Important: This documentation covers Yarn 1 (Classic).
For Yarn 2+ docs and migration guide, see yarnpkg.com.

Package detail

@types/helmet

helmetjs1.1mMITdeprecated4.0.0

This is a stub types definition. helmet provides its own type definitions, so you do not need this installed.

Stub TypeScript definitions entry for helmet, which provides its own types definitions

readme

changelog

Changelog

8.1.0 - 2025-03-17

Changed

  • Content-Security-Policy gives a better error when a directive value, like self, should be quoted. See #482

8.0.0 - 2024-09-28

Changed

  • Breaking: Strict-Transport-Security now has a max-age of 365 days, up from 180
  • Breaking: Content-Security-Policy middleware now throws an error if a directive should have quotes but does not, such as self instead of 'self'. See #454
  • Breaking: Content-Security-Policy's getDefaultDirectives now returns a deep copy. This only affects users who were mutating the result
  • Breaking: Strict-Transport-Security now throws an error when "includeSubDomains" option is misspelled. This was previously a warning

Removed

  • Breaking: Drop support for Node 16 and 17. Node 18+ is now required

7.2.0 - 2024-09-28

Changed

  • Content-Security-Policy middleware now warns if a directive should have quotes but does not, such as self instead of 'self'. This will be an error in future versions. See #454

7.1.0 - 2023-11-07

Added

  • helmet.crossOriginEmbedderPolicy now supports the unsafe-none directive. See #477

7.0.0 - 2023-05-06

Changed

  • Breaking: Cross-Origin-Embedder-Policy middleware is now disabled by default. See #411

Removed

  • Breaking: Drop support for Node 14 and 15. Node 16+ is now required
  • Breaking: Expect-CT is no longer part of Helmet. If you still need it, you can use the expect-ct package. See #378

6.2.0 - 2023-05-06

  • Expose header names (e.g., strictTransportSecurity for the Strict-Transport-Security header, instead of hsts)
  • Rework documentation

6.1.5 - 2023-04-11

Fixed

  • Fixed yet another issue with TypeScript exports. See #420

6.1.4 - 2023-04-10

Fixed

  • Fix another issue with TypeScript default exports. See #418

6.1.3 - 2023-04-10

Fixed

  • Fix issue with TypeScript default exports. See #417

6.1.2 - 2023-04-09

Fixed

  • Retored main to package to help with some build tools

6.1.1 - 2023-04-08

Fixed

  • Fixed missing package metadata

6.1.0 - 2023-04-08

Changed

  • Improve support for various TypeScript setups, including "nodenext". See #405

6.0.1 - 2022-11-29

Fixed

  • crossOriginEmbedderPolicy did not accept options at the top level. See #390

6.0.0 - 2022-08-26

Changed

  • Breaking: helmet.contentSecurityPolicy no longer sets block-all-mixed-content directive by default
  • Breaking: helmet.expectCt is no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See #310
  • Breaking: Increase TypeScript strictness around some arguments. Only affects TypeScript users, and may not require any code changes. See #369
  • helmet.frameguard no longer offers a specific error when trying to use ALLOW-FROM; it just says that it is unsupported. Only the error message has changed

Removed

  • Breaking: Dropped support for Node 12 and 13. Node 14+ is now required

5.1.1 - 2022-07-23

Changed

  • Fix TypeScript bug with some TypeScript configurations. See #375 and #359

5.1.0 - 2022-05-17

Added

  • Cross-Origin-Embedder-Policy: support credentialless policy. See #365
  • Documented how to set both Content-Security-Policy and Content-Security-Policy-Report-Only

Changed

  • Cleaned up some documentation around Origin-Agent-Cluster

5.0.2 - 2022-01-22

Changed

  • Improve imports for CommonJS and ECMAScript modules. See #345
  • Fixed some documentation

5.0.1 - 2022-01-03

Changed

  • Fixed some documentation

Removed

  • Removed some unused internal code

5.0.0 - 2022-01-02

Added

  • ECMAScript module imports (i.e., import helmet from "helmet" and import { frameguard } from "helmet"). See #320

Changed

  • Breaking: helmet.contentSecurityPolicy: useDefaults option now defaults to true
  • Breaking: helmet.contentSecurityPolicy: form-action directive is now set to 'self' by default
  • Breaking: helmet.crossOriginEmbedderPolicy is enabled by default
  • Breaking: helmet.crossOriginOpenerPolicy is enabled by default
  • Breaking: helmet.crossOriginResourcePolicy is enabled by default
  • Breaking: helmet.originAgentCluster is enabled by default
  • helmet.frameguard: add TypeScript editor autocomplete. See #322
  • Top-level helmet() function is slightly faster

Removed

  • Breaking: Drop support for Node 10 and 11. Node 12+ is now required

4.6.0 - 2021-05-01

Added

  • helmet.contentSecurityPolicy: the useDefaults option, defaulting to false, lets you selectively override defaults more easily
  • Explicitly define TypeScript types in package.json. See #303

4.5.0 - 2021-04-17

Added

  • helmet.crossOriginEmbedderPolicy: a new middleware for the Cross-Origin-Embedder-Policy header, disabled by default
  • helmet.crossOriginOpenerPolicy: a new middleware for the Cross-Origin-Opener-Policy header, disabled by default
  • helmet.crossOriginResourcePolicy: a new middleware for the Cross-Origin-Resource-Policy header, disabled by default

Changed

  • true enables a middleware with default options. Previously, this would fail with an error if the middleware was already enabled by default.
  • Log a warning when passing options to originAgentCluster at the top level

Fixed

  • Incorrect documentation

4.4.1 - 2021-01-18

Changed

  • Shrink the published package by about 2.5 kB

4.4.0 - 2021-01-17

Added

  • helmet.originAgentCluster: a new middleware for the Origin-Agent-Cluster header, disabled by default

4.3.1 - 2020-12-27

Fixed

  • helmet.contentSecurityPolicy: broken TypeScript types. See #283

4.3.0 - 2020-12-27

Added

  • helmet.contentSecurityPolicy: setting the default-src to helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc disables it

Changed

  • helmet.frameguard: slightly improved error messages for non-strings

4.2.0 - 2020-11-01

Added

  • helmet.contentSecurityPolicy: get the default directives with contentSecurityPolicy.getDefaultDirectives()

Changed

  • helmet() now supports objects that don't have Object.prototype in their chain, such as Object.create(null), as options
  • helmet.expectCt: max-age is now first. See #264

4.1.1 - 2020-09-10

Changed

  • Fixed a few errors in the README

4.1.0 - 2020-08-15

Added

  • helmet.contentSecurityPolicy:
    • Directive values can now include functions, as they could in Helmet 3. See #243

Changed

  • Helmet should now play more nicely with TypeScript

Removed

  • The HelmetOptions interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see this comment

4.0.0 - 2020-08-02

See the Helmet 4 upgrade guide for help upgrading from Helmet 3.

Added

  • helmet.contentSecurityPolicy:
    • If no default-src directive is supplied, an error is thrown
    • Directive lists can be any iterable, not just arrays

Changed

  • This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
  • helmet.contentSecurityPolicy:
    • There is now a default set of directives if none are supplied
    • Duplicate keys now throw an error. See helmetjs/csp#73
    • This middleware is more lenient, allowing more directive names or values
  • helmet.xssFilter now disables the buggy XSS filter by default. See #230

Removed

  • Dropped support for old Node versions. Node 10+ is now required
  • helmet.featurePolicy. If you still need it, use the feature-policy package on npm.
  • helmet.hpkp. If you still need it, use the hpkp package on npm.
  • helmet.noCache. If you still need it, use the nocache package on npm.
  • helmet.contentSecurityPolicy:
    • Removed browser sniffing (including the browserSniff and disableAndroid parameters). See helmetjs/csp#97
    • Removed conditional support. This includes directive functions and support for a function as the reportOnly. Read this if you need help.
    • Removed a lot of checks—you should be checking your CSP with a different tool
    • Removed support for legacy headers (and therefore the setAllHeaders parameter). Read this if you need help.
    • Removed the loose option
    • Removed support for functions as directive values. You must supply an iterable of strings
  • helmet.frameguard:
  • helmet.hidePoweredBy no longer accepts arguments. See this article to see how to replicate the removed behavior. See #224.
  • helmet.hsts:
  • helmet.xssFilter no longer accepts options. Read "How to disable blocking with X-XSS-Protection" and "How to enable the report directive with X-XSS-Protection" if you need the legacy behavior.

3.23.3 - 2020-06-26

Changed

  • helmet.expectCt is no longer a separate package. This should have no effect on end users.
  • helmet.frameguard is no longer a separate package. This should have no effect on end users.

3.23.2 - 2020-06-23

Changed

  • helmet.dnsPrefetchControl is no longer a separate package. This should have no effect on end users.

3.23.1 - 2020-06-16

Changed

  • helmet.ieNoOpen is no longer a separate package. This should have no effect on end users.

3.23.0 - 2020-06-12

Deprecated

  • helmet.featurePolicy is deprecated. Use the feature-policy module instead.

3.22.1 - 2020-06-10

Changed

  • Rewrote internals in TypeScript. This should have no effect on end users.

3.22.0 - 2020-03-24

Changed

  • Updated helmet-csp to v2.10.0
    • Add support for the allow-downloads sandbox directive. See helmet-csp#103

Deprecated

  • helmet.noCache is deprecated. Use the nocache module instead. See #215

3.21.3 - 2020-02-24

Changed

  • Updated helmet-csp to v2.9.5
    • Updated bowser subdependency from 2.7.0 to 2.9.0
    • Fixed an issue some people were having when importing the bowser subdependency. See helmet-csp#96 and #101

3.21.2 - 2019-10-21

Changed

  • Updated helmet-csp to v2.9.4
    • Updated bowser subdependency from 2.6.1 to 2.7.0. See helmet-csp#94

3.21.1 - 2019-09-20

Fixed

  • Updated helmet-csp to v2.9.2
    • Fixed a bug where a request from Firefox 4 could delete default-src from future responses
    • Fixed tablet PC detection by updating bowser subdependency to latest version

3.21.0 - 2019-09-04

Added

  • Updated x-xss-protection to v1.3.0
    • Added mode: null to disable mode=block

Changed

  • Updated helmet-csp to v2.9.1
    • Updated bowser subdependency from 2.5.3 to 2.5.4. See helmet-csp#88

3.20.1 - 2019-08-28

Changed

  • Updated helmet-csp to v2.9.0

3.20.0 - 2019-07-24

Changed

  • Updated helmet-csp to v2.8.0

3.19.0 - 2019-07-17

Changed

  • Updated dns-prefetch-control to v0.2.0
  • Updated dont-sniff-mimetype to v1.1.0
  • Updated helmet-crossdomain to v0.4.0
  • Updated hide-powered-by to v1.1.0
  • Updated x-xss-protection to v1.2.0

3.18.0 - 2019-05-05

Added

  • featurePolicy has 19 new features: ambientLightSensor, documentDomain, documentWrite, encryptedMedia, fontDisplayLateSwap, layoutAnimations, legacyImageFormats, loadingFrameDefaultEager, oversizedImages, pictureInPicture, serial, syncScript, unoptimizedImages, unoptimizedLosslessImages, unoptimizedLossyImages, unsizedMedia, verticalScroll, wakeLock, and xr

Changed

  • Updated expect-ct to v0.2.0
  • Updated feature-policy to v0.3.0
  • Updated frameguard to v3.1.0
  • Updated nocache to v2.1.0

3.17.0 - 2019-05-03

Added

  • referrerPolicy now supports multiple values

Changed

  • Updated referrerPolicy to v1.2.0

3.16.0 - 2019-03-10

Added

  • Add email to bugs field in package.json

Changed

  • Updated hsts to v2.2.0
  • Updated ienoopen to v1.1.0
  • Changelog is now in the Keep A Changelog format
  • Dropped support for Node <4. See the commit for more information
  • Updated Adam Baldwin's contact information

Deprecated

  • helmet.hsts's setIf option has been deprecated and will be removed in hsts@3. See helmetjs/hsts#22 for more

  • The includeSubdomains option (with a lowercase d) has been deprecated and will be removed in hsts@3. Use the uppercase-D includeSubDomains option instead. See helmetjs/hsts#21 for more

3.15.1 - 2019-02-10

Deprecated

  • The hpkp middleware has been deprecated. If you still need to use this module, install the standalone hpkp module from npm. See #180 for more.

3.15.0 - 2018-11-07

Added

  • helmet.featurePolicy now supports four new features

3.14.0 - 2018-10-09

Added

  • helmet.featurePolicy middleware

3.13.0 - 2018-07-22

Added

  • helmet.permittedCrossDomainPolicies middleware

3.12.2 - 2018-07-20

Fixed

  • Removed lodash.reduce dependency from csp

3.12.1 - 2018-05-16

Fixed

  • expectCt should use comma instead of semicolon as delimiter

3.12.0 - 2018-03-02

Added

  • xssFilter now supports reportUri option

3.11.0 - 2018-02-09

Added

  • Main Helmet middleware is now named to help with debugging

3.10.0 - 2018-01-23

Added

  • csp now supports prefix-src directive

Fixed

  • csp no longer loads JSON files internally, helping some module bundlers
  • false should be able to disable a CSP directive

3.9.0 - 2017-10-13

Added

  • csp now supports strict-dynamic value
  • csp now supports require-sri-for directive

Changed

  • Removed connect dependency

3.8.2 - 2017-09-27

Changed

  • Updated connect dependency to latest

3.8.1 - 2017-07-28

Fixed

  • csp does not automatically set report-to when setting report-uri

3.8.0 - 2017-07-21

Changed

  • hsts no longer cares whether it's HTTPS and always sets the header

3.7.0 - 2017-07-21

Added

  • csp now supports report-to directive

Changed

  • Throw an error when used incorrectly
  • Add a few documentation files to npmignore

3.6.1 - 2017-05-21

Changed

  • Bump connect version

3.6.0 - 2017-05-04

Added

  • expectCt middleware for setting the Expect-CT header

3.5.0 - 2017-03-06

Added

  • csp now supports the worker-src directive

3.4.1 - 2017-02-24

Changed

  • Bump connect version

3.4.0 - 2017-01-13

Added

  • csp now supports more sandbox directives

3.3.0 - 2016-12-31

Added

  • referrerPolicy allows strict-origin and strict-origin-when-cross-origin directives

Changed

  • Bump connect version

3.2.0 - 2016-12-22

Added

  • csp now allows manifest-src directive

3.1.0 - 2016-11-03

Added

  • csp now allows frame-src directive

3.0.0 - 2016-10-28

Changed

  • csp will check your directives for common mistakes and throw errors if it finds them. This can be disabled with loose: true.
  • Empty arrays are no longer allowed in csp. For source lists (like script-src or object-src), use the standard scriptSrc: ["'none'"]. The sandbox directive can be sandbox: true to block everything.
  • false can disable a CSP directive. For example, scriptSrc: false is the same as not specifying it.
  • In CSP, reportOnly: true no longer requires a report-uri to be set.
  • hsts's maxAge now defaults to 180 days (instead of 1 day)
  • hsts's maxAge parameter is seconds, not milliseconds
  • hsts includes subdomains by default
  • domain parameter in frameguard cannot be empty

Removed

  • noEtag option no longer present in noCache
  • iOS Chrome connect-src workaround in CSP module

2.3.0 - 2016-09-30

Added

  • hpkp middleware now supports the includeSubDomains property with a capital D

Fixed

  • hpkp was setting includeSubdomains instead of includeSubDomains

2.2.0 - 2016-09-16

Added

  • referrerPolicy middleware

2.1.3 - 2016-09-07

Changed

  • Top-level aliases (like helmet.xssFilter) are no longer dynamically required

2.1.2 - 2016-07-27

Deprecated

  • nocache's noEtag option is now deprecated

Fixed

  • csp now better handles Firefox on mobile

2.1.1 - 2016-06-10

Changed

  • Remove several dependencies from helmet-csp

Fixed

  • frameguard had a documentation error about its default value
  • frameguard docs in main Helmet readme said frameguard, not helmet.frameguard

2.1.0 - 2016-05-18

Added

  • csp lets you dynamically set reportOnly

2.0.0 - 2016-04-29

Added

  • Pass configuration to enable/disable default middlewares

Changed

  • dnsPrefetchControl middleware is now enabled by default

Removed

  • No more module aliases. There is now just one way to include each middleware
  • frameguard can no longer be initialized with strings; you must use an object

Fixed

  • Make hpkp lowercase in documentation
  • Update hpkp spec URL in readmes
  • Update frameguard header name in readme

1.3.0 - 2016-03-01

Added

  • hpkp has a setIf option to conditionally set the header

1.2.0 - 2016-02-29

Added

  • csp now has a browserSniff option to disable all user-agent sniffing

Changed

  • frameguard can now be initialized with options
  • Add npmignore file to speed up installs slightly

1.1.0 - 2016-01-12

Added

  • Code of conduct
  • dnsPrefetchControl middleware

Fixed

  • csp readme had syntax errors

1.0.2 - 2016-01-08

Fixed

  • csp wouldn't recognize IE Mobile browsers
  • csp had some errors in its readme
  • Main readme had a syntax error

1.0.1 - 2015-12-19

Fixed

  • csp with no User Agent would cause errors

1.0.0 - 2015-12-18

Added

  • csp module supports dynamically-generated values

Changed

  • csp directives are now under the directives key
  • hpkp's Report-Only header is now opt-in, not opt-out
  • Tweak readmes of every sub-repo

Removed

  • crossdomain middleware
  • csp no longer throws errors when some directives aren't quoted ('self', for example)
  • maxage option in the hpkp middleware
  • safari5 option from csp module

Fixed

  • Old Firefox Content-Security-Policy behavior for unsafe-inline and unsafe-eval
  • Dynamic csp policies is no longer recursive

0.15.0 - 2015-11-26

Changed

  • hpkp allows a report-uri without the Report-Only header

0.14.0 - 2015-11-01

Added

  • nocache now sends the Surrogate-Control header

Changed

  • nocache no longer contains the private directive in the Cache-Control header

0.13.0 - 2015-10-23

Added

  • xssFilter now has a function name
  • Added new CSP docs to readme

Changed

  • HSTS option renamed from includeSubdomains to includeSubDomains

0.11.0 - 2015-09-18

Added

  • csp now supports Microsoft Edge
  • CSP Level 2 support

Changed

  • Updated connect to 3.4.0
  • Updated depd to 1.1.0

Fixed

  • Added license key to csp's package.json
  • Empty csp directives now support every directive, not just sandbox

0.10.0 - 2015-07-08

Added

  • Add "Handling CSP violations" to csp readme
  • Add license to package.json

Changed

  • hpkp had a link to the wrong place in its readme
  • hpkp requires 2 or more pins

Fixed

  • hpkp might have miscalculated maxAge slightly wrong

0.9.0 - 2015-04-24

Changed

  • nocache adds private to its Cache-Control directive
  • Added a description to package.json

0.8.0 - 2015-04-21

Changed

  • Removed hefty Lodash dependency from HSTS and CSP
  • Updated string detection module in Frameguard
  • Changed readme slightly to better reflect project's focus

Deprecated

  • Deprecated crossdomain middleware

Removed

  • crossdomain is no longer a default middleware

0.7.1 - 2015-03-23

Changed

  • Updated all outdated dependencies (insofar as possible)
  • HSTS now uses Lodash like all the rest of the libraries

0.7.0 - 2015-03-05

Added

  • hpkp middleware

Changed

  • Travis CI should test 0.10 and 0.12
  • Minor code cleanup

0.6.2 - 2015-03-01

Changed

  • Improved xssFilter performance
  • Updated Lodash versions

0.6.1 - 2015-02-13

Added

  • "Other recommended modules" in README

Changed

  • Updated Lodash version

Fixed

  • frameguard middleware exported a function called xframe

0.6.0 - 2015-01-21

Added

  • You can disable csp for Android

Fixed

  • csp on Chrome Mobile on Android and iOS

0.5.4 - 2014-12-21

Changed

  • nocache should force revalidation

0.5.3 - 2014-12-08

Changed

  • platform version in CSP and X-XSS-Protection

Fixed

  • Updated bad wording in frameguard docs

0.5.2 - 2014-11-16

Changed

  • Updated Connect version

Fixed

  • Fixed minor csp bugfixes

0.5.1 - 2014-11-09

Changed

  • Updated URLs in package.json for new URL

Fixed

  • CSP would set all headers forever after receiving an unknown user agent

0.5.0 - 2014-10-28

Added

  • Most middlewares have some aliases now

Changed

  • xframe now called frameguard (though xframe still works)
  • frameguard chooses sameorigin by default
  • frameguard understands "SAME-ORIGIN" in addition to "SAMEORIGIN"
  • nocache removed from default middleware stack
  • Middleware split out into their own modules
  • Documentation
  • Updated supported Node version to at least 0.10.0
  • Bumped Connect version

Removed

  • Deprecation warnings

Fixed

  • Readme link was broken

0.4.2 - 2014-10-16

Added

  • Support preload in HSTS header

0.4.1 - 2014-08-24

Added

0.4.0 - 2014-07-17

Added

  • nocache now sets the Expires and Pragma headers
  • nocache now allows you to crush ETags

Changed

  • Improved the docs for nosniff
  • Reverted HSTS behavior of requiring a specified max-age

Fixed

  • Allow HSTS to have a max-age of 0

0.3.2 - 2014-06-30

Added

  • All middleware functions are named
  • Throw error with non-positive HSTS max-age

Changed

  • Added semicolons in README
  • Make some Errors more specific

Removed

  • Removed all comment headers; refer to the readme

Fixed

  • helmet() was having issues
  • Fixed Syntax errors in README

This changelog was created after the release of 0.3.1.