Only 4 of these are standard HTTP headers.
The Content-Security-Policy and Referrer-Policy are keepers, but if you're serious about them, why not study the possible values they support, and set them explicitly?
developer.mozilla.org/en-US/docs/W...
The Strict-Transport-Security header is not necessary -- simply firewall port 80 and serve your website on port 443 with a valid TLS certificate.
The Expect-CT header is obsolete as of June 2021 developer.mozilla.org/en-US/docs/W...
All the rest are non-standard "X-" headers that should be used only when you explicitly need them.
My point is that simply adding a call to helmet() will delay your learning of HTTP.
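One way to set the two headers the comment above calls "keepers" explicitly on a plain Node.js server, with no helmet() call. This is an added example, not code from the thread or from the Helmet project; the CDN origin and the listening port are placeholders.

```javascript
// Added example: explicit Content-Security-Policy and Referrer-Policy
// on a bare Node.js http server, instead of helmet() defaults.
// Directives are kept as structured data so every value is a deliberate choice.
const CSP_DIRECTIVES = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example.com"], // placeholder origin
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "frame-ancestors": ["'none'"], // also covers what X-Frame-Options did
  "upgrade-insecure-requests": [], // valueless directive
};

// Serialise a directive map into header syntax: "name v1 v2; name2 v3".
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => [name, ...values].join(" "))
    .join("; ");
}

// Explicit values for the two headers discussed in the thread.
function securityHeaders() {
  return {
    "Content-Security-Policy": buildCsp(CSP_DIRECTIVES),
    // Send only the origin on cross-origin requests, never the full URL.
    "Referrer-Policy": "strict-origin-when-cross-origin",
  };
}

// Apply the headers to anything with setHeader (http.ServerResponse here).
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(securityHeaders())) {
    res.setHeader(name, value);
  }
  return res;
}

// Stand-alone use: serve a page with the headers attached (placeholder port).
if (typeof require !== "undefined" && require.main === module) {
  const http = require("http");
  http
    .createServer((req, res) => {
      applySecurityHeaders(res);
      res.setHeader("Content-Type", "text/plain");
      res.end("hello");
    })
    .listen(8080);
}
```

Check the resulting policy with a browser's console or a CSP evaluator before relying on it, since a typo in a directive name is silently ignored by browsers.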
I came here to literally add this - nice job @joehonton!
It's good that Helmet exposes new developers to these headers, but it's up to each developer to:
Don't just "add helmet & done"!
I think I covered this in the very first two quoted lines of this post ;)! Helmet is not a silver bullet indeed.