
I have an Express server running on port 8080 using webpack. I installed helmet as described in the package docs

const express = require('express')
const helmet = require('helmet')
const app = express()
app.use(helmet()) // registers Helmet's default middleware set
app.listen(8080)

Yet when I `npm start` I still see the `x-powered-by: Express` header on localhost and none of the dns-prefetch, xss or other headers that Helmet is supposed to enable. I restarted the server several times and deleted my build folder so it is not cached, and am lost as to why it's not working. Any thoughts or pointers will be greatly appreciated!

Locokiter

  • Something must not be installed properly or you're not running the file you think you are because all it takes for me to see the proper effects (like the `x-powered-by` header being removed) is `app.use(helmet())`. So, the code you are showing us is correct. Something else is amiss in your project. – jfriend00 Jan 17 '20 at 01:37

1 Answer

You need to explicitly invoke the middleware like so:

const hidePoweredBy = require('hide-powered-by')
app.use(hidePoweredBy())

https://expressjs.com/en/advanced/best-practice-security.html

Can also try

app.disable('x-powered-by')

KrishnaSingh

  • Thanks! But isn't this line invoking the middleware: `app.use(helmet())`? Where in that docs link do you see `require('hide-powered-by')`? Also, my problem isn't just the x-powered-by, I don't see any of the headers Helmet is supposed to add... it's like Helmet is not enabled at all. – Locokiter Jan 17 '20 at 01:22
  • Once you click the link I have shared and navigate to the page, search for helmet usage; you will find all the middleware which helmet brings in, but it looks like you need to configure them explicitly. Thanks – KrishnaSingh Jan 17 '20 at 01:34
  • You can see right on this page https://www.npmjs.com/package/helmet#how-it-works that `hidePoweredBy` is enabled by default (as are many others). It's not working for the OP for other reasons, not because of this. – jfriend00 Jan 17 '20 at 01:41
  • Agree, as per the doc it should work; try `app.use(helmet.noCache())` – KrishnaSingh Jan 17 '20 at 01:45
  • You can also try using express without webpack and check if things work; maybe it's a webpack config issue. Thanks – KrishnaSingh Jan 17 '20 at 01:54
  • @KrishnaSingh I ran express without webpack like you suggested and then Helmet worked out of the box! x-powered-by header was gone and all other headers showed up. Now I'm off to chase down why... but your answer was a huge help. Thank you!! – Locokiter Jan 17 '20 at 16:35