Applies best practice security headers to responses. It's a simplified port of HelmetJS

Downloads in past


3,04263.5.08 hours ago3 years agoMinified + gzip package size for @middy/http-security-headers in KB


Middy http-security-headers middleware
Middy logo

HTTP security headers middleware for the middy framework, the stylish Node.js middleware engine for AWS Lambda

Applies best practice security headers to responses. It's a simplified port of HelmetJS. See HelmetJS documentation for more details.

<img src="https://badge.fury.io/js/%40middy%2Fhttp-security-headers.svg" alt="npm version" style="max-width:100%;">
<img src="https://packagephobia.com/badge?p=@middy/http-security-headers" alt="npm install size" style="max-width:100%;">
<img src="https://github.com/middyjs/middy/actions/workflows/tests.yml/badge.svg?branch=main&event=push" alt="GitHub Actions CI status badge" style="max-width:100%;">

<a href="https://standardjs.com/">
 <img src="https://img.shields.io/badge/code_style-standard-brightgreen.svg" alt="Standard Code Style"  style="max-width:100%;">
<img src="https://snyk.io/test/github/middyjs/middy/badge.svg" alt="Known Vulnerabilities" data-canonical-src="https://snyk.io/test/github/middyjs/middy" style="max-width:100%;">
<img src="https://img.shields.io/lgtm/grade/javascript/g/middyjs/middy.svg?logo=lgtm&logoWidth=18" alt="Language grade: JavaScript" style="max-width:100%;">
<img src="https://bestpractices.coreinfrastructure.org/projects/5280/badge" alt="Core Infrastructure Initiative (CII) Best Practices"  style="max-width:100%;">

<img src="https://badges.gitter.im/gitterHQ/gitter.svg" alt="Chat on Gitter" style="max-width:100%;">
<img src="https://img.shields.io/badge/StackOverflow-[middy]-yellow" alt="Ask questions on StackOverflow" style="max-width:100%;">

You can read the documentation at: https://middy.js.org/docs/middlewares//http-security-headers

Applies best practice security headers to responses. It's a simplified port of HelmetJS. See HelmetJS documentation for more details.


To install this middleware you can use NPM:
npm install --save @middy/http-security-headers


Setting an option to false to cause that rule to be ignored.

All Responses

  • originAgentCluster: Default to {} to include
  • referrerPolicy: Default to { policy: 'no-referrer' }
  • strictTransportSecurity: Default to { maxAge: 15552000, includeSubDomains: true, preload: true }
  • X-dnsPrefetchControl: Default to { allow: false }
  • X-downloadOptions: Default to { action: 'noopen' }
  • X-poweredBy: Default to { server: '' } to remove Server and X-Powered-By
  • X-contentTypeOptions: Default to { action: 'nosniff' }

HTML Responses

  • contentSecurityPolicy: Default to { 'default-src': "'none'", 'base-uri':"'none'", 'sandbox':'', 'form-action':"'none'", 'frame-ancestors':"'none'", 'navigate-to':"'none'", 'report-to':'csp', 'require-trusted-types-for':"'script'", 'trusted-types':"'none'", 'upgrade-insecure-requests':'' }
  • crossOriginEmbedderPolicy: Default to { policy: 'require-corp' }
  • crossOriginOpenerPolicy: Default to { policy: 'same-origin' }
  • crossOriginResourcePolicy: Default to { policy: 'same-origin' }
  • permissionsPolicy: Default to { *:'', ... } where all allowed values are set to disable
  • reportTo: Defaults to { maxAge: 31536000, default: '', includeSubdomains: true, csp: '', staple:'', xss: '' } which won't report by default, needs setting
  • X-frameOptions: Default to { action: 'deny' }
  • X-xssProtection: Defaults to { reportUri: '' }'

Sample usage

import middy from '@middy/core'
import httpSecurityHeaders from '@middy/http-security-headers'

const handler = middy((event, context) => {
  return {}


Middy documentation and examples

For more documentation and examples, refers to the main Middy monorepo on GitHub or Middy official website.


Everyone is very welcome to contribute to this repository. Feel free to raise issues or to submit Pull Requests.


Licensed under MIT License. Copyright (c) 2017-2022 Luciano Mammino, will Farrell, and the Middy team.
FOSSA Status