Security News
Supply Chain Attack Detected in Solana's web3.js Library
A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library.
By Sarah Gooding - Dec 03, 2024
Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
fastify-helmet
Advanced tools
fastify-helmet
Important security headers for Fastify. It is a tiny wrapper around helmet.
Install
npm i fastify-helmet
Usage
Simply require this plugin, and the basic security headers will be set.
const fastify = require('fastify')()
const helmet = require('fastify-helmet')
fastify.register(
helmet,
// Example disables the `contentSecurityPolicy` middleware but keeps the rest.
{ contentSecurityPolicy: false }
)
fastify.listen(3000, err => {
if (err) throw err
})
Content-Security-Policy Nonce
fastify-helmet provide a simple way for csp nonces generation. You can enable
this behavior by passing { enableCSPNonces: true } into the options. Then, you can
retrieve the nonces through reply.cspNonce.
Note: This feature is implemented inside this module. It is not a valid option or supported by helmet. If you need to use helmet feature only for csp nonce you can follow the example here.
Example - Generate by options
fastify.register(
helmet,
// enable csp nonces generation with default content-security-policy option
{ enableCSPNonces: true }
)
fastify.register(
helmet,
// customize content security policy with nonce generation
{
enableCSPNonces: true,
contentSecurityPolicy: {
directives: {
...
}
}
}
)
fastify.get('/', function(request, reply) {
// retrieve script nonce
reply.cspNonce.script
// retrieve style nonce
reply.cspNonce.style
})
Example - Generate by helmet
fastify.register(
helmet,
{
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: [
function (req, res) {
// "res" here is actually "reply.raw" in fastify
res.scriptNonce = crypto.randomBytes(16).toString('hex')
}
],
styleSrc: [
function (req, res) {
// "res" here is actually "reply.raw" in fastify
res.styleNonce = crypto.randomBytes(16).toString('hex')
}
]
}
}
}
)
fastify.get('/', function(request, reply) {
// you can access the generated nonce by "reply.raw"
reply.raw.scriptNonce
reply.raw.styleNonce
})
How it works
fastify-helmet is just a tiny wrapper around helmet that adds an 'onRequest' hook.
It accepts the same options of Helmet, and you can see more in the helmet documentation.
License
MIT
FAQs
`fastify-helmet@7.1.0` has been deprecated. Please use `@fastify/helmet@8.0.0` instead.
We found that fastify-helmet demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 17 open source maintainers collaborating on the project.
Package last updated on 05 Mar 2021
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
By Socket Research Team - Dec 02, 2024
Security News
Research
Typosquatting Cryptographic Libraries: Malicious npm Packages Threaten Crypto Developers with Keylogging and Wallet Theft
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
By Kirill Boychenko - Nov 27, 2024