Express application should use Helmet


Metadata

ID: javascript-express/missing-helmet

Language: JavaScript

Severity: Warning

Category: Security

CWE: 693

Description

Per Express documentation:

Helmet can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately.

This rule checks whether app.use(helmet()) is called in the same file in which you called express(). The check is file-local: if Helmet is registered from another module, the rule still reports a violation. Register Helmet before your routes, because Express runs middleware in registration order: a route registered above app.use(helmet()) sends its response without Helmet's headers.

Non-Compliant Code Examples

const express = require("express")

const app = express();

// no `app.use(helmet())` call in this file: no security headers are set

app.get("/foo", (req, res) => res.send("foo"));

app.listen(8000);

Compliant Code Examples

const express = require("express")
const helmet = require("helmet")

const app = express();

app.use(express.json()); // unrelated middleware, not helmet
app.use(helmet()); // helmet detected

app.get("/foo", (req, res) => res.send("foo"));

app.listen(8000);

import express from "express"
import helmet from "helmet"

const app = express();

app.use(helmet()); // helmet detected

app.get("/foo", (req, res) => res.send("foo"));

app.listen(8000);