Helmet (https://www.npmjs.com/package/helmet) is not a security silver bullet (do Helmet's authors think we're trying to protect against vampires?). Instead it is a toolkit for setting various security headers and taking other protective measures.
In the notes
directory, install the package like so:
$ npm install helmet --save
Then add this to notes/app.mjs
:
import helmet from 'helmet'; ... const app = express(); export default app; app.use(helmet());
That's enough for most applications. Using Helmet out-of-the-box provides a reasonable set of default security options. We could be done with this section right now, except that it's useful to examine closely what Helmet does, and its options.
Helmet is actually a cluster of 12 modules for applying several security techniques. Each of the techniques can be individually enabled or disabled, and many have configuration settings to make.