koa-helmet

Sets a collection of security-related HTTP response headers (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options and others) on every response by wrapping the Express-oriented `helmet` package as Koa middleware.

Since Koa 2

Syntax

import helmet from 'koa-helmet';
app.use(helmet([options]));

Parameters

Name     Type    Required  Description
options  object  No        Passed directly to `helmet()`. Use sub-keys to configure individual headers: `contentSecurityPolicy`, `hsts`, `frameguard`, `noSniff`, etc. Set a key to `false` to disable that specific header.

Returns

function — Koa middleware that sets security headers on every response.

Examples

import Koa from 'koa';
import helmet from 'koa-helmet';

const app = new Koa();

app.use(helmet());

app.use(async (ctx) => {
  ctx.body = 'Secured!';
});

app.listen(3000);
Output (abbreviated: helmet's default Content-Security-Policy carries further directives such as `object-src 'none'` and `base-uri 'self'`, additional headers such as Referrer-Policy and X-DNS-Prefetch-Control are also emitted, and the exact values depend on the installed helmet version)
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff

// Custom CSP. With helmet 5 and later, `useDefaults` is true unless disabled,
// so the supplied directives would be merged with helmet's defaults rather
// than replacing them; `useDefaults: false` makes the header exactly what is
// listed below.
app.use(helmet({
  contentSecurityPolicy: {
    useDefaults: false,
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", 'cdn.example.com'],
    },
  },
}));
Output
Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com

Notes

Mount `koa-helmet` as early as possible in the middleware stack so that every response, including error responses produced by later middleware, carries the headers. `koa-helmet` is a thin Koa-compatible wrapper around the Express `helmet` package; the options object is identical, so helmet's documentation applies. Two caveats a deployment should account for: browsers only honour Strict-Transport-Security on responses received over HTTPS, so the header is inert until the app (or the TLS-terminating proxy in front of it) serves TLS; and an enforced Content-Security-Policy can silently break inline scripts and third-party assets, so trial a new policy with `contentSecurityPolicy: { reportOnly: true }` (emitted as Content-Security-Policy-Report-Only) before enforcing it. Confirm what is actually sent with `curl -sI http://localhost:3000` or the browser's DevTools Network panel before deploying to production.

See also