Node Modules

Keeping in mind with the principles of Avoid DIY Security and Choose third-party software wisely., there are two commonly used node modules that can be used to help secure your node servers - helmet, and lusca by PayPal. Both of these offer similar, but different sets of functionality.


Helmet is a collection of middleware that can be included with your express server to help protect against a few common attack vectors, and consists of.

Helmet out of the box without an extra configuration will make use of most of the above middleware with the exception of

  • contentSecurityPolicy
  • dnsPrefetchControl
  • hpkp
  • noCache

Which require some additional configuration, and/or may not be appropriate in all environments.


lusca is another collection of middleware to protect against some common attacks, and is part of the Kraken framework by PayPal. However, it can be used independently of Kraken, as Kraken is a framework that is built on-top of Express.

While there is some overlap between Lusca and Helmet, the features provided by Lusca include:

For all of the features of Lusca to work, you will also need to use either express-session, or cookie-session.

Lucsa and CSRF

One of the noteworthy features of Lucasa, and their CSRF support, is an Angular specific that will et lusca up to use the default settings for CSRF validation according to the AngularJS docs.