helmet and cors are enabled by default in HeronJS applications.
helmet helps protect your application by setting common security-related HTTP headers. cors controls which origins are allowed to access your API from a browser.
Customize Helmet and CORS
You can override the default behavior by passing cors and helmet options to app.listen().
const main = async () => {
  const app = await HeronJS.create({ module: AppModule });
  await app.listen({
    port: 3000,
    options: {
      cors: {
        // '*' lets a page on any origin read responses from this API
        origin: '*',
        preflightContinue: false,
        methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
      },
      helmet: {
        // Sets the Referrer-Policy response header to no-referrer
        referrerPolicy: {
          policy: 'no-referrer',
        },
      },
    },
  });
};

Use this configuration when you need to relax or tighten cross-origin access, or when you want to customize the default security headers generated by Helmet.
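To tighten cross-origin access instead of using `origin: '*'`, the following added example (not HeronJS's own code) builds an exact-match origin allowlist in the `(origin, callback)` form that the `cors` npm package accepts for its `origin` option. It assumes HeronJS hands the `cors` options to that package unchanged; the origins listed and the `decide` helper are constructed for illustration.

```javascript
// Added example: the cors package's (origin, callback) form for `origin`.
// ALLOWED_ORIGINS holds constructed sample values.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com:8443'];

// Reduce a value to canonical scheme://host[:port]; null if it is not a plain web origin.
function canonicalOrigin(value) {
  try {
    const url = new URL(value);
    if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
    if (url.pathname !== '/' || url.search || url.hash || url.username || url.password) return null;
    return url.origin;
  } catch {
    return null; // not a URL at all, e.g. the literal string "null"
  }
}

function makeOriginCheck(allowed) {
  const allowlist = new Set(allowed.map((entry) => {
    const origin = canonicalOrigin(entry);
    if (origin === null) throw new Error(`invalid allowlist entry: ${entry}`);
    return origin;
  }));
  return function originCheck(origin, callback) {
    // Exact match on scheme, host and port; no suffix or substring tests.
    const candidate = origin === undefined ? null : canonicalOrigin(origin);
    callback(null, candidate !== null && allowlist.has(candidate));
  };
}

// Hypothetical helper: run the check synchronously and return its decision.
function decide(check, origin) {
  let allowed = false;
  check(origin, (err, allow) => { allowed = !err && allow; });
  return allowed;
}

// Shape to pass as options.cors in app.listen() (assumes pass-through to cors).
const corsOptions = {
  origin: makeOriginCheck(ALLOWED_ORIGINS),
  preflightContinue: false,
  methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
};
```

Requests without an `Origin` header, or with one that is not on the list, get `false` from the callback and are not granted cross-origin access.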