Securing an ExpressJS web application with Helmet

Helmet helps protect web server applications against common attacks, such as cross-site scripting (XSS), insecure requests, and clickjacking.

Helmet is a collection of 12 middleware functions that allow you to set specific HTTP headers:

  1. Content Security Policy (CSP): This is an effective way to whitelist what kinds of external resources are allowed in your web application, such as JavaScript, CSS, and images.
  2. Certificate Transparency: This is a way of providing more transparency for certificates issued for a specific domain or domains (see https://sites.google.com/a/chromium.org/dev/Home/chromium-security/certificate-transparency).
  3. DNS Prefetch Control: This tells the browser whether it should perform domain name resolution (DNS) for resources that are not yet loaded, such as links.
  4. Frameguard: This helps prevent clickjacking by telling the browser not to allow your web application to be placed inside an iframe.
  5. Hide Powered-By: This simply removes the X-Powered-By header, which would otherwise reveal what technology powers the server. ExpressJS sets this header to "Express" by default.
  6. HTTP Public Key Pinning: This helps prevent man-in-the-middle attacks by pinning your web application's public keys in the Public-Key-Pins header.
  7. HTTP Strict Transport Security: This tells the browser to strictly stick to the HTTPS version of your web application.
  8. IE No Open: This prevents Internet Explorer from executing untrusted downloads, or HTML files, in the context of your site, thus preventing the injection of malicious scripts.
  9. No Cache: This tells the browser to disable caching.
  10. Don't Sniff Mimetype: This forces the browser to disable MIME sniffing, that is, guessing the content type of a served file.
  11. Referrer Policy: The referrer header provides the server with data about where the request originated. This middleware lets developers disable it, or set a stricter policy for when a referrer header is sent.
  12. XSS Filter: This prevents reflected cross-site scripting (XSS) attacks by setting the X-XSS-Protection header.
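To make the list above concrete, here is an added example (not Helmet's own code, and not from the book) of a dependency-free Express-style middleware that sets the same family of response headers the Helmet middlewares set, plus a small checker that reports which protections are missing from a response. The header values are choices made for this example; they follow Helmet's historical defaults, but the defaults of your installed Helmet version may differ, so compare against its documentation. The `fakeResponse` stand-in is constructed so the demo runs offline; in a real application you would do `app.use(securityHeaders())` on an Express app.

```javascript
'use strict';

// Added example (not Helmet's own code): a dependency-free Express-style
// middleware that sets the family of response headers described above.
// Header values are choices for this example; they follow Helmet's historical
// defaults, but your installed Helmet version may differ.

// Build the header map from a few options. Returned as a plain object so it
// can be inspected or unit-tested without a running server.
function buildSecurityHeaders(opts = {}) {
  const {
    cspDirectives = { 'default-src': ["'self'"], 'img-src': ["'self'", 'data:'] },
    hstsMaxAge = 15552000,          // 180 days, in seconds
    referrerPolicy = 'no-referrer',
    noCache = false,
  } = opts;

  // Serialise CSP, e.g. "default-src 'self'; img-src 'self' data:"
  const csp = Object.entries(cspDirectives)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');

  const headers = {
    'Content-Security-Policy': csp,                                          // CSP
    'X-DNS-Prefetch-Control': 'off',                                         // DNS Prefetch Control
    'X-Frame-Options': 'SAMEORIGIN',                                         // Frameguard
    'Strict-Transport-Security': `max-age=${hstsMaxAge}; includeSubDomains`, // HSTS
    'X-Download-Options': 'noopen',                                          // IE No Open
    'X-Content-Type-Options': 'nosniff',                                     // Don't Sniff Mimetype
    'Referrer-Policy': referrerPolicy,                                       // Referrer Policy
    'X-XSS-Protection': '1; mode=block',                                     // XSS Filter
  };
  if (noCache) {                                                             // No Cache
    Object.assign(headers, {
      'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
      Pragma: 'no-cache',
      Expires: '0',
      'Surrogate-Control': 'no-store',
    });
  }
  return headers;
}

// Express/Connect-compatible middleware factory. Also removes X-Powered-By,
// which Express adds by default (the Hide Powered-By protection).
function securityHeaders(opts = {}) {
  const headers = buildSecurityHeaders(opts);
  return function securityHeadersMiddleware(req, res, next) {
    res.removeHeader('X-Powered-By');
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    if (typeof next === 'function') next();
  };
}

// Defender-side check: given a response's headers (any key casing), list the
// expected protections that are absent.
function missingSecurityHeaders(actualHeaders, opts = {}) {
  const present = new Set(Object.keys(actualHeaders).map((k) => k.toLowerCase()));
  return Object.keys(buildSecurityHeaders(opts)).filter(
    (name) => !present.has(name.toLowerCase())
  );
}

// Constructed stand-in for an Express response, so the demo runs offline.
function fakeResponse() {
  const store = {};
  return {
    setHeader(name, value) { store[name] = value; },
    removeHeader(name) { delete store[name]; },
    getHeaders() { return { ...store }; },
  };
}

// Run the middleware against the fake response and report the outcome.
function runDemo() {
  const res = fakeResponse();
  res.setHeader('X-Powered-By', 'Express');   // what Express would have set
  let nextCalled = false;
  securityHeaders({ noCache: true })({}, res, () => { nextCalled = true; });
  const headers = res.getHeaders();
  return { nextCalled, headers, missing: missingSecurityHeaders(headers, { noCache: true }) };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The checker is the useful half for operations: point it at the headers of a real response (for example `res.headers` from an `http.get` to your own server) and any name it returns is a protection the middleware chain never applied, which is the usual failure when a router or static handler is mounted before the security middleware.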