A quick guide on how to secure a NodeJs express API with Helmet
In this guide we will show how we can secure our NodeJs API using Helmet. Helmet is an open source library that can be downloaded from npmjs. What helmet is doing, is basically adding HTTP response headers. We can also configure each header to suite our needs, and also choose to disable those we don't want.
Example
To use helmet, we can download it using npm
npm i helmet
And then in our API, we use it like this:
const express = require("express"); const helmet = require("helmet"); const PORT = 8089; const app = express(); app.use(helmet()); app.get("/ping", (req, res) => { res.send("pong"); }); app.listen(PORT, () => { console.log(`Server is running on port ${PORT}`); });
And that's it. So it basically takes two lines of code to secure our API. And if we want to remove some of the headers, e.g contet-security-policy, it can be done like this:
app.use( helmet({ contentSecurityPolicy: false, }) );
Example of allowing scripts to be loaded through helmet
Or if we want to customize some header, it can be done as well. Example below will allow scripts to be loaded from some trusted sources.
app.use( helmet({ contentSecurityPolicy: { useDefaults: true, directives: { scriptSrc: ["'self'", "some.external.script.we.trust"], }, }, }) );
Outro
That's helmet ladies and gentlemen. I hope you enjoyed this guide. Express apps are insecure by default, since there are no security headers present. That's why tools like helmet is great, since it is super easy to get the security foundation up and running with just a couple of lines of code.
Thanks for reading, and have a great day!
Tue May 16 2023
How to create and decode QR codes in NodeJsIn this tutorial, we will show how we can create QR codes using NodeJs and also how to decode already created QR codes.
Introduction to web scraping with PuppeteerA guide on how to scrape a website using Puppeteer. We will see how we can retrieve the content of https://react.dev and print in the console.
Build a full stack application with React and NodeJsA tutorial on how to build a simple full stack application with React in the client side and NodeJs in the backend.
How to convert a text file and its content to a JSON file with correct structureA guide on how to create a JSON file from a txt file in NodeJs. We will also make sure that the content is formatted in correct JSON format.
How to send email in NodeJs with Gmail - using nodemailerA guide on how to use Gmail and Google OAuth 2.0 to send emails with NodeJs and nodemailer.
How to send email in NodeJs with a Yahoo mail using nodemailerA tutorial on how to send emails in NodeJs using nodemailer. Our sender email will be a Yahoo address and we will cover how to authenticate using app passwords.
Hash passwords in NodeJs using bcryptA tutorial on how to use bcrypt in NodeJs to hash passwords and compare them afterwards.
Setup puppeteer with DockerIn this guide we will show how to setup a puppeteer service in NodeJs with Docker.
Introduction to caching in a NodeJs APIIn this guide we will show how we can set up a simple cache in NodeJs. We will use node-cache library from npmjs.com in this article.
How to parse XML data to JSON in NodeJsIn this tutorial, we will show how we can parse XML in NodeJs in to a JSON object. We will use fast-xml-parser library in this guide.