Skip to main content
Version: v2.x

Helmet

Helmet middleware helps secure your apps by setting various HTTP headers.

Signatures

func New(config ...Config) fiber.Handler

Examples

package main

import (
"github.com/gofiber/fiber/v2"
"github.com/gofiber/fiber/v2/middleware/helmet"
)

func main() {
app := fiber.New()

app.Use(helmet.New())

app.Get("/", func(c *fiber.Ctx) error {
return c.SendString("Welcome!")
})

app.Listen(":3000")
}

Test:

curl -I http://localhost:3000

Config

PropertyTypeDescriptionDefault
Nextfunc(*fiber.Ctx) boolNext defines a function to skip middleware.nil
XSSProtectionstringXSSProtection"0"
ContentTypeNosniffstringContentTypeNosniff"nosniff"
XFrameOptionsstringXFrameOptions"SAMEORIGIN"
HSTSMaxAgeintHSTSMaxAge0
HSTSExcludeSubdomainsboolHSTSExcludeSubdomainsfalse
ContentSecurityPolicystringContentSecurityPolicy""
CSPReportOnlyboolCSPReportOnlyfalse
HSTSPreloadEnabledboolHSTSPreloadEnabledfalse
ReferrerPolicystringReferrerPolicy"ReferrerPolicy"
PermissionPolicystringPermissions-Policy""
CrossOriginEmbedderPolicystringCross-Origin-Embedder-Policy"require-corp"
CrossOriginOpenerPolicystringCross-Origin-Opener-Policy"same-origin"
CrossOriginResourcePolicystringCross-Origin-Resource-Policy"same-origin"
OriginAgentClusterstringOrigin-Agent-Cluster"?1"
XDNSPrefetchControlstringX-DNS-Prefetch-Control"off"
XDownloadOptionsstringX-Download-Options"noopen"
XPermittedCrossDomainstringX-Permitted-Cross-Domain-Policies"none"

Default Config

var ConfigDefault = Config{
XSSProtection: "0",
ContentTypeNosniff: "nosniff",
XFrameOptions: "SAMEORIGIN",
ReferrerPolicy: "no-referrer",
CrossOriginEmbedderPolicy: "require-corp",
CrossOriginOpenerPolicy: "same-origin",
CrossOriginResourcePolicy: "same-origin",
OriginAgentCluster: "?1",
XDNSPrefetchControl: "off",
XDownloadOptions: "noopen",
XPermittedCrossDomain: "none",
}