Step 6

We have allowed cross-origin requests to our API. That is needed for the front end, but it also means browsers running pages from other origins will now talk to our server, so it is worth hardening the HTTP responses themselves. Another Node package, helmet, helps with this: it sets (and in one case removes) a set of HTTP response headers that protect against several well-known web vulnerabilities, such as clickjacking and MIME-type sniffing. Note that helmet does not undo or restrict the CORS policy we just configured: cors decides which origins may call the API, helmet tells the browser how to treat the responses it gets back.

To use helmet, stop the API server and install it:

npm install helmet

Next, update the index.js file by

  1. Importing helmet

    const helmet = require("helmet");
    
  2. Linking it to express

    app.use(helmet());
    

That's it! Run the server again and send any of the API requests from Postman. Compare the response headers with the ones you saw before: the X-Powered-By: Express header is gone, and helmet has added several new ones (for example X-Content-Type-Options: nosniff and X-Frame-Options: SAMEORIGIN):

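If you would rather check those headers programmatically than eyeball them in Postman, here is an added example (my own, not part of the course code and not part of helmet) that audits a response's headers for the protections helmet() sets by default and for the X-Powered-By header it removes. The two sample header sets are constructed to resemble this API's responses before and after app.use(helmet()); the header values are helmet's defaults at the time of writing and may differ between versions, so treat them as an assumption. auditUrl is a helper for a running server and is not called when the file loads.

```javascript
// Added example (not from the course or from helmet): audit a response's
// headers for the protections helmet() sets by default and for the
// X-Powered-By header it removes. Names are compared case-insensitively,
// because Node and fetch() both report header names in lower case.

// Headers helmet() sets by default (assumed helmet 4 or later). A null
// pattern means any value is accepted; otherwise the value must match.
const REQUIRED = {
  "content-security-policy": null,
  "strict-transport-security": /max-age=\d+/i,
  "x-content-type-options": /^nosniff$/i,
  "x-frame-options": /^(SAMEORIGIN|DENY)$/i,
  "referrer-policy": null,
  "x-dns-prefetch-control": /^off$/i,
};

// Headers that leak the stack; helmet removes X-Powered-By (Express sets it).
const FORBIDDEN = ["x-powered-by"];

// Lower-case the names and flatten array values (Node allows both forms).
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(", ") : String(value);
  }
  return out;
}

// Returns { ok, missing, weak, leaked } for a headers object such as
// res.getHeaders() on the server or Object.fromEntries(res.headers) from fetch().
function auditSecurityHeaders(headers) {
  const h = normalize(headers);
  const missing = [];
  const weak = [];
  for (const [name, pattern] of Object.entries(REQUIRED)) {
    if (!(name in h)) missing.push(name);
    else if (pattern && !pattern.test(h[name])) weak.push(`${name}: ${h[name]}`);
  }
  const leaked = FORBIDDEN.filter((name) => name in h).map((name) => `${name}: ${h[name]}`);
  const ok = missing.length === 0 && weak.length === 0 && leaked.length === 0;
  return { ok, missing, weak, leaked };
}

// Audit a running server (Node 18+ has a global fetch). The URL is whatever
// you pass in; this is not called at load time, so the file runs offline.
async function auditUrl(url) {
  const res = await fetch(url);
  return auditSecurityHeaders(Object.fromEntries(res.headers));
}

// Constructed sample: what this API answered before app.use(helmet()).
// The CORS header is left untouched by helmet in both samples.
const beforeHelmet = {
  "X-Powered-By": "Express",
  "Access-Control-Allow-Origin": "*",
  "Content-Type": "application/json; charset=utf-8",
};

// Constructed sample: the same response after app.use(helmet()). Values are
// helmet's defaults at the time of writing (assumption; versions differ).
const afterHelmet = {
  "Content-Security-Policy": "default-src 'self';base-uri 'self';object-src 'none';script-src 'self'",
  "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
  "Referrer-Policy": "no-referrer",
  "X-DNS-Prefetch-Control": "off",
  "Access-Control-Allow-Origin": "*",
  "Content-Type": "application/json; charset=utf-8",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("before helmet:", auditSecurityHeaders(beforeHelmet));
  console.log("after helmet: ", auditSecurityHeaders(afterHelmet));
}
```

Two caveats worth knowing when you read the audit output. Strict-Transport-Security only has an effect when the response arrives over HTTPS; browsers ignore it on plain http://localhost, so seeing the header locally proves only that helmet is wired in. And helmet's default Content-Security-Policy is strict enough to break HTML pages served by the same Express app (inline scripts, third-party fonts); for a JSON API that is harmless, but if you later serve a front end from this server you will need to tune the contentSecurityPolicy option rather than disable helmet.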
It is beyond the scope of this course to get into the details of what these headers mean and what they do. If you are interested, a good starting point is this short YouTube video Secure ExpressJS Application With Helmet. I also recommend watching this (longer) YouTube video Information Security with HelmetJS with FreeCodeCamp by Dylan Israel.