Step 13
We have allowed cross-domain requests to our API. This is needed; however, it makes our server more vulnerable to various security risks. We can get help from another Node package called helmet to compensate for this. Helmet can protect our API from some well-known web vulnerabilities by setting (and removing) HTTP response headers appropriately.
To use helmet, stop the API server and install it:
npm install helmet
Next, update the /server/index.js file by importing helmet:
const helmet = require("helmet");
Next, link it to Express. This must be done before binding any of the route handlers; middleware only runs for routes registered after it, so any route bound earlier would be served without Helmet's headers!
app.use(helmet());
That's it! Rerun the server and run any of the API requests in Postman. Make a note of the new response headers.
It is beyond the scope of this course to go into the details of what these headers mean and what they do. However, if you are interested, a good starting point is the short YouTube video Secure ExpressJS Application With Helmet. I also recommend watching the (longer) YouTube video Information Security with HelmetJS from FreeCodeCamp, by Dylan Israel.