How to do it...

Let's begin by starting our server. In the app folder we run:

$ npm start 

Now, in another tab, let's take a look at our Express app's default HTTP headers:

$ curl -I http://localhost:3000 

If curl isn't installed on our system, we can achieve the same result with the following one-liner, which sends a HEAD request and pipes the raw socket to stdout so that the response head is printed exactly as the server sent it:

$ node -e "require('http').get({port: 3000, method: 'head'})
.on('socket', (socket) => socket.pipe(process.stdout))"

The response should look something like the following:

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 170
ETag: W/"aa-SNfgj6aecdqLGkiTQbf9lQ"
Date: Mon, 20 Mar 2017 11:55:42 GMT
Connection: close

Now let's install the http://npm.im/helmet module:

$ npm install --save helmet 

In our app.js file, we'll require helmet after the third-party modules, but before we require our local files:

var express = require('express')
var path = require('path')
var favicon = require('serve-favicon')
var logger = require('morgan')
var cookieParser = require('cookie-parser')
var bodyParser = require('body-parser')
var helmet = require('helmet')
var index = require('./routes/index')
var users = require('./routes/users')

We can see helmet is required now, just above index and below bodyParser.

Next, we'll include helmet as middleware at the top of the middleware stack. Order matters here: helmet sets its headers on the response object when it runs, so it has to come before anything that can send a response, including express.static and the route handlers; a helmet placed after express.static would leave every static file unprotected:

app.use(helmet()) // first, so every later middleware and route inherits its headers
app.use(logger('dev'))
app.use(bodyParser.json())
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
app.use(express.static(path.join(__dirname, 'public')))

OK, let's press Ctrl + C to stop our server, and then start it again:

$ npm start 

In another terminal, let's make the same HEAD request:

$ curl -I http://localhost:3000 

Or the following in the absence of curl:

$ node -e "require('http').get({port: 3000, method: 'head'})
.on('socket', (socket) => socket.pipe(process.stdout))"

We should now see something like the following:

HTTP/1.1 200 OK
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=utf-8
Content-Length: 170
ETag: W/"aa-SNfgj6aecdqLGkiTQbf9lQ"
Date: Mon, 20 Mar 2017 12:00:44 GMT
Connection: close

Note the removal of X-Powered-By and the addition of several new X- prefixed headers. X-Powered-By is removed by helmet's hidePoweredBy middleware; Express can also drop it on its own with app.disable('x-powered-by'), which is worth doing even in apps that don't use helmet, since the header tells an attacker exactly which framework to target. The exact set of headers depends on the helmet version: the output above is from helmet 3, while helmet 4 and later also send a default Content-Security-Policy and set X-XSS-Protection to 0, because the browser-side XSS filter that 1; mode=block enabled has since been removed from current browsers. Whatever the version, always verify the headers with a request like the one above rather than assuming the middleware is in effect, and remember that response headers harden the browser's behaviour but do not replace input validation and output encoding in the app itself.
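The check we just did by eye can be automated. The following is an added example for this recipe, not code from the recipe or from the helmet project: it parses a raw HTTP response head (the text curl -I prints) with Node's standard library only, and audits it against a baseline of the headers helmet sets by default, reporting headers that are missing, headers with unexpected values, and headers such as X-Powered-By that disclose the server stack. The baseline in EXPECTED_HEADERS is an assumption made for the example (it accepts both the helmet 3 and the helmet 4 values of X-XSS-Protection); the two sample responses are the ones shown above, embedded as constructed strings so the script runs offline.

```javascript
// Added example, not code from the recipe: parse the head of a raw HTTP response
// (the text `curl -I` prints) and audit it against a baseline of the headers
// helmet sets by default, flagging missing headers, unexpected values, and
// headers that disclose the server stack. Node standard library only.

// Baseline of expected headers and the values we accept. This is an assumption
// for the example; a real deployment would derive it from its own policy.
const EXPECTED_HEADERS = {
  'x-dns-prefetch-control': ['off'],
  'x-frame-options': ['SAMEORIGIN', 'DENY'],
  'x-download-options': ['noopen'],
  'x-content-type-options': ['nosniff'],
  // helmet 3 sent '1; mode=block'; helmet 4 and later send '0' because the
  // browser-side XSS filter has since been removed from current browsers.
  'x-xss-protection': ['1; mode=block', '0'],
};

// Headers that reveal what software is serving the response.
const DISCLOSING_HEADERS = ['x-powered-by', 'server'];

// Parse a raw HTTP/1.x response head into { status, headers }. Header names
// are lower-cased; repeated headers are joined with ', ' as RFC 7230 allows.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/);
  const status = /^HTTP\/\d\.\d (\d{3})/.exec(lines[0]);
  if (!status) throw new Error('not an HTTP response head: ' + lines[0]);
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line.trim() === '') break; // blank line ends the head; ignore any body
    const sep = line.indexOf(':');
    if (sep === -1) continue; // not a header line; skip rather than fail
    const name = line.slice(0, sep).trim().toLowerCase();
    const value = line.slice(sep + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return { status: Number(status[1]), headers };
}

// Audit a parsed header map. Returns one finding per problem, in a stable
// order: baseline headers first (missing or wrong value), then disclosures.
function auditHeaders(headers) {
  const findings = [];
  for (const [name, accepted] of Object.entries(EXPECTED_HEADERS)) {
    if (!(name in headers)) {
      findings.push({ header: name, problem: 'missing' });
    } else if (!accepted.includes(headers[name])) {
      findings.push({ header: name, problem: 'unexpected value', value: headers[name] });
    }
  }
  for (const name of DISCLOSING_HEADERS) {
    if (name in headers) {
      findings.push({ header: name, problem: 'discloses server software', value: headers[name] });
    }
  }
  return findings;
}

// Convenience wrapper: audit straight from the raw `curl -I` output.
function auditRawResponse(raw) {
  return auditHeaders(parseResponseHead(raw).headers);
}

// Constructed samples: the two response heads shown in this recipe, before and
// after helmet was added.
const BEFORE_HELMET = [
  'HTTP/1.1 200 OK',
  'X-Powered-By: Express',
  'Content-Type: text/html; charset=utf-8',
  'Content-Length: 170',
  'ETag: W/"aa-SNfgj6aecdqLGkiTQbf9lQ"',
  'Date: Mon, 20 Mar 2017 11:55:42 GMT',
  'Connection: close',
  '',
].join('\r\n');

const AFTER_HELMET = [
  'HTTP/1.1 200 OK',
  'X-DNS-Prefetch-Control: off',
  'X-Frame-Options: SAMEORIGIN',
  'X-Download-Options: noopen',
  'X-Content-Type-Options: nosniff',
  'X-XSS-Protection: 1; mode=block',
  'Content-Type: text/html; charset=utf-8',
  'Content-Length: 170',
  'ETag: W/"aa-SNfgj6aecdqLGkiTQbf9lQ"',
  'Date: Mon, 20 Mar 2017 12:00:44 GMT',
  'Connection: close',
  '',
].join('\r\n');

// Print a human-readable report and return the findings for further use.
function report(label, raw) {
  const findings = auditRawResponse(raw);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) {
    console.log(`  ${f.header}: ${f.problem}${f.value ? ' (' + f.value + ')' : ''}`);
  }
  return findings;
}

report('before helmet', BEFORE_HELMET); // 6 findings: 5 missing headers, X-Powered-By leak
report('after helmet', AFTER_HELMET);   // 0 findings
```

Against the "before" response the audit reports the five missing hardening headers plus the X-Powered-By disclosure; against the "after" response it reports nothing. To audit a live server, capture the head with curl -sI http://localhost:3000 and pass the text to auditRawResponse; because the parser lower-cases header names, it doesn't matter which casing the server or proxy in front of it uses.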