HTTP security headers middleware for Go(lang) inspired by HelmetJS.
Helmet helps you secure your Golang web applications by setting various HTTP security headers. It's not a silver bullet, but it can help!
Project is under active maintenance - even if there are no recent commits! Please submit an issue / bug request if you the library needs updating for any reason!
You can see more in the documentation.
go get github.com/goddtriffin/helmet
package main
import (
"fmt"
"log"
"net/http"
"github.com/goddtriffin/helmet"
)
func main() {
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintln(w, "I love HelmetJS, I just wish there was a Go(lang) equivalent...")
})
helmet := helmet.Default()
http.Handle("/", helmet.Secure(handler))
log.Fatal(http.ListenAndServe(":8080", nil))
}This code sample can be found in /examples/01-quick-start/.
Helmet is a collection of 12 smaller middleware functions that set HTTP security response headers. Initializing via helmet.Default() will not include all of these middleware functions by default.
| Module | Default |
|---|---|
| Content-Security-Policy | |
| X-Content-Type-Options | nosniff |
| X-DNS-Prefetch-Control | off |
| X-Download-Options | noopen |
| Expect-CT | |
| Feature-Policy | |
| X-Frame-Options | SAMEORIGIN |
| X-Permitted-Cross-Domain-Policies | |
| X-Powered-By | Removes the X-Powered-By header |
| Referrer-Policy | |
| Strict-Transport-Security | max-age=5184000; includeSubDomains (60 days) |
| X-XSS-Protection | 1; mode=block |
Made with 🤬 and 🥲 by Todd Everett Griffin
Helmet is open source under the MIT License.
Gopher image by Renee French, licensed under CC 3.0 license.
Helmet icon by Hand-Drawn Goods, licensed under CC 3.0 license.
Gopher + Helmet remix by Emily Wilson, licensed under CC 3.0 license.