Skip to main content
Version: v2.x

Helmet

Helmet middleware helps secure your apps by setting various HTTP headers.

Signatures

func New(config ...Config) fiber.Handler

Examples

package main

import (
  "github.com/gofiber/fiber/v2"
  "github.com/gofiber/fiber/v2/middleware/helmet"
)

func main() {
  app := fiber.New()

  app.Use(helmet.New())

  app.Get("/", func(c *fiber.Ctx) error {
    return c.SendString("Welcome!")
  })

  app.Listen(":3000")
}

Test:

curl -I http://localhost:3000

Config

PropertyTypeDescriptionDefault
Nextfunc(*fiber.Ctx) boolNext defines a function to skip middleware.nil
XSSProtectionstringXSSProtection"0"
ContentTypeNosniffstringContentTypeNosniff"nosniff"
XFrameOptionsstringXFrameOptions"SAMEORIGIN"
HSTSMaxAgeintHSTSMaxAge0
HSTSExcludeSubdomainsboolHSTSExcludeSubdomainsfalse
ContentSecurityPolicystringContentSecurityPolicy""
CSPReportOnlyboolCSPReportOnlyfalse
HSTSPreloadEnabledboolHSTSPreloadEnabledfalse
ReferrerPolicystringReferrerPolicy"ReferrerPolicy"
PermissionPolicystringPermissions-Policy""
CrossOriginEmbedderPolicystringCross-Origin-Embedder-Policy"require-corp"
CrossOriginOpenerPolicystringCross-Origin-Opener-Policy"same-origin"
CrossOriginResourcePolicystringCross-Origin-Resource-Policy"same-origin"
OriginAgentClusterstringOrigin-Agent-Cluster"?1"
XDNSPrefetchControlstringX-DNS-Prefetch-Control"off"
XDownloadOptionsstringX-Download-Options"noopen"
XPermittedCrossDomainstringX-Permitted-Cross-Domain-Policies"none"

Default Config

var ConfigDefault = Config{
	XSSProtection:             "0",
	ContentTypeNosniff:        "nosniff",
	XFrameOptions:             "SAMEORIGIN",
	ReferrerPolicy:            "no-referrer",
	CrossOriginEmbedderPolicy: "require-corp",
	CrossOriginOpenerPolicy:   "same-origin",
	CrossOriginResourcePolicy: "same-origin",
	OriginAgentCluster:        "?1",
	XDNSPrefetchControl:       "off",
	XDownloadOptions:          "noopen",
	XPermittedCrossDomain:     "none",
}
Last updated on