Helmet
HTTP security headers middleware for Go(lang) inspired by HelmetJS.
Helmet helps you secure your Golang web applications by setting various HTTP security headers. It's not a silver bullet, but it can help!
Project is under active maintenance, even if there are no recent commits! Please submit an issue / bug request if you think the library needs updating for any reason!
Quick Start
You can see more in the documentation.
```shell
go get github.com/goddtriffin/helmet
```

```go
package main

import (
	"fmt"
	"log"
	"net/http"

	"github.com/goddtriffin/helmet"
)

func main() {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "I love HelmetJS, I just wish there was a Go(lang) equivalent...")
	})

	helmet := helmet.Default()
	http.Handle("/", helmet.Secure(handler))
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

This code sample can be found in /examples/01-quick-start/.
How It Works
Helmet is a collection of 12 smaller middleware functions, one per HTTP security response header. Initializing via helmet.Default() does not enable all 12 of them: the table below lists each module and the value helmet.Default() sets for it (a blank Default means that module is not enabled unless you configure it).

| Module | Default (blank: not set by helmet.Default()) |
|---|---|
| Content-Security-Policy | |
| X-Content-Type-Options | nosniff |
| X-DNS-Prefetch-Control | off |
| X-Download-Options | noopen |
| Expect-CT | |
| Feature-Policy | |
| X-Frame-Options | SAMEORIGIN |
| X-Permitted-Cross-Domain-Policies | |
| X-Powered-By | Removes the X-Powered-By header |
| Referrer-Policy | |
| Strict-Transport-Security | max-age=5184000; includeSubDomains (60 days) |
| X-XSS-Protection | 1; mode=block |
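To show the shape of the middleware described above and to give you a way to verify the headers actually reach the client, here is an added example that is not helmet's own code: a stand-in `Secure` that sets the table's defaults and strips X-Powered-By, plus a `Check` that runs a handler through net/http/httptest and reports every header that is missing or wrong. The names `Secure`, `Check` and `stripper`, and the internal structure, are assumptions about how such a middleware can be built, not helmet's implementation.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// defaultHeaders mirrors the Default column of the table above (constructed for this example; not helmet's source).
var defaultHeaders = map[string]string{
	"X-Content-Type-Options":    "nosniff",
	"X-DNS-Prefetch-Control":    "off",
	"X-Download-Options":        "noopen",
	"X-Frame-Options":           "SAMEORIGIN",
	"Strict-Transport-Security": "max-age=5184000; includeSubDomains",
	"X-XSS-Protection":          "1; mode=block",
}

// stripper deletes X-Powered-By just before headers are flushed, so it is gone even if the handler set it.
type stripper struct{ http.ResponseWriter }

func (s stripper) WriteHeader(code int) {
	s.Header().Del("X-Powered-By")
	s.ResponseWriter.WriteHeader(code)
}
func (s stripper) Write(b []byte) (int, error) {
	s.Header().Del("X-Powered-By") // handlers often Write without calling WriteHeader
	return s.ResponseWriter.Write(b)
}

// Secure stands in for helmet.Default().Secure (assumed shape, not helmet's code).
func Secure(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range defaultHeaders {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(stripper{w}, r)
	})
}

// Check sends a test GET through h (no network) and returns the table headers that are missing or wrong, plus X-Powered-By if it leaked.
func Check(h http.Handler) (bad []string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	got := rec.Result().Header
	for k, v := range defaultHeaders {
		if got.Get(k) != v {
			bad = append(bad, k)
		}
	}
	if got.Get("X-Powered-By") != "" {
		bad = append(bad, "X-Powered-By")
	}
	return bad
}
```

Wrapping a handler that sets X-Powered-By itself and calls fmt.Fprintln without WriteHeader is the case that trips a naive middleware which deletes the header after next.ServeHTTP returns; by then the headers have already been sent.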
Credits
Made with 🤬 and 🥲 by Todd Everett Griffin
Helmet is open source under the MIT License.
Gopher image by Renee French, licensed under CC 3.0 license.
Helmet icon by Hand-Drawn Goods, licensed under CC 3.0 license.
Gopher + Helmet remix by Emily Wilson, licensed under CC 3.0 license.
