Skip to main content

Included Middlewares

Cors

  • Cors options
/**
 * Cross-Origin Resource Sharing (CORS) configuration object.
 *
 * This type allows flexible control over allowed origins, headers, and methods.
 *
 * Defaults (if a field is omitted):
 * - `methods`: `['DELETE', 'GET', 'HEAD', 'OPTIONS', 'PATCH', 'POST', 'PUT']`
 * - `allowedHeaders`: `['Content-Type', 'Authorization']`
 * - `credentials`: not sent unless explicitly set to `true`
 * - `exposedHeaders`: not set unless provided
 * - `maxAge`: not set unless provided
 */
export type Cors = {
  /**
   * Allowed origin(s). Can be:
   * - a string (exact match)
   * - an string array (any item exact match)
   * - a function that receives the request context and returns a valid origin
   */
  origin: Origin;

  /**
   * Allowed HTTP methods for CORS requests.
   * @default
   * [`DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, `PUT`]
   */
  methods?: Method[];

  /**
   * Allowed headers for incoming requests.
   * @default
   * ['Content-Type', 'Authorization']
   */
  allowedHeaders?: string[];

  /**
   * Headers that can be exposed to the browser.
   * Default: none
   * @default undefined
   */
  exposedHeaders?: string[];

  /**
   * How long the results of a preflight request can be cached (in seconds).
   * Default: not set
   * @default undefined
   */
  maxAge?: number;

  /**
   * Whether to include `Access-Control-Allow-Credentials: true`.
   * Default: not set (credentials will not be sent)
   */
  credentials?: boolean;

  /**
   * Return and empty response on OPTIONS preflight request with the configured cors headers
   * @default true
   */
  handleOptionsRequest?: boolean;
};
import { cors } from "@crumbjs/core";

app.use(
  cors({
    /** your config */
  })
);

Signals

Middleware that logs request signals such as method, path, status, duration, and IP.

By default, logs with info level, meaning output may be suppressed if the current logger level is higher. If force is true, it logs regardless of the level using print.

This is useful for monitoring internal requests without polluting production logs unless explicitly desired.

@param force - If true, logs are always printed; otherwise, logged as debug. @returns Middleware function to measure and log request signal data.

app.use(signals(true)); // Always log requests signals

Example output on incomming request

2025-08-22T18:13:51.980Z INFO  [default] GET /api/hello/CrumbJS STATUS::200 1.08 ms -- ::1

Secure Headers

Ported from Hono secureHeaders()

Secure Headers Middleware simplifies the setup of security headers. Inspired in part by the capabilities of Helmet, it allows you to control the activation and deactivation of specific security headers.

Hono Secure Headers Documentation