freeCodeCamp · ShaunSHamilton · Feb 6, 2021 · Feb 4, 2021
diff --git a/...ation-security/information-security-with-helmetjs/install-and-require-helmet.md b/...ation-security/information-security-with-helmetjs/install-and-require-helmet.md
@@ -16,7 +16,7 @@ Helmet helps you secure your Express apps by setting various HTTP headers.
 
 All your code for these lessons goes in the `myApp.js` file between the lines of code we have started you off with. Do not change or delete the code we have added for you.
 
-Install Helmet version `3.21.3`, then require it.
+Install Helmet version `3.21.3`, then require it. You can install a specific version of a package with `npm install --save-exact package@version`, or by adding it to your `package.json` directly.
 
 # --hints--
 
@@ -26,8 +26,9 @@ Install Helmet version `3.21.3`, then require it.
 (getUserInput) =>
   $.get(getUserInput('url') + '/_api/package.json').then(
     (data) => {
-      var packJson = JSON.parse(data);
-      assert(packJson.dependencies.helmet === '3.21.3');
+      const packJson = JSON.parse(data);
+      const helmet = packJson.dependencies.helmet;
+      assert(helmet === '3.21.3' || helmet === '^3.21.3');
     },
     (xhr) => {
       throw new Error(xhr.responseText);

diff --git a/...ith-helmetjs/set-a-content-security-policy-with-helmet.contentsecuritypolicy.md b/...ith-helmetjs/set-a-content-security-policy-with-helmet.contentsecuritypolicy.md
@@ -16,13 +16,13 @@ By default, directives are wide open, so it’s important to set the defaultSrc
 
 # --instructions--
 
-In this exercise, use `helmet.contentSecurityPolicy()`, and configure it setting the `defaultSrc directive` to `["self"]` (the list of allowed sources must be in an array), in order to trust only your website address by default. Set also the `scriptSrc` directive so that you will allow scripts to be downloaded from your website, and from the domain 'trusted-cdn.com'.
+In this exercise, use `helmet.contentSecurityPolicy()`. Configure it by adding a `directives` object. In the object, set the `defaultSrc` to `["'self'"]` (the list of allowed sources must be in an array), in order to trust only your website address by default. Also set the `scriptSrc` directive so that you only allow scripts to be downloaded from your website (`'self'`), and from the domain `'trusted-cdn.com'`.
 
-Hint: in the `self` keyword, the single quotes are part of the keyword itself, so it needs to be enclosed in double quotes to be working.
+Hint: in the `'self'` keyword, the single quotes are part of the keyword itself, so it needs to be enclosed in double quotes to be working.
 
 # --hints--
 
-helmet.csp() middleware should be mounted correctly
+helmet.contentSecurityPolicy() middleware should be mounted correctly
 
 ```js
 (getUserInput) =>