Avoid disabling core Helmet protections | Critiq Docs

#Metadata

Rule ID: ts.security.insecure-helmet-hardening-options
Severity: medium
Confidence: 0.86
Languages: javascript, typescript
Presets: security, strict
Stability: stable
Applies to: block
Tags: express, headers, rules-catalog, security

#Why it matters

Turning off individual Helmet middlewares removes baseline HTTP hardening that is a high-signal misconfiguration risk.

#Remediation

Remove false overrides for nosniff, HSTS, DNS prefetch control, Expect-CT, and referrer policy unless a documented compensating control applies.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.insecure-helmet-hardening-options.rule.yaml.

Back to directory Open rule in repository