The helmet module is just a set of useful Express middlewares that provides sane defaults. Every middleware that helmet enables by default simply sets a response header. Now that we know what those defaults are, we can do the same with an HTTP server written entirely with the core http module.
Let's create a folder called http-app and create an index.js file in it.
Let's open index.js in our favorite editor, and write the following:
const http = require('http')

const server = http.createServer((req, res) => {
  // Set the headers before routing so every response carries them,
  // including the 404 produced by the default branch.
  secureHeaders(res)
  switch (req.url) {
    case '/': return res.end('hello world')
    case '/users': return res.end('oh, some users!')
    default: return error('404', res)
  }
})

// The same headers that helmet's default middleware sets.
function secureHeaders (res) {
  res.setHeader('X-DNS-Prefetch-Control', 'off')
  res.setHeader('X-Frame-Options', 'SAMEORIGIN')
  res.setHeader('X-Download-Options', 'noopen')
  res.setHeader('X-Content-Type-Options', 'nosniff')
  res.setHeader('X-XSS-Protection', '1; mode=block')
}

// Send a status code with its standard reason phrase as the body.
function error (code, res) {
  res.statusCode = code
  res.end(http.STATUS_CODES[code])
}

server.listen(3000)
Here we emulate the fundamental functionality from our main recipe. The secureHeaders function simply takes the response object and calls setHeader for each of the headers discussed in the main recipe.
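One way to confirm that the server above really sends these headers on every route, including the 404 branch. This is an added example, not code from the original recipe; the file name check-headers.js and the /nope path are assumptions made for illustration.

```javascript
// Added example, not from the recipe. Assumed file name: check-headers.js
const http = require('http')

// Expected values, copied from the recipe's secureHeaders function.
// Node lowercases header names on the receiving side.
const EXPECTED = {
  'x-dns-prefetch-control': 'off',
  'x-frame-options': 'SAMEORIGIN',
  'x-download-options': 'noopen',
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '1; mode=block'
}

// Compare a header map with EXPECTED; returns a list of problems (empty = ok).
function auditHeaders (headers) {
  const seen = {}
  for (const [name, value] of Object.entries(headers)) {
    seen[name.toLowerCase()] = String(value)
  }
  const problems = []
  for (const [name, want] of Object.entries(EXPECTED)) {
    if (!(name in seen)) problems.push(`${name}: missing`)
    else if (seen[name] !== want) problems.push(`${name}: got "${seen[name]}", want "${want}"`)
  }
  return problems
}

// Request one URL and audit the headers of whatever comes back.
function auditUrl (url) {
  return new Promise((resolve, reject) => {
    http.get(url, (res) => {
      res.resume() // discard the body, only the headers matter
      resolve({ url, status: res.statusCode, problems: auditHeaders(res.headers) })
    }).on('error', reject)
  })
}

// Usage: node check-headers.js http://localhost:3000
// '/nope' (a made-up path) exercises the 404 branch as well.
if (process.argv[2]) {
  Promise.all(['/', '/users', '/nope'].map((p) => auditUrl(process.argv[2] + p)))
    .then((results) => {
      for (const r of results) console.log(r.status, r.url, r.problems.length ? r.problems : 'ok')
      process.exitCode = results.some((r) => r.problems.length) ? 1 : 0
    })
    .catch((err) => { console.error(err.message); process.exitCode = 2 })
}
```

The script exits with status 1 if any route is missing a header or sends a different value, so it can gate a deployment step.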