Fix Missing Security Headers on Express
Last updated: April 2026
Use Helmet to add security headers to Express. Mount it before routes so headers apply to every response.
Scan your Express app for missing headers
Install and add Helmet
# Add Helmet to the project's dependencies (npm >= 5 records it in package.json by default).
npm install helmet
const express = require('express');
const helmet = require('helmet');
const app = express();
// Express runs middleware in registration order, so helmet() must be
// registered before any route or static handler: a handler mounted
// earlier would answer without the security headers.
app.use(helmet()); // mount before routes
// `handler` is defined elsewhere in the application.
app.get('/api', handler);
Custom CSP with Helmet
// Supply an explicit Content-Security-Policy. This snippet is an
// alternative to the plain helmet() call, not an addition to it — use a
// single helmet() call per app. Helmet fills in its default directives for
// anything not listed here unless `useDefaults: false` is set; confirm
// against the installed Helmet version.
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      // Fallback for fetch directives not listed below: same origin only.
      defaultSrc: ["'self'"],
      // Own origin plus one pinned CDN host. Every script served from that
      // host is trusted, so keep the host list as small as possible.
      scriptSrc: ["'self'", "https://cdn.example.com"],
      // 'unsafe-inline' permits inline <style> blocks and style= attributes;
      // it weakens the policy for styles and should be removed when the
      // app can ship styles from files instead.
      styleSrc: ["'self'", "'unsafe-inline'"],
      // data: URIs and any https: origin are accepted for images.
      imgSrc: ["'self'", "data:", "https:"],
      // Page may not be embedded in any frame (CSP equivalent of
      // X-Frame-Options: DENY, which Helmet's default header is not).
      frameAncestors: ["'none'"],
      // No <object>/<embed> plugin content.
      objectSrc: ["'none'"],
    },
  },
}));
Custom HSTS
// Tune HTTP Strict Transport Security. Helmet emits the header on every
// response; browsers only honour it when it arrives over HTTPS.
app.use(helmet({
  strictTransportSecurity: {
    // Seconds — one year. Browsers refuse plain HTTP to this host for this
    // long after the last visit, so only enable once HTTPS is stable.
    maxAge: 31536000,
    // Policy also covers every subdomain; all of them must serve HTTPS.
    includeSubDomains: true,
    // Only set true when submitting the domain to the browser preload list;
    // that listing is hard to reverse.
    preload: false,
  },
}));
Disable specific headers
// Turn off individual Helmet middlewares. `false` removes that header
// entirely, so either another component must supply it or the omission
// should be a deliberate, recorded decision.
app.use(helmet({
  contentSecurityPolicy: false, // manage CSP separately
  xDownloadOptions: false, // drops X-Download-Options, a legacy IE-only header
}));
Verify headers
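# -I sends a HEAD request and prints only the response headers; the grep
# keeps the security-relevant ones. Adjust the port to where the app listens.
# "cross-origin" is included because Helmet also sets Cross-Origin-Opener-Policy
# and Cross-Origin-Resource-Policy by default.
curl -sI http://localhost:3000 | grep -iE "strict|x-frame|x-content|referrer|content-security|cross-origin"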