Skip to main content

HTTP Header: DNS Prefetch Control

The attack​

When you visit a URL, your browser has to look up the domain’s IP address. For example, it has to resolve to This process is called DNS.

Browsers can start these DNS requests before the user even clicks a link or loads a resource from somewhere. This improves performance when the user clicks the link, but has privacy implications for users. It can appear as if a user is visiting things they aren’t visiting.

The header​

The X-DNS-Prefetch-Control header tells browsers whether they should do DNS prefetching. Turning it on may not work—not all browsers support it in all situations—but turning it off should disable it on all supported browsers.

To disable DNS prefetching, set the X-DNS-Prefetch-Control header to off. To attempt to enable it, set the value to on.

Most browsers don’t do DNS prefetching so most browsers can ignore this header.

The code​

This middleware lets you disable browsers’ DNS prefetching by setting the X-DNS-Prefetch-Control header.

const helmet = require('helmet')

// Sets "X-DNS-Prefetch-Control: off".

// Sets "X-DNS-Prefetch-Control: off".
app.use(helmet.dnsPrefetchControl({ allow: false }))

// Sets "X-DNS-Prefetch-Control: on".
app.use(helmet.dnsPrefetchControl({ allow: true }))