"You might not need Helmet"

EvanHahn · EvanHahn · commit bf116c5b7659 · 2023-07-02T17:01:10.000-05:00
diff --git a/content/faq/_index.md b/content/faq/_index.md
@@ -5,6 +5,7 @@ title: "Frequently asked questions (FAQ)"
 - [How do I conditionally skip a header?]({{< ref "faq/conditional-skip" >}})
 - [How do I conditionally set header options?]({{< ref "faq/conditional-options" >}})
 - [What modules are similar to Helmet?]({{< ref "faq/see-also" >}})
+- [What if I don't want to install Helmet?]({{< ref "faq/you-might-not-need-helmet" >}})
 - [How do I use Helmet without Express?]({{< ref "faq/use-without-express" >}})
 - [How do I upgrade from Helmet 3 to Helmet 4?]({{< ref "faq/helmet-4-upgrade" >}})
 - [How do I set both `Content-Security-Policy` and `Content-Security-Policy-Report-Only` headers?](https://github.com/helmetjs/helmet/issues/351#issuecomment-1015498560)
diff --git a/content/faq/see-also.md b/content/faq/see-also.md
@@ -34,3 +34,5 @@ There are also other modules like Helmet for Node if you don't like us:
 
 * [hood](https://github.com/seanmonstar/hood)
 * [lusca](https://github.com/krakenjs/lusca)
+
+And finally, if you would rather not use Helmet, see [this guide]({{< ref "faq/you-might-not-need-helmet" >}}) which shows how to accomplish what Helmet does without installing anything new.
diff --git a/content/faq/you-might-not-need-helmet.md b/content/faq/you-might-not-need-helmet.md
@@ -0,0 +1,46 @@
+---
+title: "You might not need Helmet"
+---
+
+Helmet is designed to be easy to use and integrate, but if you want to avoid a dependency and get a slight performance boost, here's how.
+
+By default, Helmet adds 12 HTTP response headers and removes one.
+
+To add Helmet's default response headers, define an object that contains the headers you want to set, then add them in a single middleware. For example:
+
+```js
+const HEADERS = {
+  "Content-Security-Policy":
+    "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
+  "Cross-Origin-Opener-Policy": "same-origin",
+  "Cross-Origin-Resource-Policy": "same-origin",
+  "Origin-Agent-Cluster": "?1",
+  "Referrer-Policy": "no-referrer",
+  "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
+  "X-Content-Type-Options": "nosniff",
+  "X-DNS-Prefetch-Control": "off",
+  "X-Download-Options": "noopen",
+  "X-Frame-Options": "SAMEORIGIN",
+  "X-Permitted-Cross-Domain-Policies": "none",
+  "X-XSS-Protection": "0",
+};
+
+app.use((req, res, next) => {
+  res.set(HEADERS);
+  next();
+});
+```
+
+Feel free to tweak this object as you wish. It doesn't just have to be for Helmet-related headers; if there's a header you always want to set, you can do so here.
+
+Express sets the `X-Powered-By` header [by default](https://expressjs.com/en/4x/api.html#app.settings.table), which Helmet removes. You can override this Express default like this:
+
+```js
+app.disable("x-powered-by");
+```
+
+(This should be done at the top level; no need to do this inside of middleware or anything.)
+
+In my testing, this was about 5%–10% faster than using Helmet, but your performance may vary.
+
+You may still wish to use Helmet as it tries to make things easy to use, but now you can see that you don't have to!
