Helmet Middleware
Write common HTTP security response headers
middleware/helmet writes a fixed set of HTTP security response headers to reduce risks such as MIME sniffing, clickjacking, and Referer leakage. It does not replace authentication, authorization, CSRF protection, or input validation; it is a baseline response-layer defense that browsers enforce, so it only helps against attacks that go through a browser.
Install
go get github.com/duxweb/runa/middleware
Basic usage
import "github.com/duxweb/runa/middleware/helmet"
route.Default().Use(helmet.New())
Default headers
| Header | Default | Purpose |
|---|---|---|
| X-Content-Type-Options | nosniff | Prevent browser MIME sniffing |
| X-Frame-Options | SAMEORIGIN | Reduce clickjacking risk (same-origin framing only) |
| Referrer-Policy | no-referrer-when-downgrade | Control Referer leakage |
| X-XSS-Protection | 0 | Disable the legacy browser XSS Auditor |
| Cross-Origin-Opener-Policy | same-origin | Isolate the top-level browsing context |

Two of these defaults deserve a second look. X-XSS-Protection: 0 is deliberate: the old auditor could itself be abused to leak page content, and current browsers no longer ship it, so 0 is the safe value. The Referrer-Policy default is looser than what modern browsers apply on their own (strict-origin-when-cross-origin); the next section shows how to tighten it.
Custom headers
route.Default().Use(helmet.New(helmet.Config{
	ReferrerPolicy: "strict-origin-when-cross-origin",
	Custom: map[string]string{
		"Permissions-Policy": "geolocation=(), camera=()",
	},
}))
Allow embedding by a specified page
If the page only needs same-origin iframe embedding, the default SAMEORIGIN can stay. If another origin must embed it, X-Frame-Options cannot express that (its ALLOW-FROM directive is no longer honored by browsers), so suppress it and state the rule with the CSP frame-ancestors directive instead:
route.Default().Use(helmet.New(helmet.Config{
	FrameOptions: "",
	Custom: map[string]string{
		"Content-Security-Policy": "frame-ancestors https://portal.example.com",
	},
}))
When a field is set to an empty string, the middleware does not write that header. After deploying an override like this, confirm with `curl -I` that the response carries Content-Security-Policy and no X-Frame-Options, and that the frame-ancestors list contains only the origins that genuinely need to embed the page.
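To make the header semantics concrete, here is an added, self-contained illustration of the same behaviour written against net/http and httptest only; it is not the runa helmet package and does not import it. It mirrors the page's field names, treats an empty string as "do not write", applies the Custom map, honours Next, and then checks the resulting headers for the embedding case above and for a skipped health endpoint. The names DefaultConfig, EmbedConfig, ResponseHeaders, the /healthz path and portal.example.com are assumptions of this example; in particular, this version asks callers to start from DefaultConfig() and blank a field, because in Go an unset string is also empty.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Config mirrors the field names documented on this page. This file is an
// added illustration written against net/http only; it is not the runa
// helmet package.
type Config struct {
	Next                    func(r *http.Request) bool // skip when true
	ContentTypeNosniff      string
	FrameOptions            string
	ReferrerPolicy          string
	XSSProtection           string
	CrossOriginOpenerPolicy string
	Custom                  map[string]string
}

// DefaultConfig returns the defaults from the table above. Assumption of
// this illustration: callers copy the defaults first and blank a field to
// suppress its header, which keeps "empty string means do not write"
// unambiguous in Go, where an unset string is also empty.
func DefaultConfig() Config {
	return Config{
		ContentTypeNosniff:      "nosniff",
		FrameOptions:            "SAMEORIGIN",
		ReferrerPolicy:          "no-referrer-when-downgrade",
		XSSProtection:           "0",
		CrossOriginOpenerPolicy: "same-origin",
	}
}

// New returns middleware that writes the configured headers before the
// wrapped handler runs, so they are present even if the handler flushes
// the body early (headers cannot be added after the first write).
func New(cfg Config) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if cfg.Next != nil && cfg.Next(r) {
				next.ServeHTTP(w, r)
				return
			}
			set := func(name, value string) {
				if value != "" { // empty string: header is not written
					w.Header().Set(name, value)
				}
			}
			set("X-Content-Type-Options", cfg.ContentTypeNosniff)
			set("X-Frame-Options", cfg.FrameOptions)
			set("Referrer-Policy", cfg.ReferrerPolicy)
			set("X-XSS-Protection", cfg.XSSProtection)
			set("Cross-Origin-Opener-Policy", cfg.CrossOriginOpenerPolicy)
			for name, value := range cfg.Custom {
				set(name, value)
			}
			next.ServeHTTP(w, r)
		})
	}
}

// EmbedConfig is the "allow embedding by a specified page" case: drop the
// legacy X-Frame-Options header, which cannot name a foreign origin, and
// express the rule with CSP frame-ancestors. It also tightens the referrer
// policy and skips the health endpoint via Next. portal.example.com and
// /healthz are placeholders chosen for this example.
func EmbedConfig() Config {
	cfg := DefaultConfig()
	cfg.FrameOptions = ""
	cfg.ReferrerPolicy = "strict-origin-when-cross-origin"
	cfg.Custom = map[string]string{
		"Content-Security-Policy": "frame-ancestors https://portal.example.com",
	}
	cfg.Next = func(r *http.Request) bool { return r.URL.Path == "/healthz" }
	return cfg
}

// ResponseHeaders sends one in-memory request through the middleware and
// returns the response headers: the same check you would do with
// `curl -I` against a deployed service.
func ResponseHeaders(cfg Config, path string) http.Header {
	handler := New(cfg)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header()
}

func main() {
	for _, path := range []string{"/", "/healthz"} {
		fmt.Println(path)
		for name, values := range ResponseHeaders(EmbedConfig(), path) {
			fmt.Printf("  %s: %s\n", name, values[0])
		}
	}
}
```

Running it prints the headers for "/" (CSP present, X-Frame-Options absent, the rest at their defaults) and for "/healthz" (no security headers, because Next skipped the middleware). Treating Next skips as a review item is worthwhile: a skipped path that later starts serving HTML silently loses every protection in the table.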
Config fields
| Field | Type | Default | Description |
|---|---|---|---|
| Next | func(*route.Context) bool | nil | Skip the middleware when it returns true |
| ContentTypeNosniff | string | nosniff | Value of X-Content-Type-Options |
| FrameOptions | string | SAMEORIGIN | Value of X-Frame-Options |
| ReferrerPolicy | string | no-referrer-when-downgrade | Value of Referrer-Policy |
| XSSProtection | string | 0 | Value of X-XSS-Protection |
| CrossOriginOpenerPolicy | string | same-origin | Value of Cross-Origin-Opener-Policy |
| Custom | map[string]string | nil | Extra headers written as given |
Relationship with security
security.New(...) includes helmet by default. If you need a custom helmet config, disable helmet inside security and mount helmet yourself, otherwise the two copies would both write headers and the one registered later would win:
route.Default().Use(security.New(
	security.Production(),
	security.Disable("helmet"),
))
route.Default().Use(helmet.New(helmet.Config{
	ReferrerPolicy: "strict-origin-when-cross-origin",
}))
Common problems
- Helmet does not set CORS headers. Use the CORS Middleware for CORS.
- Helmet does not generate a Content-Security-Policy. Use Custom for a project-specific CSP, and test it in report-only mode before enforcing it.
- Static assets, HTML pages, and APIs can all sit behind Helmet, but iframe embedding, file downloads, and cross-origin isolation scenarios need an explicit header review. In particular, Cross-Origin-Opener-Policy: same-origin severs window.opener between cross-origin windows, so popup-based flows (for example OAuth popups that call back via postMessage) need a different COOP value on the pages involved.