Helmet for security headers in Express - Practice Problems & Coding Challenges

Challenge - 5 Problems
component_behavior
intermediate
What is the effect of using Helmet's default configuration in an Express app?

Consider an Express app that uses app.use(helmet()) with no options. What does this do?

Express
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet());
app.get('/', (req, res) => res.send('Hello'));
app.listen(3000);
A. It sets a collection of common security headers with default safe values.
B. It automatically redirects all HTTP requests to HTTPS.
C. It only sets the Content-Security-Policy header with a strict policy.
D. It disables all HTTP headers to improve performance.
💡 Hint

Think about what Helmet does by default without extra options.

📝 Syntax
intermediate
Which Helmet middleware usage is syntactically correct to disable the Content Security Policy?

You want to disable the Content Security Policy (CSP) middleware in Helmet. Which code snippet is correct?

A. app.use(helmet({ contentSecurityPolicy: false }));
B. app.use(helmet.disable('contentSecurityPolicy'));
C. app.use(helmet({ disable: ['contentSecurityPolicy'] }));
D. app.use(helmet().contentSecurityPolicy(false));
💡 Hint

Check Helmet's option object syntax for disabling specific middleware.

🔧 Debug
advanced
Why does this Helmet setup throw at startup?

Review this code snippet and identify why it throws an error when the server starts, before a single request is served.

Express
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet({
  contentSecurityPolicy: {
    useDefaults: false,
    directives: { scriptSrc: ["'self'"] }
  }
}));
app.listen(3000);
A. Helmet middleware must be registered after app.listen, not before.
B. With useDefaults: false the policy has no default-src, and Helmet refuses to build a Content-Security-Policy without one.
C. scriptSrc is not a valid key; Helmet only accepts the kebab-case name script-src.
D. helmet.contentSecurityPolicy is deprecated and was removed in recent versions.
💡 Hint

Helmet validates the CSP directives when the middleware is created, not per request. Every policy needs a default-src unless you opt out explicitly with helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc.

state_output
advanced
Which headers are missing after this Helmet configuration?

Given this Express app code, which security header will NOT be set?

Express
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet({
  frameguard: false,
  dnsPrefetchControl: false
}));
app.get('/', (req, res) => res.send('OK'));
app.listen(3000);
A. Strict-Transport-Security header is NOT set.
B. All default Helmet headers are set.
C. Content-Security-Policy header is NOT set.
D. X-Frame-Options and X-DNS-Prefetch-Control headers are NOT set.
💡 Hint

Look at which middleware are disabled explicitly; every other default stays on, including Strict-Transport-Security, which Helmet sends whether or not the request arrived over HTTPS.
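Checking the response, rather than trusting the configuration, is what a practitioner would do after a question like this. The following is an added example written for this page, not code from Helmet or Express: a small audit function that takes a response's headers and reports which of Helmet's default headers are missing, which carry an unexpected value, and whether X-Powered-By leaked through. The expected values are Helmet's documented defaults (v5 and later; Cross-Origin-Embedder-Policy is left out because its default has changed between major versions), and the sample headers are constructed to match the app above with frameguard and dnsPrefetchControl disabled, plus a stray X-Powered-By.

```javascript
// Helmet's default headers with their documented default values (Helmet v5 and later).
// Cross-Origin-Embedder-Policy is omitted because its default has changed between majors.
// null means "value is deployment-specific; only check that the header is present".
const HELMET_DEFAULTS = {
  'content-security-policy': null,
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-resource-policy': 'same-origin',
  'origin-agent-cluster': '?1',
  'referrer-policy': 'no-referrer',
  'strict-transport-security': 'max-age=15552000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'x-dns-prefetch-control': 'off',
  'x-download-options': 'noopen',
  'x-frame-options': 'SAMEORIGIN',
  'x-permitted-cross-domain-policies': 'none',
  'x-xss-protection': '0',
};

// Headers Helmet removes (hidePoweredBy); seeing one means Helmet is not in front of this
// response, or a proxy re-added it.
const MUST_BE_ABSENT = ['x-powered-by'];

// Header names are case-insensitive, so compare on a lowercased copy.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(', ') : String(value);
  }
  return out;
}

// Returns the three kinds of finding plus an overall ok flag.
function auditHelmetHeaders(headers) {
  const h = normalizeHeaders(headers);
  const missing = [];
  const wrongValue = [];
  const leaked = [];
  for (const [name, expected] of Object.entries(HELMET_DEFAULTS)) {
    if (!(name in h)) { missing.push(name); continue; }
    if (expected !== null && h[name] !== expected) {
      wrongValue.push({ name, expected, actual: h[name] });
    }
  }
  for (const name of MUST_BE_ABSENT) if (name in h) leaked.push(name);
  return { missing, wrongValue, leaked, ok: !missing.length && !wrongValue.length && !leaked.length };
}

// Constructed sample, not a real capture: what the app above sends with frameguard and
// dnsPrefetchControl disabled, plus an X-Powered-By that an upstream proxy re-added.
const sampleResponseHeaders = {
  'Content-Security-Policy': "default-src 'self';base-uri 'self';object-src 'none';script-src 'self'",
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
  'Origin-Agent-Cluster': '?1',
  'Referrer-Policy': 'no-referrer',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Download-Options': 'noopen',
  'X-Permitted-Cross-Domain-Policies': 'none',
  'X-XSS-Protection': '0',
  'X-Powered-By': 'Express',
  'Content-Type': 'text/html; charset=utf-8',
};

function auditSample() {
  return auditHelmetHeaders(sampleResponseHeaders);
}

// Stand-alone demo; harmless when the file is imported instead of run.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditSample(), null, 2));
}
```

Feed it the headers from a real response (for example the `headers` object of a supertest response, or the output of `curl -sI http://localhost:3000/` parsed into an object); the audit lowercases header names, so either source works.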

🧠 Conceptual
expert
Why is it important to configure Helmet's Content Security Policy carefully in a React app?

In a React single-page app served by Express with Helmet, why must the Content Security Policy (CSP) be configured carefully?

A. Because Helmet disables React's rendering lifecycle when CSP is enabled.
B. Because a strict CSP can block inline scripts and styles React relies on, causing the app to break.
C. Because CSP automatically disables React's state management if misconfigured.
D. Because CSP only affects server-side code and has no impact on React apps.
💡 Hint

Think about what CSP blocks and how React uses scripts and styles. Helmet's default policy sets script-src 'self', so inline <script> tags (and eval) are blocked unless they carry a nonce or hash the policy trusts; style-src allows 'unsafe-inline' by default, so inline styles still work until you tighten that directive too.

Practice

1. What is the main purpose of using helmet in an Express app?
easy
A. To add security headers that protect the app from common web attacks
B. To handle database connections securely
C. To improve the app's performance by caching
D. To manage user authentication and sessions

Solution

  1. Step 1: Understand Helmet's role

    Helmet is a middleware that adds HTTP headers to improve security.
  2. Step 2: Identify the main benefit

    These headers instruct the browser to mitigate attacks such as cross-site scripting (via Content-Security-Policy) and clickjacking (via X-Frame-Options and frame-ancestors).
  3. Final Answer:

    To add security headers that protect the app from common web attacks -> Option A
  4. Quick Check:

    Helmet adds security headers = A [OK]
Hint: Helmet = security headers for Express apps [OK]
Common Mistakes:
  • Confusing Helmet with authentication middleware
  • Thinking Helmet manages database or caching
  • Assuming Helmet improves app speed
2. In a CommonJS module, which of the following is the correct way to register Helmet in an Express app?
easy
A. import helmet from 'helmet'; app.use(helmet());
B. const helmet = require('helmet'); app.use(helmet());
C. const helmet = require('helmet'); app.use(helmet);
D. import helmet from 'helmet'; app.use(helmet);

Solution

  1. Step 1: Check import syntax

    In CommonJS, use const helmet = require('helmet');. The ES module form import helmet from 'helmet'; (option A) is equally valid, but only in a file loaded as an ES module, which the question rules out.
  2. Step 2: Use helmet as middleware function

    Helmet must be called as a function: helmet(), then passed to app.use().
  3. Final Answer:

    const helmet = require('helmet'); app.use(helmet()); -> Option B
  4. Quick Check:

    Require + call helmet() = B [OK]
Hint: Require helmet and call it as a function in app.use() [OK]
Common Mistakes:
  • Forgetting to call helmet() as a function
  • Using require with ES module import style
  • Passing helmet without parentheses to app.use
3. Given this Express code snippet, what HTTP header will be set by Helmet by default?
import express from 'express';
import helmet from 'helmet';
const app = express();
app.use(helmet());
app.get('/', (req, res) => res.send('Hello'));
app.listen(3000);
medium
A. Cache-Control
B. X-Powered-By
C. Access-Control-Allow-Origin
D. X-DNS-Prefetch-Control

Solution

  1. Step 1: Recall Helmet default headers

    Helmet sets several headers by default, including X-DNS-Prefetch-Control: off, which stops the browser prefetching DNS for links on the page.
  2. Step 2: Identify headers not set by default

    Cache-Control is not set by Helmet (its old noCache middleware was removed in v4; use the nocache package if you need it); X-Powered-By is removed by Helmet, not set; Access-Control-Allow-Origin is a CORS header that comes from the cors package, not Helmet. Note that Content-Security-Policy, by contrast, has been on by default since Helmet 4.
  3. Final Answer:

    X-DNS-Prefetch-Control -> Option D
  4. Quick Check:

    Helmet default header = X-DNS-Prefetch-Control [OK]
Hint: Helmet sets X-DNS-Prefetch-Control by default [OK]
Common Mistakes:
  • Assuming Helmet still sets Cache-Control (it has not since v4)
  • Thinking Helmet adds CORS headers
  • Confusing X-Powered-By removal with setting
4. What is wrong with this code snippet using Helmet?
import express from 'express';
import helmet from 'helmet';
const app = express();
app.use(helmet);
app.listen(3000);
medium
A. Helmet middleware is not called as a function
B. Helmet is not imported correctly
C. Express app is not created properly
D. app.listen is missing a callback

Solution

  1. Step 1: Check Helmet usage

    The code uses app.use(helmet); but Helmet must be called as a function: helmet().
  2. Step 2: Verify other parts

    Helmet import is valid; Express app creation is valid; app.listen callback is optional.
  3. Final Answer:

    Helmet middleware is not called as a function -> Option A
  4. Quick Check:

    Use helmet() in app.use() [OK]
Hint: Always call helmet() and pass the returned middleware to app.use() [OK]
Common Mistakes:
  • Passing helmet without parentheses to app.use
  • Confusing import styles
  • Thinking app.listen needs a callback
5. You want to disable the Content-Security-Policy header in Helmet but keep all other default headers. Which code correctly achieves this?
hard
A. app.use(helmet({ disable: ['contentSecurityPolicy'] }));
B. app.use(helmet.disable('contentSecurityPolicy'));
C. app.use(helmet({ contentSecurityPolicy: false }));
D. app.use(helmet().disable('contentSecurityPolicy'));

Solution

  1. Step 1: Understand Helmet options

    Helmet lets you disable a specific middleware by passing an options object with that middleware's key (here contentSecurityPolicy) set to false; every other default stays on.
  2. Step 2: Identify correct syntax

    The correct way is helmet({ contentSecurityPolicy: false }). Other options shown are invalid methods or syntax.
  3. Final Answer:

    app.use(helmet({ contentSecurityPolicy: false })); -> Option C
  4. Quick Check:

    Disable header via option false = C [OK]
Hint: Disable headers by setting option to false in helmet() [OK]
Common Mistakes:
  • Trying to call disable() method on helmet
  • Passing disable array option (not supported)
  • Calling disable on helmet() instance