Step 39: Helmet
We have allowed cross-domain requests to our API. This is needed; however, it makes our server more vulnerable to various security risks. We can get help from another Node package called [helmet](https://www.npmjs.com/package/helmet) to compensate for this. Helmet can protect our API from some well-known web vulnerabilities by setting HTTP headers appropriately.
To use helmet, stop the API server and install it:
yarn add helmet
Next, update the /src/index.js file by importing helmet:
import helmet from "helmet";
Next, link it to Express. This must be done before binding any of the route handlers, otherwise responses from routes registered earlier will not carry the headers!
app.use(helmet());
That's it! Rerun the server and run any of the API requests in Postman. Make a note of the response header attributes:
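A quick way to verify the step worked without reading the headers by hand is a small audit script. The following is an added example, not part of the course code: it compares a response's headers against the header set a default helmet() sets (Helmet 7 defaults as I know them; check the README of the version you installed) and reports anything missing or unexpected, including an X-Powered-By header that Helmet should have removed. Run it as `node audit.js http://localhost:PORT/some-route` against the running API.

```javascript
// Header names (lower-case, as Node reports them) and the values a default
// helmet() sets. null means "any value is fine, just check it is present".
// This list is my own summary of Helmet's defaults, not taken from the course.
const HELMET_HEADERS = {
  "content-security-policy": null, // value is long; presence is what we check
  "cross-origin-opener-policy": "same-origin",
  "cross-origin-resource-policy": "same-origin",
  "origin-agent-cluster": "?1",
  "referrer-policy": "no-referrer",
  "strict-transport-security": "max-age=15552000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "x-dns-prefetch-control": "off",
  "x-download-options": "noopen",
  "x-frame-options": "SAMEORIGIN",
  "x-permitted-cross-domain-policies": "none",
  "x-xss-protection": "0", // Helmet disables the legacy XSS filter on purpose
};

// Takes a plain object of lower-case header names -> values and returns a list
// of human-readable problems. An empty list means Helmet is wired in correctly.
function auditSecurityHeaders(headers) {
  const problems = [];
  for (const [name, expected] of Object.entries(HELMET_HEADERS)) {
    const actual = headers[name];
    if (actual === undefined) {
      problems.push(`missing ${name}`);
    } else if (expected !== null && actual !== expected) {
      problems.push(`${name} is "${actual}", expected "${expected}"`);
    }
  }
  // Helmet removes the Express fingerprint; if it is still there, helmet()
  // is probably registered after the route that answered this request.
  if (headers["x-powered-by"] !== undefined) {
    problems.push("x-powered-by is still present (helmet() not applied to this route?)");
  }
  return problems;
}

// Fetches a URL (Node 18+ global fetch) and audits the response headers.
async function auditUrl(url) {
  const res = await fetch(url);
  return auditSecurityHeaders(Object.fromEntries(res.headers));
}

// Only contact the network when a URL is given on the command line.
if (process.argv[2]) {
  auditUrl(process.argv[2]).then((problems) => {
    console.log(problems.length ? problems.join("\n") : "all Helmet headers present");
  });
}
```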
It is beyond the scope of this course to get into the details of what these headers mean and what they do. However, if you are interested, a good starting point is this short YouTube video Secure ExpressJS Application With Helmet. I also recommend watching this (longer) YouTube video Information Security with HelmetJS with FreeCodeCamp by Dylan Israel.