Helmet

The Helmet middleware sets HTTP response headers that help protect against cross-site scripting (XSS), content-type sniffing, clickjacking, insecure (non-HTTPS) connections and other code injection attacks.

Installation

  go get -u github.com/gofiber/helmet

Signature

  helmet.New(config ...Config) func(*Ctx)

Config

Property | Type | Description | Default
Filter | func(*fiber.Ctx) bool | Defines a function to skip the middleware. | nil
XSSProtection | string | Sets the X-XSS-Protection header, which enables the browser's built-in filter against reflected cross-site scripting (XSS). | "1; mode=block"
ContentTypeNosniff | string | Sets the X-Content-Type-Options header so the browser does not override the declared Content-Type by sniffing the response body. | "nosniff"
XFrameOptions | string | Sets the X-Frame-Options header, which tells the browser whether the page may be rendered inside a <frame>, <iframe> or <object>. Sites use it to prevent clickjacking by ensuring their content is not embedded in other sites. Possible values: SAMEORIGIN, DENY, ALLOW-FROM uri. | "SAMEORIGIN"
HSTSMaxAge | int | Sets the Strict-Transport-Security header to tell browsers how long (in seconds) to remember that this site must only be accessed over HTTPS. This reduces exposure to some SSL-stripping man-in-the-middle (MITM) attacks. |
HSTSExcludeSubdomains | bool | Omits the includeSubDomains directive from the Strict-Transport-Security header, so subdomains are not covered by the policy. Has no effect unless HSTSMaxAge is set to a non-zero value. |
ContentSecurityPolicy | string | Sets the Content-Security-Policy header, which protects against cross-site scripting (XSS), clickjacking and other code injection attacks that result from malicious content executing in the trusted web page context. |
CSPReportOnly | bool | Sends the policy in the Content-Security-Policy-Report-Only header instead, so violations are reported but not enforced. |
HSTSPreloadEnabled | bool | Adds the preload directive to the Strict-Transport-Security header. |
ReferrerPolicy | string | Sets the Referrer-Policy header. |

Example

  package main

  import (
  	"github.com/gofiber/fiber"
  	"github.com/gofiber/helmet"
  )

  func main() {
  	app := fiber.New()

  	// Register the middleware globally with its default configuration,
  	// so every response carries the security headers listed above.
  	app.Use(helmet.New())

  	app.Get("/", func(c *fiber.Ctx) {
  		c.Send("Welcome!")
  	})

  	app.Listen(3000)
  	// Inspect the response headers with: curl -I http://localhost:3000
  }
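The curl check above can be automated. The following audit helper is an added example, not code from the helmet project: it takes a response header set and reports which of the headers listed in the Config table are missing or weaker than the documented defaults, parsing the HSTS max-age and accepting either CSP header. It uses only the standard library; the minHSTS threshold parameter is an assumption of this example.

```go
package main

import (
	"net/http"
	"strconv"
	"strings"
)

// Finding is one missing or weak header in an audited response.
type Finding struct{ Header, Reason string }

// hstsMaxAge parses the max-age directive of an HSTS value (ok is false if absent or malformed).
func hstsMaxAge(v string) (maxAge int, ok bool) {
	for _, d := range strings.Split(v, ";") {
		d = strings.TrimSpace(d)
		if strings.HasPrefix(strings.ToLower(d), "max-age=") {
			n, err := strconv.Atoi(d[len("max-age="):])
			return n, err == nil && n >= 0
		}
	}
	return 0, false
}

// AuditHelmetHeaders compares a response header set with the defaults the middleware
// sets and with the opt-in HSTS and CSP headers. minHSTS is the smallest acceptable max-age.
func AuditHelmetHeaders(h http.Header, minHSTS int) []Finding {
	var out []Finding
	defaults := []struct{ name, want string }{
		{"X-XSS-Protection", "1; mode=block"},
		{"X-Content-Type-Options", "nosniff"},
		{"X-Frame-Options", "SAMEORIGIN"},
	}
	for _, d := range defaults {
		got := h.Get(d.name)
		if got == "" {
			out = append(out, Finding{d.name, "missing"})
		} else if got != d.want && !(d.name == "X-Frame-Options" && got == "DENY") { // DENY is stricter than the default
			out = append(out, Finding{d.name, "unexpected value " + got})
		}
	}
	if sts := h.Get("Strict-Transport-Security"); sts == "" {
		out = append(out, Finding{"Strict-Transport-Security", "missing (HSTSMaxAge not set)"})
	} else if n, ok := hstsMaxAge(sts); !ok || n < minHSTS {
		out = append(out, Finding{"Strict-Transport-Security", "max-age below " + strconv.Itoa(minHSTS)})
	}
	if h.Get("Content-Security-Policy") == "" && h.Get("Content-Security-Policy-Report-Only") == "" {
		out = append(out, Finding{"Content-Security-Policy", "missing (ContentSecurityPolicy not set)"})
	}
	return out
}
```

Feed it the headers of a real response (for example from http.Get against the running app) and treat any non-empty result as a deployment check failure.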