Express app without helmet
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
An Express/Fastify server was detected with no helmet dependency or usage, so it sends none of the standard hardening response headers.
Why it matters
Without helmet an Express app returns none of the standard hardening headers, so browsers get no HSTS, no X-Content-Type-Options, no frame protection, and no baseline Content-Security-Policy. That widens the blast radius of any XSS or content-type confusion bug and leaves the app open to clickjacking and protocol downgrade. These headers are cheap defense-in-depth that most reviewers and scanners expect to see.
How to fix it
Install helmet and mount it early: app.use(helmet()). Review the defaults, then tighten the Content-Security-Policy for your app rather than leaving it at the permissive default, and enable HSTS once the site is HTTPS-only. If you use Fastify, use @fastify/helmet instead.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo