Middleware is code that runs around every route handler — for cross-cutting behavior like sessions, CSRF, security headers, static files, CORS, and auth. Use this section when something belongs around a handler rather than inside it. Chirp middleware is just a function that matches a Protocol: no base class, no inheritance.
New here? Start with Built-in Middleware to wire the secure-by-default stack (sessions, CSRF, and security headers). Reach for Custom Middleware when you need your own.
How Chirp's protocol-based middleware works — the function shape, the pipeline order, and how to short-circuit
The middleware Chirp ships — CORS, static files, sessions, auth, CSRF, security headers, rate limiting, and host validation — plus the secure-by-default stack and the order to wire it.
Writing your own middleware with functions and classes
Inspect rendering decisions from middleware for analytics, caching, and debugging
Speed up first paint with HTTP 103 Early Hints via the Link/preload header convention