Helmet is actually just a collection of smaller middleware functions that set security-related HTTP response headers: csp sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections. hidePoweredBy removes the X-Powered-By header.