diff --git a/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql b/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql index c1ff6ca3e39..3a2643d603e 100644 --- a/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql +++ b/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql @@ -5,7 +5,7 @@ * @problem.severity error * @security-severity 5.0 * @precision high - * @id javascript/insecure-helmet-configuration + * @id js/insecure-helmet-configuration * @tags security * cwe-693 * cwe-1021 diff --git a/javascript/ql/src/change-notes/2024-06-19-insecure-helmet-config.md b/javascript/ql/src/change-notes/2024-06-19-insecure-helmet-config.md new file mode 100644 index 00000000000..bee7ccb8fb9 --- /dev/null +++ b/javascript/ql/src/change-notes/2024-06-19-insecure-helmet-config.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* Added a new query, `js/insecure-helmet-configuration`, to detect instances where Helmet middleware is configured with important security features disabled.
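Review bot: In InsecureHelmet.ql, the `@id` line changes from `javascript/insecure-helmet-configuration` to `js/insecure-helmet-configuration`, but nothing else in this patch updates references to the old id. Please search the repository for the old string (query suites, tests, documentation) and update any match in the same commit, because anything that selects or suppresses this query by id matches on the exact string and would silently stop applying after the rename.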
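Review bot: In the new change note 2024-06-19-insecure-helmet-config.md, the added sentence says "important security features disabled" without naming which Helmet options the query reports. Please list the specific settings the query flags so a changelog reader can tell whether their configuration is affected. Also, the note is filed as `category: newQuery` while InsecureHelmet.ql is modified rather than created in this patch; if the query was ever available under the old `javascript/` id, mention the rename in the note.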