Elysia Helmet
Elysia Helmet is a security plugin for the Elysia web framework, designed to protect applications by setting various HTTP response headers. It functions as a direct port of the well-known `helmet` middleware from the Express ecosystem, adapting its battle-tested security configurations to the modern Elysia runtime. The current stable version is 3.1.0. Given its nature as a framework-specific plugin, its release cadence is closely aligned with updates to the Elysia framework itself and the upstream `helmet` project, ensuring continuous compatibility and incorporating the latest web security best practices. Its primary differentiator is providing a familiar and comprehensive suite of HTTP security headers specifically integrated for Elysia, enabling developers to easily apply crucial security measures without manual header management.
Common errors
- Cannot find module 'elysia-helmet' or its corresponding type declarations.
  cause: The 'elysia-helmet' package has not been installed, or the import path is incorrect, or TypeScript is not configured to resolve modules correctly.
  fix: Install the package: `bun add elysia-helmet` (or `npm install elysia-helmet`, `yarn add elysia-helmet`). Verify the import statement: `import { helmet } from 'elysia-helmet';`
- TypeError: app.use is not a function (or similar Elysia method not found)
  cause: This error typically indicates that the Elysia instance is not correctly initialized or the Elysia framework version is too old to support the plugin's API.
  fix: Ensure you are importing `Elysia` from 'elysia' correctly and that your Elysia version meets the 'elysia-helmet' peer dependency (`>= 1.2.0`). Update Elysia if necessary: `bun add elysia@latest`.
- Property 'contentSecurityPolicy' does not exist on type 'HelmetOptions'.
  cause: The type definition for `HelmetOptions` might not include the property, or the property is nested differently than expected, or a specific `helmet` middleware is not enabled by default.
  fix: Check the `elysia-helmet` source code or the upstream `helmet` documentation for the correct structure of configuration options. Ensure you are using the correct version of `elysia-helmet` that supports the desired options.
Warnings
- breaking: elysia-helmet has a peer dependency on 'elysia' version '>= 1.2.0'. Using an older version of Elysia may lead to runtime errors or unexpected behavior.
- gotcha: While a port of the original 'helmet' for Express, elysia-helmet may not have 100% identical feature parity or configuration options. Always refer to the elysia-helmet documentation or source code for specific Elysia-context configurations.
- gotcha: Misconfiguring security headers, especially Content Security Policy (CSP), can inadvertently block legitimate content or scripts, leading to broken website functionality or user experience issues.
Install
- npm install elysia-helmet
- yarn add elysia-helmet
- pnpm add elysia-helmet
Imports
- helmet
  const helmet = require('elysia-helmet').helmet;
  import { helmet } from 'elysia-helmet';
- helmet
  import helmet from 'elysia-helmet';
  import { helmet } from 'elysia-helmet';
- HelmetOptions
  import type { HelmetOptions } from 'elysia-helmet';
Quickstart
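import { Elysia } from 'elysia';
import { helmet } from 'elysia-helmet';

const app = new Elysia()
  .use(helmet({
    contentSecurityPolicy: {
      directives: {
        // Fallback for any fetch directive not listed below
        defaultSrc: ["'self'"],
        // 'unsafe-inline' permits inline scripts and event handlers, which weakens CSP's protection against XSS
        scriptSrc: ["'self'", "'unsafe-inline'"],
        // Allow images from the same origin and from data: URIs
        imgSrc: ["'self'", 'data:'],
      },
    },
    // Tell browsers not to MIME-sniff responses
    xContentTypeOptions: true,
    // Forbid rendering this site inside a frame
    xFrameOptions: { action: 'deny' },
  }))
  .get('/', () => 'Hello Elysia with Helmet!')
  .listen(3000);

console.log(`Server is running at ${app.server?.hostname}:${app.server?.port}`);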
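The headers a configuration like the Quickstart is meant to produce can be checked in a test rather than by eye. The following is an added example, not code from elysia-helmet or this page's author: `parseCsp`, `auditHeaders` and the sample header values are hypothetical names and constructed data, and the sample was not captured from the plugin. It reports missing headers and the `'unsafe-inline'` script source that the Quickstart policy allows.

```typescript
type Finding = { header: string; level: 'error' | 'warn'; message: string };

// Added example, not elysia-helmet code. Split a CSP value into { directive: sources[] }.
function parseCsp(value: string): Record<string, string[]> {
  const policy: Record<string, string[]> = {};
  value.split(';').forEach((part) => {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) return;
    const directive = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so only the first occurrence counts.
    if (!(directive in policy)) policy[directive] = tokens.slice(1);
  });
  return policy;
}

function auditHeaders(raw: Record<string, string>): Finding[] {
  const h: Record<string, string> = {};
  Object.keys(raw).forEach((k) => { h[k.toLowerCase()] = raw[k]; }); // names are case-insensitive
  const findings: Finding[] = [];
  const add = (header: string, level: 'error' | 'warn', message: string): void => {
    findings.push({ header, level, message });
  };
  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff')
    add('x-content-type-options', 'error', 'expected "nosniff"');
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN')
    add('x-frame-options', 'error', 'expected DENY or SAMEORIGIN');
  const csp = h['content-security-policy'];
  if (!csp) { add('content-security-policy', 'error', 'header missing'); return findings; }
  const policy = parseCsp(csp);
  if (!policy['default-src']) add('content-security-policy', 'warn', 'no default-src fallback');
  // script-src falls back to default-src when it is not set.
  const scripts = policy['script-src'] || policy['default-src'] || [];
  // CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash source is present.
  const strict = scripts.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (scripts.indexOf("'unsafe-inline'") !== -1 && !strict)
    add('content-security-policy', 'warn', "script-src allows 'unsafe-inline'");
  if (scripts.indexOf("'unsafe-eval'") !== -1)
    add('content-security-policy', 'warn', "script-src allows 'unsafe-eval'");
  return findings;
}

// Constructed sample modelled on the Quickstart options; not captured from the plugin.
const quickstartHeaders: Record<string, string> = {
  'Content-Security-Policy': "default-src 'self';script-src 'self' 'unsafe-inline';img-src 'self' data:",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
};
console.log(auditHeaders(quickstartHeaders));
```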