Skip to main content
Version: Next

Helmet

Helmet middleware helps secure your apps by setting various HTTP headers.

Signatures

func New(config ...Config) fiber.Handler

Examples

package main

import (
    "github.com/gofiber/fiber/v3"
    "github.com/gofiber/fiber/v3/middleware/helmet"
)

func main() {
    app := fiber.New()

    app.Use(helmet.New())

    app.Get("/", func(c fiber.Ctx) error {
      return c.SendString("Welcome!")
    })

    app.Listen(":3000")
}

Test

curl -I http://localhost:3000

Config

PropertyTypeDescriptionDefault
Nextfunc(fiber.Ctx) boolNext defines a function to skip middleware.nil
XSSProtectionstringXSSProtection"0"
ContentTypeNosniffstringContentTypeNosniff"nosniff"
XFrameOptionsstringXFrameOptions"SAMEORIGIN"
HSTSMaxAgeintHSTSMaxAge0
HSTSExcludeSubdomainsboolHSTSExcludeSubdomainsfalse
ContentSecurityPolicystringContentSecurityPolicy""
CSPReportOnlyboolCSPReportOnlyfalse
HSTSPreloadEnabledboolHSTSPreloadEnabledfalse
ReferrerPolicystringReferrerPolicy"ReferrerPolicy"
PermissionPolicystringPermissions-Policy""
CrossOriginEmbedderPolicystringCross-Origin-Embedder-Policy"require-corp"
CrossOriginOpenerPolicystringCross-Origin-Opener-Policy"same-origin"
CrossOriginResourcePolicystringCross-Origin-Resource-Policy"same-origin"
OriginAgentClusterstringOrigin-Agent-Cluster"?1"
XDNSPrefetchControlstringX-DNS-Prefetch-Control"off"
XDownloadOptionsstringX-Download-Options"noopen"
XPermittedCrossDomainstringX-Permitted-Cross-Domain-Policies"none"

Default Config

var ConfigDefault = Config{
    XSSProtection:             "0",
    ContentTypeNosniff:        "nosniff",
    XFrameOptions:             "SAMEORIGIN",
    ReferrerPolicy:            "no-referrer",
    CrossOriginEmbedderPolicy: "require-corp",
    CrossOriginOpenerPolicy:   "same-origin",
    CrossOriginResourcePolicy: "same-origin",
    OriginAgentCluster:        "?1",
    XDNSPrefetchControl:       "off",
    XDownloadOptions:          "noopen",
    XPermittedCrossDomain:     "none",
}