Cybrove
Platform Guide

How to Add Security Headers to Express.js

Add CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy to Express.js / Node.js. Copy-paste configuration included.

The 6 Essential Security Headers

Content-Security-Policy (CSP)

Controls which sources of scripts, styles, and other resources the browser may load for your page. Mitigates XSS by blocking inline scripts and scripts from origins you did not allow. It is a second line of defence behind proper output encoding, not a replacement for it.

Strict-Transport-Security (HSTS)

Tells browsers to use HTTPS only for your domain for the stated period, preventing protocol downgrade attacks and cookie hijacking over plain HTTP. Browsers ignore the header on plain-HTTP responses, so it only takes effect once a client has received it over HTTPS (or the domain is on the browser preload list).

X-Frame-Options

Stops other sites from loading your page in an iframe, blocking clickjacking attacks. The CSP frame-ancestors directive is the modern equivalent and takes precedence where supported; set both so older browsers are covered.

X-Content-Type-Options

Stops browsers from MIME-sniffing a response and interpreting it as a different type than the declared Content-Type, closing attacks that rely on content type confusion. The only meaningful value is nosniff.

Referrer-Policy

Controls how much referrer information is sent with outgoing requests, protecting user privacy and preventing leakage of paths and query strings to third parties. strict-origin-when-cross-origin is a sensible default.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, and others) your page and the frames it embeds may use, reducing attack surface. Note that Helmet does not set this header; you add it yourself.

Express.js / Node.js Configuration

Add this to your Express.js application entry point (app.js, server.js, or index.ts), before your route definitions, so every response, including error pages, carries the headers:

// ESM syntax; in CommonJS use const helmet = require('helmet');
import express from 'express';
import helmet from 'helmet';

const app = express();

// Option A: Helmet's defaults. One call sets its default header set
// (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more).
// app.use(helmet());

// Option B: customize. Use this INSTEAD of the plain helmet() call above, not in
// addition to it. Directives you list override the matching Helmet defaults.
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      // 'unsafe-inline' for styles is a common compromise; prefer nonces or hashes.
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", 'data:'],
    },
  },
  // Two years, subdomains included. Only keep preload: true if you intend to submit
  // the domain to the HSTS preload list; preloading is hard to undo.
  hsts: { maxAge: 63072000, includeSubDomains: true, preload: true },
}));

Install with: npm install helmet. Helmet sets a bundle of security headers by default, including X-Frame-Options, X-Content-Type-Options, HSTS, a restrictive CSP, and Referrer-Policy (the exact list depends on the Helmet version; check the Helmet README for yours). It does not set Permissions-Policy, so add that one with a small middleware of your own. Customize the CSP directives to match what your application actually loads, and roll a new policy out as Content-Security-Policy-Report-Only first so you see what it would block before it breaks pages in production.

How to Test Your Headers

curl -sI http://localhost:3000

Look for all six headers in the output. -I sends a HEAD request, which Express answers for any GET route. Remember that browsers only honour Strict-Transport-Security on HTTPS responses, so repeat the check against your production HTTPS origin (curl -sI https://your-domain/) rather than trusting the localhost result alone.

Or use Cybrove's free security check to automatically validate all security headers and get specific fix recommendations.
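The following is an added example, not code from this guide or from the Helmet project. It covers the two preceding sections in one self-contained file: a dependency-free, Express-compatible middleware that sets all six headers (including Permissions-Policy, which Helmet leaves to you), a buildCsp() helper that serializes the same camelCase directive object Helmet accepts, and an auditHeaders() function that does what the curl step does by hand, reporting which of the six headers are missing or weakly configured. The function names, the sample CSP, and the findings strings are this example's own choices, and the HEADERS_DEMO environment variable is an assumption for the optional self-terminating demo; it uses only Node.js built-ins.

```javascript
// Added example (not from the Cybrove page or the Helmet project): the six
// headers as a plain Express/Connect middleware, plus an audit of a response.
// Node.js built-ins only; function names and findings strings are our own.

// Sample CSP in Helmet's directive-object form (constructed for this example).
const CSP_DIRECTIVES = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'"],
  styleSrc: ["'self'"],          // no 'unsafe-inline'; use nonces/hashes instead
  imgSrc: ["'self'", 'data:'],
  objectSrc: ["'none'"],
  frameAncestors: ["'none'"],    // CSP-era replacement for X-Frame-Options
  baseUri: ["'self'"],
  formAction: ["'self'"],
};

// Serialize directives to the header value: camelCase -> kebab-case, sources
// space-separated, directives ';'-separated, bare keyword when the list is empty.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => {
      const kebab = name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
      return sources.length ? `${kebab} ${sources.join(' ')}` : kebab;
    })
    .join('; ');
}

// The six headers with hardened values. HSTS max-age defaults to two years;
// pass preload: true only when you intend to submit the domain to the preload list.
function securityHeaders(opts = {}) {
  const maxAge = opts.hstsMaxAge ?? 63072000;
  const preload = opts.preload ? '; preload' : '';
  return {
    'Content-Security-Policy': buildCsp(opts.csp ?? CSP_DIRECTIVES),
    'Strict-Transport-Security': `max-age=${maxAge}; includeSubDomains${preload}`,
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  };
}

// Express/Connect middleware: app.use(securityHeadersMiddleware()) before your
// routes so every response, including error pages, carries the headers.
function securityHeadersMiddleware(opts) {
  const headers = securityHeaders(opts);
  return function (req, res, next) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    res.removeHeader('X-Powered-By'); // Express sets it by default; it only aids fingerprinting
    next();
  };
}

// Audit a response's headers (keys in any case, e.g. Node's lower-cased res.headers).
// Returns findings; an empty list means all six are present with sane values.
const REQUIRED = ['content-security-policy', 'strict-transport-security', 'x-frame-options',
  'x-content-type-options', 'referrer-policy', 'permissions-policy'];
const ONE_YEAR = 31536000;

function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  for (const name of REQUIRED) if (!(name in h)) findings.push(`missing: ${name}`);
  const csp = h['content-security-policy'] || '';
  if (/script-src[^;]*'unsafe-inline'/.test(csp)) findings.push("weak: CSP script-src allows 'unsafe-inline'");
  if (/script-src[^;]*'unsafe-eval'/.test(csp)) findings.push("weak: CSP script-src allows 'unsafe-eval'");
  const hsts = h['strict-transport-security'] || '';
  const m = /max-age=(\d+)/i.exec(hsts);
  if (hsts && (!m || Number(m[1]) < ONE_YEAR)) findings.push(`weak: HSTS max-age below one year (${ONE_YEAR})`);
  const xcto = h['x-content-type-options'];
  if (xcto && xcto.trim().toLowerCase() !== 'nosniff') findings.push('weak: X-Content-Type-Options is not nosniff');
  const xfo = h['x-frame-options'];
  if (xfo && !/^\s*(deny|sameorigin)\s*$/i.test(xfo)) findings.push('weak: X-Frame-Options is not DENY or SAMEORIGIN');
  return findings;
}

// Self-terminating demo (HEADERS_DEMO=1 node headers.js): serve on a free port,
// request the headers the way curl -I does, audit them, then shut down.
if (typeof process !== 'undefined' && process.env.HEADERS_DEMO === '1') {
  const http = require('node:http');
  const mw = securityHeadersMiddleware();
  const server = http.createServer((req, res) => mw(req, res, () => res.end('ok\n')));
  server.listen(0, '127.0.0.1', () => {
    const { port } = server.address();
    http.request({ host: '127.0.0.1', port, method: 'HEAD', path: '/' }, (res) => {
      console.log(res.headers);
      console.log('findings:', auditHeaders(res.headers));
      res.resume();
      res.on('end', () => server.close());
    }).end();
  });
}

if (typeof module !== 'undefined') module.exports = { buildCsp, securityHeaders, securityHeadersMiddleware, auditHeaders };
```

Point auditHeaders() at the headers object from an http.request callback, or paste the output of curl -sI into a small object, to get the same missing/weak report a scanner would give. The sample policy deliberately omits 'unsafe-inline' for styles; if your app needs it, the audit will stay silent (it only flags script-src), which is the trade-off the Helmet snippet above makes as well.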

Frequently Asked Questions

How do I add security headers to Express.js / Node.js?

Add security headers to Express.js / Node.js by registering the Helmet middleware in your application entry point (app.js, server.js, or index.ts), before your route definitions. The essential headers are CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy (the last one is not set by Helmet and needs a line of your own). See the configuration example above.

How do I test if my Express.js / Node.js security headers are working?

Run: curl -sI http://localhost:3000 and check the response headers, then repeat against your HTTPS origin, since HSTS is only honoured over TLS. Or use Cybrove's free security check at cybrove.com/scan which automatically validates all security headers and reports which are missing.

Which security headers are most important for Express.js / Node.js?

CSP (mitigates XSS), HSTS (forces HTTPS), and X-Frame-Options together with CSP frame-ancestors (prevent clickjacking) are the most critical. X-Content-Type-Options and Referrer-Policy provide additional protection with minimal configuration effort.

Check if your Express.js / Node.js headers are configured correctly

Free security check validates all 6 headers plus SSL, DNS, and email authentication.

Free Security Check