Update "Use helmet" section (#1790)

expressjs · Feb 15, 2025 · 2067442 · 2067442
1 parent f669c5f
commit 2067442
Showing 1 changed file with 18 additions and 8 deletions.
diff --git a/en/advanced/best-practice-security.md b/en/advanced/best-practice-security.md
@@ -80,18 +80,28 @@ app.use((req, res) => {
 
 [Helmet][helmet] can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately.
 
-Helmet is a collection of several smaller middleware functions that set security-related HTTP response headers. Some examples include:
-
-* `helmet.contentSecurityPolicy` which sets the `Content-Security-Policy` header. This helps prevent cross-site scripting attacks among many other things.
-* `helmet.hsts` which sets the `Strict-Transport-Security` header. This helps enforce secure (HTTPS) connections to the server.
-* `helmet.frameguard` which sets the `X-Frame-Options` header. This provides [clickjacking](https://www.owasp.org/index.php/Clickjacking) protection.
-
-Helmet includes several other middleware functions which you can read about [at its documentation website][helmet].
+Helmet is a middleware function that sets security-related HTTP response headers. Helmet sets the following headers by default:
+
+- `Content-Security-Policy`: A powerful allow-list of what can happen on your page which mitigates many attacks
+- `Cross-Origin-Opener-Policy`: Helps process-isolate your page
+- `Cross-Origin-Resource-Policy`: Blocks others from loading your resources cross-origin
+- `Origin-Agent-Cluster`: Changes process isolation to be origin-based
+- `Referrer-Policy`: Controls the [`Referer`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) header
+- `Strict-Transport-Security`: Tells browsers to prefer HTTPS
+- `X-Content-Type-Options`: Avoids [MIME sniffing](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#mime_sniffing)
+- `X-DNS-Prefetch-Control`: Controls DNS prefetching
+- `X-Download-Options`: Forces downloads to be saved (Internet Explorer only)
+- `X-Frame-Options`: Legacy header that mitigates [Clickjacking](https://en.wikipedia.org/wiki/Clickjacking) attacks
+- `X-Permitted-Cross-Domain-Policies`: Controls cross-domain behavior for Adobe products, like Acrobat
+- `X-Powered-By`: Info about the web server. Removed because it could be used in simple attacks
+- `X-XSS-Protection`: Legacy header that tries to mitigate [XSS attacks](https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting), but makes things worse, so Helmet disables it
+
+Each header can be configured or disabled. To read more about it please go to [its documentation website][helmet].
 
 Install Helmet like any other module:
 
 ```bash
-$ npm install --save helmet
+$ npm install helmet
 ```
 
 Then to use it in your code: