# Security Headers in Express.js

- ID: javascript-express-security-headers
- Severity: HIGH
- CWE: Protection Mechanism Failure (CWE-693)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify

## Description

Detects applications that do not register a security-headers middleware (such as Helmet). Without it, responses go out without the headers that mitigate XSS, clickjacking, and MIME sniffing.

## Detection Message

Application lacks security headers middleware (helmet, CSP, HSTS, X-Frame-Options, etc.). Without these headers, the app is vulnerable to XSS, clickjacking, MIME sniffing, and protocol downgrade attacks.

## Remediation

Install and configure the helmet middleware:

1. Install: `npm install helmet`
2. Import: `const helmet = require('helmet');`
3. Enable: `app.use(helmet());`

Example:

```javascript
const express = require('express');
const helmet = require('helmet');

const app = express();

// Register helmet before any routes so every response carries the headers.
app.use(helmet());
```

## Related Rules

- **Missing Healthcheck Configuration** [LOW]
- **Chi Missing Security Headers** [MEDIUM]
- **Echo Missing Security Headers** [MEDIUM]
- **Fiber Missing Security Headers** [MEDIUM]
- **Gin Missing Security Headers** [MEDIUM]
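To make concrete what the rule is checking for and what the remediation changes, the following added example (written for this page; it is not helmet's code and not part of the original rule text) contains two pieces: an Express-compatible middleware that sets the headers the detection message names, and an `auditHeaders` function that reports which of them are absent from a response, which is the kind of check a scanner or an integration test would run. The header values in `REQUIRED_HEADERS` are conservative defaults chosen for the example, not helmet's exact defaults; the `mockResponse` helper is a constructed stand-in for Express's `res` so the file runs with plain Node and no server.

```javascript
'use strict';

// Headers the rule expects on every response. The values are this example's
// conservative defaults (an assumption, not helmet's exact output); the CSP in
// particular must be tuned to what the application actually loads.
const REQUIRED_HEADERS = {
  'content-security-policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'no-referrer',
};

// Express-compatible middleware (req, res, next). Sets each header unless the
// route already set one, and drops X-Powered-By, which advertises the framework.
function securityHeaders(overrides = {}) {
  const headers = { ...REQUIRED_HEADERS, ...overrides };
  return function (req, res, next) {
    for (const [name, value] of Object.entries(headers)) {
      if (!res.getHeader(name)) res.setHeader(name, value);
    }
    res.removeHeader('x-powered-by');
    next();
  };
}

// Detection logic: given a response's headers (names in any case), return the
// required header names that are missing. An empty array means the check passes.
function auditHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return Object.keys(REQUIRED_HEADERS).filter((name) => !present.has(name));
}

// Minimal stand-in for Express's res (constructed for this example) so the
// middleware can be exercised without starting an HTTP server.
function mockResponse(initial = {}) {
  const store = {};
  for (const [k, v] of Object.entries(initial)) store[k.toLowerCase()] = v;
  return {
    getHeader: (n) => store[n.toLowerCase()],
    setHeader: (n, v) => { store[n.toLowerCase()] = v; },
    removeHeader: (n) => { delete store[n.toLowerCase()]; },
    getHeaders: () => ({ ...store }),
  };
}

// Audit a bare response (what an unprotected Express app emits), then run the
// middleware over an identical response and audit again.
function demo() {
  const unprotected = mockResponse({ 'X-Powered-By': 'Express' });
  const missingBefore = auditHeaders(unprotected.getHeaders());

  const res = mockResponse({ 'X-Powered-By': 'Express' });
  securityHeaders()({}, res, () => {});
  const missingAfter = auditHeaders(res.getHeaders());

  return { missingBefore, missingAfter, headers: res.getHeaders() };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real deployment the audit side belongs in an integration test that fetches a route and asserts `auditHeaders(response.headers)` is empty; that catches the case where `app.use(helmet())` was added after a route or a sub-router, so some responses still ship without the headers.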