sveltekit-helmet is a wrapper for helmet to work with SvelteKit. It provides important security headers to make your app more secure by default.
```bash
npm i sveltekit-helmet
# or:
yarn add sveltekit-helmet
```
Usage is the same as helmet; see the helmet documentation for more information.
Hot reload is blocked by the default Content Security Policy. To use it, you need to allow it in the scriptSrc directive.
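Just add one of the following to your src/hooks.server.ts:

```ts
import helmet from "sveltekit-helmet";

// With default helmet options
export const handle = helmet();
```

```ts
import helmet from "sveltekit-helmet";

// With custom helmet options
export const handle = helmet({
	contentSecurityPolicy: {
		directives: {
			scriptSrc: [
				"'self'", // Keep helmet's default same-origin source
				"'unsafe-inline'", // Allow SvelteKit hot reload (this permits all inline scripts)
			],
		},
	},
});
```

```ts
// Works with other middlewares
// (fooMiddleware and barMiddleware stand in for your own handle functions)
import { sequence } from "@sveltejs/kit/hooks";
import helmet from "sveltekit-helmet";

export const handle = sequence(helmet(), fooMiddleware, barMiddleware);
```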
Currently, only the full helmet middleware is supported. Instead of using the individual middleware, you can disable unwanted rules in the options.
sveltekit-helmet currently only supports SvelteKit v2.
If you are using SvelteKit v1, you can open an issue and I will consider adding support for it.