
Helmet

Helmet helps secure your app by setting common HTTP security response headers.

Signatures

func New(config ...Config) fiber.Handler

Examples

Once your Fiber app is initialized, add the middleware:

package main

import (
	"log"

	"github.com/gofiber/fiber/v3"
	"github.com/gofiber/fiber/v3/middleware/helmet"
)

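// main starts a Fiber app with the helmet middleware using its defaults
// (see ConfigDefault) and serves a single route on :3000.
func main() {
	app := fiber.New()

	// helmet.New() with no Config uses ConfigDefault. Note that HSTSMaxAge
	// is 0 there, so Strict-Transport-Security is not configured by this
	// example; set it explicitly when the app is served over TLS.
	app.Use(helmet.New())

	app.Get("/", func(c fiber.Ctx) error {
		return c.SendString("Welcome!")
	})

	// Listen returns an error if the server cannot start; surface it
	// instead of dropping it silently.
	log.Fatal(app.Listen(":3000"))
}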

Test

# Request only the response headers; the headers listed in the Config table
# should appear in the output.
curl --head http://localhost:3000

Config

| Property | Type | Description | Default |
|---|---|---|---|
| Next | `func(fiber.Ctx) bool` | Skips the middleware when the function returns true. | `nil` |
| XSSProtection | `string` | Value for the X-XSS-Protection header. | `"0"` |
| ContentTypeNosniff | `string` | Value for the X-Content-Type-Options header. | `"nosniff"` |
| XFrameOptions | `string` | Value for the X-Frame-Options header. | `"SAMEORIGIN"` |
| HSTSMaxAge | `int` | max-age value for the Strict-Transport-Security header. | `0` |
| HSTSExcludeSubdomains | `bool` | Disables HSTS on subdomains when true. | `false` |
| ContentSecurityPolicy | `string` | Value for the Content-Security-Policy header. | `""` |
| CSPReportOnly | `bool` | Enables report-only mode for CSP. | `false` |
| HSTSPreloadEnabled | `bool` | Adds the preload directive to HSTS. | `false` |
| ReferrerPolicy | `string` | Value for the Referrer-Policy header. | `"no-referrer"` |
| PermissionPolicy | `string` | Value for the Permissions-Policy header. | `""` |
| CrossOriginEmbedderPolicy | `string` | Value for the Cross-Origin-Embedder-Policy header. | `"require-corp"` |
| CrossOriginOpenerPolicy | `string` | Value for the Cross-Origin-Opener-Policy header. | `"same-origin"` |
| CrossOriginResourcePolicy | `string` | Value for the Cross-Origin-Resource-Policy header. | `"same-origin"` |
| OriginAgentCluster | `string` | Value for the Origin-Agent-Cluster header. | `"?1"` |
| XDNSPrefetchControl | `string` | Value for the X-DNS-Prefetch-Control header. | `"off"` |
| XDownloadOptions | `string` | Value for the X-Download-Options header. | `"noopen"` |
| XPermittedCrossDomain | `string` | Value for the X-Permitted-Cross-Domain-Policies header. | `"none"` |

Default Config

// ConfigDefault holds the default header values documented in the Config
// table. Fields not listed here keep their Go zero value (for example
// HSTSMaxAge is 0 and ContentSecurityPolicy is ""), so the corresponding
// headers are not configured unless set explicitly.
var ConfigDefault = Config{
	// Legacy and browser-feature headers.
	XSSProtection:         "0",
	ContentTypeNosniff:    "nosniff",
	XFrameOptions:         "SAMEORIGIN",
	XDownloadOptions:      "noopen",
	XDNSPrefetchControl:   "off",
	XPermittedCrossDomain: "none",

	// Referrer and origin-isolation headers.
	ReferrerPolicy:            "no-referrer",
	OriginAgentCluster:        "?1",
	CrossOriginEmbedderPolicy: "require-corp",
	CrossOriginOpenerPolicy:   "same-origin",
	CrossOriginResourcePolicy: "same-origin",
}