helmet function

Middleware helmet({
  HelmetOptions options = const HelmetOptions(),
})

Helmet middleware for Dart. This middleware sets various HTTP headers to help secure your app.

import 'package:shelf_helmet/shelf_helmet.dart'

.addMiddleware(helmet());

With the default [HelmetOptions], this middleware sets the following headers:

Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0

If you want to set the headers manually, or only use some of the included middlewares, check out the documentation for the individual middlewares.

Implementation

/// Builds the combined Helmet [Middleware] from [options].
///
/// Each header middleware is included only when its corresponding
/// `enable*` flag in [options] is set. The enabled middlewares are then
/// chained, in the order listed below, into a single shelf [Pipeline]
/// which is returned as one [Middleware].
///
/// Throws an [ArgumentError] when every middleware is disabled, since an
/// empty helmet() would contribute nothing to the request pipeline.
Middleware helmet({
  HelmetOptions options = const HelmetOptions(),
}) {
  // Collect only the middlewares whose flags are enabled in [options].
  final enabled = <Middleware>[
    if (options.enableContentSecurityPolicy)
      contentSecurityPolicy(options: options.cspOptions),
    if (options.enableCrossOriginEmbedderPolicy)
      crossOriginEmbedderPolicy(policy: options.coepOptions),
    if (options.enableCrossOriginOpenerPolicy)
      crossOriginOpenerPolicy(policy: options.coopOptions),
    if (options.enableCrossOriginResourcePolicy)
      crossOriginResourcePolicy(policy: options.corpOptions),
    if (options.enableOriginAgentCluster) originAgentCluster(),
    if (options.enableReferrerPolicy)
      referrerPolicy(policies: options.referrerPolicyTokens),
    if (options.enableStrictTransportSecurity)
      strictTransportSecurity(options: options.strictTransportSecurityOptions),
    if (options.enableXContentTypeOptions) xContentTypeOptions(),
    if (options.enableXDnsPrefetchControl)
      xDnsPrefetchControl(allow: options.allowXDnsPrefetchControl),
    if (options.enableXDownloadOptions) xDownloadOptions(),
    if (options.enableXFrameOptions)
      xFrameOptions(xFrameOption: options.xFrameOptionsToken),
    if (options.enableXPermittedCrossDomainPolicies)
      xPermittedCrossDomainPolicies(
        permittedPolicy: options.xPermittedPoliciesToken,
      ),
    if (options.enableXXssProtection) xXssProtection(),
  ];

  // A helmet() with nothing enabled is a configuration mistake, not a
  // runtime condition, so it is reported as an ArgumentError.
  if (enabled.isEmpty) {
    throw ArgumentError(
      'No middlewares were provided, consider removing helmet()',
    );
  }

  // Chain the enabled middlewares into one Pipeline, preserving list order.
  final pipeline = enabled.fold<Pipeline>(
    const Pipeline(),
    (chain, middleware) => chain.addMiddleware(middleware),
  );

  // addHandler has the Middleware signature, so the tear-off is the result.
  return pipeline.addHandler;
}