAL VIRTUAL MACHINES (VMs) AND MICROSOFT AZURE

Adeniran Abdullahi -

chrissiku profile image

Update and delete records on a DWN

Chris Siku -

chrissiku profile image

Connect to Web5 and on a DWN in Web5

Chris Siku -

chrissiku profile image

Query and Read records on a DWN

Chris Siku -