@nichtsam/helmet

v0.3.1

Helps secure applications by setting HTTP response headers. Inspired by [`helmet`](https://github.com/helmetjs/helmet) and [`http-helmet`](https://github.com/mcansh/http-helmet).

Downloads

21,312

Readme

Helmet Security Headers Library

Helps secure applications by setting HTTP response headers. Inspired by [`helmet`](https://github.com/helmetjs/helmet) and [`http-helmet`](https://github.com/mcansh/http-helmet).

Why?

helmet applies security headers globally without considering the specific content type of each response. While this approach works for many cases, it can lead to unnecessary or misapplied headers. For example, Content Security Policy (CSP) should be specific to the response’s content type, and X-Download-Options only matters for document responses, whereas headers like X-Content-Type-Options and Strict-Transport-Security are universally applicable.

To improve clarity and control, I categorized security headers into three groups:

  1. General – Applies to all resources, ensuring broad security coverage.
  2. Content – Applies based on the response’s content type.
  3. Resource Sharing – Related to cross-origin policies.

This approach ensures that security headers are applied in a structured manner, improving maintainability and reducing unnecessary overhead. Additionally, this package is designed to work seamlessly with both the Web Fetch API’s Headers and http.ServerResponse, making it more flexible across different environments.

Overview

This package provides a flexible, modular way to manage security headers in a structured manner.

  • Provides security headers with sensible defaults (inspired by Express Helmet).
  • Content-specific options available as needed.
  • Resource Sharing Security Headers.

Installation

```sh
npm install @nichtsam/helmet
```

Usage

This is the most basic usage. It applies the general-purpose security headers, the best-practice set for protecting any type of resource.

```ts
import { helmet } from "@nichtsam/helmet";

const headers = new Headers();
helmet(headers);
```

There are options to enable more detailed security headers, such as those for HTML page content.

```ts
helmet(headers, {
  content: { contentSecurityPolicy: {} },
});
```

If you want to share the resource across origins, enable the `resourceSharing` option.

```ts
helmet(headers, { resourceSharing: true });
```

> [!IMPORTANT]
> This only sets the headers for enhanced security. You are responsible for setting the correct CORS headers. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_request_headers

For node-http

The package provides a simple wrapper that makes it smoother to use with `http.ServerResponse`. For example, in an Express app:

```ts
import express from "express";
import { helmet } from "@nichtsam/helmet/node-http";

const app = express();
// Apply the general security headers to every response before routing.
app.use((req, res, next) => {
  helmet(res);
  next();
});
```

Granular Interface

The main `helmet` function integrates all the security rules; you can also find them individually under `@nichtsam/helmet/rules`. They are categorized as general, content and resourceSharing, just like the options of the integrated `helmet` function. This allows a layered application approach that better suits individual routes.

For example:

```ts
import { generalSecurity } from "@nichtsam/helmet/general";
import { contentSecurity } from "@nichtsam/helmet/content";
import { resourceSharingSecurity } from "@nichtsam/helmet/resourceSharing";

const headers = new Headers();
// on root level
generalSecurity(headers);
// after the content-type is set
contentSecurity(headers);
// if you want to share across origins
resourceSharingSecurity(headers, { strategy: "cross-origin" });
```

> [!NOTE]
> The `generalSecurity` function includes `resourceSharingSecurity(headers, { strategy: "same-origin" })` by default. So you only need to call `resourceSharingSecurity` if you want to share resources across origins or customize the strategy.
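The following is an added, self-contained illustration of the three-layer model the "Why?" section describes and the layered usage shown above: general headers for every response, content headers only once the `Content-Type` is known, and a resource-sharing policy that defaults to same-origin. It is not `@nichtsam/helmet`'s own code; the function names mirror the README's but the implementation, the chosen default header values, the `applyToServerResponse` adapter and the `missingGeneralHeaders` audit helper are assumptions made for this example. It relies only on the global Web `Headers` class available in Node 18+.

```javascript
// Added example: a layered security-header model (general / content /
// resourceSharing). NOT @nichtsam/helmet's code; defaults and helper names
// are assumptions for this illustration. Uses the global Web Headers class.

// Resource sharing: cross-origin policy, independent of content type.
function resourceSharingSecurity(headers, { strategy = "same-origin" } = {}) {
  const allowed = new Set(["same-origin", "same-site", "cross-origin"]);
  if (!allowed.has(strategy)) throw new TypeError(`unknown strategy: ${strategy}`);
  headers.set("Cross-Origin-Resource-Policy", strategy);
  return headers;
}

// General: safe for every response regardless of content type.
// Like the README's generalSecurity, it defaults resource sharing to same-origin.
function generalSecurity(headers) {
  headers.set("X-Content-Type-Options", "nosniff");
  headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
  headers.set("Referrer-Policy", "no-referrer");
  headers.set("X-Frame-Options", "DENY");
  resourceSharingSecurity(headers, { strategy: "same-origin" });
  return headers;
}

// Content: only meaningful once Content-Type is set. CSP and
// X-Download-Options apply to documents (HTML), not to a JSON API response.
function contentSecurity(headers, options = {}) {
  const type = (headers.get("Content-Type") || "").toLowerCase();
  if (!type.startsWith("text/html")) return headers;
  const directives = Object.assign(
    { "default-src": ["'self'"], "object-src": ["'none'"], "base-uri": ["'self'"] },
    (options.contentSecurityPolicy && options.contentSecurityPolicy.directives) || {}
  );
  const policy = Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(" ")}`)
    .join("; ");
  headers.set("Content-Security-Policy", policy);
  headers.set("X-Download-Options", "noopen");
  return headers;
}

// Integrated entry point with the same option shape as the README's helmet().
function helmet(headers, options = {}) {
  generalSecurity(headers);
  if (options.content) contentSecurity(headers, options.content);
  if (options.resourceSharing) {
    resourceSharingSecurity(headers, { strategy: "cross-origin" });
  }
  return headers;
}

// Adapter (assumed name): copy a Web Headers object onto an http.ServerResponse,
// which is what a node-http style wrapper has to do. Works with any object
// exposing setHeader(name, value), so it can be exercised with a fake response.
function applyToServerResponse(headers, res) {
  for (const [name, value] of headers) res.setHeader(name, value);
  return res;
}

// Audit helper (assumed name): report general headers missing from a response.
const REQUIRED_GENERAL = [
  "X-Content-Type-Options",
  "Strict-Transport-Security",
  "Cross-Origin-Resource-Policy",
];
function missingGeneralHeaders(headers) {
  return REQUIRED_GENERAL.filter((name) => !headers.has(name));
}

// Constructed demo inputs: an HTML document and a JSON API response.
const page = helmet(new Headers({ "Content-Type": "text/html; charset=utf-8" }), {
  content: { contentSecurityPolicy: {} },
});
const api = helmet(new Headers({ "Content-Type": "application/json" }), {
  content: { contentSecurityPolicy: {} },
  resourceSharing: true,
});
console.log([...page], [...api], missingGeneralHeaders(new Headers()));
```

Because `contentSecurity` reads `Content-Type` from the headers it is given, it must run after the route has decided what it is returning; calling it before the content type is known silently applies nothing, which is the ordering the README's "after the content-type is set" comment refers to.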