
Helmet

Secure your app with HTTP headers (CSP, HSTS, XSS Protection).


@bklarjs/helmet helps secure your application by setting HTTP response headers. These headers reduce the attack surface for clickjacking (X-Frame-Options), MIME-type sniffing (X-Content-Type-Options) and protocol downgrade (Strict-Transport-Security), and, once you configure a Content Security Policy, for Cross-Site Scripting (XSS). They complement, rather than replace, input validation and output encoding in your own code.

Installation

bun add @bklarjs/helmet
npm install @bklarjs/helmet

Usage

Applying helmet() with default settings is a great starting point for security.

import { Bklar } from "bklar";
import { helmet } from "@bklarjs/helmet";

const app = Bklar();

// Sets secure defaults (HSTS, No-Sniff, Frame-Options, etc.)
app.use(helmet());

app.listen(3000);

Configuration

You can enable/disable specific headers or configure Content Security Policy (CSP).

app.use(
  helmet({
    // Enable CSP. Directive keys are camelCase and are emitted as
    // default-src, script-src, style-src in the header.
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        // 'unsafe-inline' lets any inline script run, including injected ones,
        // so it largely defeats the XSS protection CSP provides. Prefer a
        // per-response nonce or a script hash in production.
        scriptSrc: ["'self'", "'unsafe-inline'"],
        styleSrc: ["'self'", "https://fonts.googleapis.com"],
      },
    },

    // Disable specific headers if needed. Turning off X-Frame-Options removes
    // clickjacking protection unless a CSP frame-ancestors directive replaces it.
    xFrameOptions: false,
  })
);

Default Headers

| Header | Value | Purpose |
| --- | --- | --- |
| X-DNS-Prefetch-Control | off | Privacy: stops the browser pre-resolving DNS for links on the page |
| X-Frame-Options | SAMEORIGIN | Anti-clickjacking: the page may only be framed by its own origin |
| Strict-Transport-Security | max-age=15552000; includeSubDomains | Force HTTPS for 180 days, including subdomains |
| X-Download-Options | noopen | Legacy IE8 hardening: downloaded files cannot open in the site's context |
| X-Content-Type-Options | nosniff | Prevent MIME-type sniffing |
| Referrer-Policy | no-referrer | Privacy: no Referer header is sent |
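After deploying, confirm the headers actually reach the client rather than trusting the defaults table. The following added example is not code from bklar or @bklarjs/helmet; auditSecurityHeaders, hstsMaxAge and normalizeHeaders are illustrative names and the two response header maps are constructed here. It checks a response's headers against the table above, matching names case-insensitively as HTTP requires, accepting DENY as a stricter alternative for X-Frame-Options, and parsing the HSTS max-age instead of comparing the string.

```javascript
// Added example (not part of bklar or @bklarjs/helmet): audit a response's headers
// against the helmet defaults listed above.

// Accepted values per header (compared case-insensitively). HSTS is handled separately.
const EXPECTED_DEFAULTS = {
  "x-dns-prefetch-control": ["off"],
  "x-frame-options": ["SAMEORIGIN", "DENY"],
  "strict-transport-security": null,
  "x-download-options": ["noopen"],
  "x-content-type-options": ["nosniff"],
  "referrer-policy": ["no-referrer"],
};

// Lower-case header names; Node's response objects already do this, curl output does not.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Parse max-age from an HSTS value; -1 when missing or unparseable.
function hstsMaxAge(value) {
  const m = /max-age=(\d+)/i.exec(value || "");
  return m ? Number(m[1]) : -1;
}

// Returns a list of findings; an empty list means every default is present and sane.
function auditSecurityHeaders(headers, { minHstsAge = 15552000 } = {}) {
  const h = normalizeHeaders(headers);
  const findings = [];
  for (const [name, accepted] of Object.entries(EXPECTED_DEFAULTS)) {
    if (!(name in h)) {
      findings.push(`missing ${name}`);
      continue;
    }
    if (name === "strict-transport-security") {
      const age = hstsMaxAge(h[name]);
      if (age < minHstsAge) findings.push(`${name}: max-age ${age} below ${minHstsAge}`);
      if (!/includeSubDomains/i.test(h[name])) findings.push(`${name}: missing includeSubDomains`);
      continue;
    }
    const ok = accepted.some((v) => v.toLowerCase() === h[name].toLowerCase());
    if (!ok) findings.push(`${name}: got "${h[name]}", expected one of ${accepted.join(", ")}`);
  }
  return findings;
}

// Constructed sample: what a helmet() default response looks like.
const helmetDefaultResponse = {
  "Content-Type": "text/html",
  "X-DNS-Prefetch-Control": "off",
  "X-Frame-Options": "SAMEORIGIN",
  "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
  "X-Download-Options": "noopen",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "no-referrer",
};

// Constructed sample: a partially hardened response with a short HSTS lifetime.
const bareResponse = {
  "Content-Type": "text/html",
  "X-Frame-Options": "DENY",
  "Strict-Transport-Security": "max-age=3600",
};

console.log("defaults:", auditSecurityHeaders(helmetDefaultResponse));
console.log("bare    :", auditSecurityHeaders(bareResponse));
```

To audit a running instance, capture its headers (for example with `curl -sI http://localhost:3000`), turn the `Name: value` lines into an object and pass it to auditSecurityHeaders; note that HSTS is only honoured by browsers over HTTPS, so test the TLS-terminated endpoint, not a plain-HTTP development server.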
