gh-jezweb-claude-skills-skills-hono-routing/references/middleware-catalog.md

# Hono Built-in Middleware Catalog

Complete reference for all built-in Hono middleware with usage examples and configuration options.

**Last Updated**: 2025-10-22
**Hono Version**: 4.10.2+

---

## Installation

All built-in middleware are included in the `hono` package. No additional dependencies required.

```bash
npm install hono@4.10.2
```

---

## Request Logging

### logger()

Logs request method, path, status, and response time.

```typescript
import { logger } from 'hono/logger'

app.use('*', logger())
```

**Output**:
```
GET /api/users 200 - 15ms
POST /api/posts 201 - 42ms
```

**Custom logger**:
```typescript
import { logger } from 'hono/logger'

app.use(
  '*',
  logger((message, ...rest) => {
    console.log(`[Custom] ${message}`, ...rest)
  })
)
```

---

## CORS

### cors()

Enables Cross-Origin Resource Sharing.

```typescript
import { cors } from 'hono/cors'

// Simple usage
app.use('*', cors())

// Custom configuration
app.use(
  '/api/*',
  cors({
    origin: ['https://example.com', 'https://app.example.com'],
    allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
    allowHeaders: ['Content-Type', 'Authorization'],
    exposeHeaders: ['X-Request-ID', 'X-Response-Time'],
    maxAge: 600,
    credentials: true,
  })
)

// Dynamic origin
app.use(
  '*',
  cors({
    origin: (origin) => {
      return origin.endsWith('.example.com') ? origin : 'https://example.com'
    },
  })
)
```

**Options**:
- `origin`: String, array, or function
- `allowMethods`: HTTP methods array
- `allowHeaders`: Headers array
- `exposeHeaders`: Headers to expose
- `maxAge`: Preflight cache duration (seconds)
- `credentials`: Allow credentials

---

## Pretty JSON

### prettyJSON()

Formats JSON responses with indentation (development only).

```typescript
import { prettyJSON } from 'hono/pretty-json'

if (process.env.NODE_ENV === 'development') {
  app.use('*', prettyJSON())
}
```

**Options**:
```typescript
app.use(
  '*',
  prettyJSON({
    space: 2, // Indentation spaces (default: 2)
  })
)
```

---

## Compression

### compress()

Compresses responses using gzip or deflate.

```typescript
import { compress } from 'hono/compress'

app.use('*', compress())

// Custom options
app.use(
  '*',
  compress({
    encoding: 'gzip', // 'gzip' | 'deflate'
  })
)
```

**Behavior**:
- Automatically detects `Accept-Encoding` header
- Skips if `Content-Encoding` already set
- Skips if response is already compressed

---

## Caching

### cache()

Sets HTTP cache headers.

```typescript
import { cache } from 'hono/cache'

app.use(
  '/static/*',
  cache({
    cacheName: 'my-app',
    cacheControl: 'max-age=3600', // 1 hour
  })
)

// Conditional caching
app.use(
  '/api/public/*',
  cache({
    cacheName: 'api-cache',
    cacheControl: 'public, max-age=300', // 5 minutes
    wait: true, // Wait for cache to be ready
  })
)
```

**Options**:
- `cacheName`: Cache name
- `cacheControl`: Cache-Control header value
- `wait`: Wait for cache to be ready

---

## ETag

### etag()

Generates and validates ETags for responses.

```typescript
import { etag } from 'hono/etag'

app.use('/api/*', etag())

// Custom options
app.use(
  '/api/*',
  etag({
    weak: true, // Use weak ETags (W/"...")
  })
)
```

**Behavior**:
- Automatically generates ETag from response body
- Returns 304 Not Modified if ETag matches
- Works with `If-None-Match` header

---

## Security Headers

### secureHeaders()

Sets security-related HTTP headers.

```typescript
import { secureHeaders } from 'hono/secure-headers'

app.use('*', secureHeaders())

// Custom configuration
app.use(
  '*',
  secureHeaders({
    contentSecurityPolicy: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "'unsafe-inline'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", 'data:', 'https:'],
    },
    strictTransportSecurity: 'max-age=31536000; includeSubDomains',
    xFrameOptions: 'DENY',
    xContentTypeOptions: 'nosniff',
    referrerPolicy: 'no-referrer',
  })
)
```

**Headers set**:
- `Content-Security-Policy`
- `Strict-Transport-Security`
- `X-Frame-Options`
- `X-Content-Type-Options`
- `Referrer-Policy`
- `X-XSS-Protection` (deprecated but included)

---

## Server Timing

### timing()

Adds Server-Timing header with performance metrics.

```typescript
import { timing } from 'hono/timing'

app.use('*', timing())

// Custom timing
import { setMetric, startTime, endTime } from 'hono/timing'

app.use('*', timing())

app.get('/api/data', async (c) => {
  startTime(c, 'db')
  // Database query
  endTime(c, 'db')

  startTime(c, 'external')
  // External API call
  endTime(c, 'external')

  setMetric(c, 'total', 150)

  return c.json({ data: [] })
})
```

**Output header**:
```
Server-Timing: db;dur=45, external;dur=85, total;dur=150
```

---

## Bearer Auth

### bearerAuth()

Simple bearer token authentication.

```typescript
import { bearerAuth } from 'hono/bearer-auth'

app.use(
  '/admin/*',
  bearerAuth({
    token: 'my-secret-token',
  })
)

// Multiple tokens
app.use(
  '/api/*',
  bearerAuth({
    token: ['token1', 'token2', 'token3'],
  })
)

// Custom error
app.use(
  '/api/*',
  bearerAuth({
    token: 'secret',
    realm: 'My API',
    onError: (c) => {
      return c.json({ error: 'Unauthorized' }, 401)
    },
  })
)
```

---

## Basic Auth

### basicAuth()

HTTP Basic authentication.

```typescript
import { basicAuth } from 'hono/basic-auth'

app.use(
  '/admin/*',
  basicAuth({
    username: 'admin',
    password: 'secret',
  })
)

// Custom validation
app.use(
  '/api/*',
  basicAuth({
    verifyUser: async (username, password, c) => {
      const user = await db.findUser(username)
      if (!user) return false

      return await bcrypt.compare(password, user.passwordHash)
    },
  })
)
```

---

## JWT

### jwt()

JSON Web Token authentication.

```typescript
import { jwt } from 'hono/jwt'

app.use(
  '/api/*',
  jwt({
    secret: 'my-secret-key',
  })
)

// Access JWT payload
app.get('/api/profile', (c) => {
  const payload = c.get('jwtPayload')
  return c.json({ user: payload })
})

// Custom algorithm
app.use(
  '/api/*',
  jwt({
    secret: 'secret',
    alg: 'HS256', // HS256 (default), HS384, HS512
  })
)
```

---

## Request ID

### requestId()

Generates unique request IDs.

```typescript
import { requestId } from 'hono/request-id'

app.use('*', requestId())

app.get('/', (c) => {
  const id = c.get('requestId')
  return c.json({ requestId: id })
})

// Custom generator
app.use(
  '*',
  requestId({
    generator: () => `req-${Date.now()}-${Math.random()}`,
  })
)
```

---

## Combine

### combine()

Combines multiple middleware into one.

```typescript
import { combine } from 'hono/combine'
import { logger } from 'hono/logger'
import { cors } from 'hono/cors'
import { compress } from 'hono/compress'

app.use('*', combine(
  logger(),
  cors(),
  compress()
))
```

---

## Trailing Slash

### trimTrailingSlash()

Removes trailing slashes from URLs.

```typescript
import { trimTrailingSlash } from 'hono/trailing-slash'

app.use('*', trimTrailingSlash())

// /api/users/ → /api/users
```

---

## Serve Static

### serveStatic()

Serves static files (runtime-specific).

**Cloudflare Workers**:
```typescript
import { serveStatic } from 'hono/cloudflare-workers'

app.use('/static/*', serveStatic({ root: './public' }))
```

**Deno**:
```typescript
import { serveStatic } from 'hono/deno'

app.use('/static/*', serveStatic({ root: './public' }))
```

**Bun**:
```typescript
import { serveStatic } from 'hono/bun'

app.use('/static/*', serveStatic({ root: './public' }))
```

---

## Body Limit

### bodyLimit()

Limits request body size.

```typescript
import { bodyLimit } from 'hono/body-limit'

app.use(
  '/api/*',
  bodyLimit({
    maxSize: 1024 * 1024, // 1 MB
    onError: (c) => {
      return c.json({ error: 'Request body too large' }, 413)
    },
  })
)
```

---

## Timeout

### timeout()

Sets timeout for requests.

```typescript
import { timeout } from 'hono/timeout'

app.use(
  '/api/*',
  timeout(5000) // 5 seconds
)

// Custom error
app.use(
  '/api/*',
  timeout(
    3000,
    (c) => c.json({ error: 'Request timeout' }, 504)
  )
)
```

---

## IP Restriction

### ipRestriction()

Restricts access by IP address.

```typescript
import { ipRestriction } from 'hono/ip-restriction'

app.use(
  '/admin/*',
  ipRestriction(
    {
      allowList: ['192.168.1.0/24'],
      denyList: ['10.0.0.0/8'],
    },
    (c) => c.json({ error: 'Forbidden' }, 403)
  )
)
```

---

## Summary

| Middleware | Purpose | Common Use Case |
|------------|---------|-----------------|
| `logger()` | Request logging | Development, debugging |
| `cors()` | CORS handling | API routes |
| `prettyJSON()` | JSON formatting | Development |
| `compress()` | Response compression | All routes |
| `cache()` | HTTP caching | Static assets |
| `etag()` | ETag generation | API responses |
| `secureHeaders()` | Security headers | All routes |
| `timing()` | Performance metrics | Production monitoring |
| `bearerAuth()` | Bearer token auth | API authentication |
| `basicAuth()` | Basic auth | Admin panels |
| `jwt()` | JWT authentication | API authentication |
| `requestId()` | Request IDs | Logging, tracing |
| `combine()` | Combine middleware | Clean code |
| `trimTrailingSlash()` | URL normalization | All routes |
| `serveStatic()` | Static files | Assets |
| `bodyLimit()` | Body size limit | API routes |
| `timeout()` | Request timeout | Long-running operations |
| `ipRestriction()` | IP filtering | Admin panels |

---

**Official Documentation**: https://hono.dev/docs/guides/middleware