fastify-floc-off

fastify-floc-off

Fastify plugin to opt-out of Google's Topics advertising-surveillance API

Overview

The fastify-floc-off plugin adds the "interest-cohort=()" directive to the Permissions-Policy response header to opt-out of Google's Topics advertising-surveillance API. It will create a new header if one does not already exist.

This was originally created to opt-out of Google's FLoC (Federated Learning of Cohorts), which has since been replaced with their Topics API, though it has the same privacy issues.

More information about the issues surrounding Google's FLoC can be found on EFF and Plausible Analytics.

Helmet and fastify-helmet do not support the Permissions-Policy response header setting yet, so this plugin was created out of a need for an easy way to disable/opt-out of Google's Topics API. This ensures users accessing web applications are not subject to Google's unsolicited tracking.

Installation

Install using npm:

npm i fastify-floc-off

Compatibility

Plugin version	Fastify version
>=3.x	^5.x
>=2.x <3.x	^4.x
>=1.x <2.x	^3.x

Please note that if a Fastify version is out of support, then so are the corresponding versions of this plugin in the table above. See Fastify's LTS policy for more details.

Example usage

const Fastify = require("fastify");
const flocOff = require("fastify-floc-off");

const server = Fastify();
server.register(flocOff);

server.get("/", (_req, res) => {
	res.send("ok");
});

server.listen(3000, (err) => {
	if (err) throw err;
	console.log("Server listening on 3000");
});

Contributing

Contributions are welcome, and any help is greatly appreciated!

See the contributing guide for details on how to get started. Please adhere to this project's Code of Conduct when contributing.

Acknowledgements

• Aras Abbasi - TypeScript support

License

fastify-floc-off is licensed under the MIT license.

Changelog

4.0.0 (2025-10-09)

⚠ BREAKING CHANGES

• index: switch to callback style to remove Promise overhead (#286)

Continuous integration

• cd: only scope package if it is not already (#282) (c32806a)
• cd: protect against cache poisoning (#302) (0cea731)
• cd: use oicd for publishing to npm (#285) (2f495ef)
• ci: add typecheck to lint job (#303) (71aab89)
• ci: check dependabot prs originate from repo (#300) (e55a2b4)
• ci: ignore dependabot prs in coverage updates (#308) (7372ebb)
• dependabot: add eslint config to eslint group (#280) (eb82a90)
• deps: bump actions/checkout from 4 to 5 (#294) (6169d7c)
• deps: bump actions/dependency-review-action from 4.7.1 to 4.7.3 (#295) (29fae63)
• deps: bump actions/dependency-review-action from 4.7.3 to 4.8.0 (#304) (9f95645)
• deps: bump actions/setup-node from 4 to 5 (#298) (6a1b7cb)
• deps: bump googleapis/release-please-action from 4.2.0 to 4.3.0 (#293) (870ddd1)
• link-check: retry on 429 response (#284) (7221db9)
• tidy conditional checks (#301) (c798c3f)
• use .nvmrc for node-version (#307) (284dd4d)

Dependencies

• dependabot: add cooldowns (#297) (e27d2f5)
• deps-dev: bump the commitlint group with 2 updates (#305) (c685d68)
• deps: bump dependencies (#309) (3ba2374)

Improvements

• index: cache header name const (#291) (7733093)
• index: hoist setFlocPermissionsHeader to module scope (#289) (fb6eb2c)
• index: switch to callback style to remove Promise overhead (#286) (080df94)
• index: use imperative over func loop to avoid closure overhead (#292) (18506fb)

Miscellaneous

• .devcontainer: add devcontainer (#306) (97d9945)
• .npmrc: ignore scripts (#299) (cf2ddde)
• add .nvmrc file (#296) (0d08df2)
• index: use done over next for callback name (#290) (f45abb5)
• index: use options over opts for param name (#288) (02e9fdd)

Tests

• index: add testcontext jsdoc to satisfy ts2775 on assertions (#287) (f75da54)