fastify-helmet
Advanced tools
Important security headers for Fastify. It is a tiny wrapper around helmet.
npm i fastify-helmet
Simply require this plugin, and the basic security headers will be set.
const fastify = require('fastify')()
const helmet = require('fastify-helmet')
fastify.register(
helmet,
// Example disables the `contentSecurityPolicy` middleware but keeps the rest.
{ contentSecurityPolicy: false }
)
fastify.listen(3000, err => {
if (err) throw err
})
fastify-helmet provide a simple way for csp nonces generation. You can enable
this behavior by passing { enableCSPNonces: true } into the options. Then, you can
retrieve the nonces through reply.cspNonce.
Note: This feature is implemented inside this module. It is not a valid option or supported by helmet. If you need to use helmet feature only for csp nonce you can follow the example here.
fastify.register(
helmet,
// enable csp nonces generation with default content-security-policy option
{ enableCSPNonces: true }
)
fastify.register(
helmet,
// customize content security policy with nonce generation
{
enableCSPNonces: true,
contentSecurityPolicy: {
directives: {
...
}
}
}
)
fastify.get('/', function(request, reply) {
// retrieve script nonce
reply.cspNonce.script
// retrieve style nonce
reply.cspNonce.style
})
fastify.register(
helmet,
{
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: [
function (req, res) {
// "res" here is actually "reply.raw" in fastify
res.scriptNonce = crypto.randomBytes(16).toString('hex')
}
],
styleSrc: [
function (req, res) {
// "res" here is actually "reply.raw" in fastify
res.styleNonce = crypto.randomBytes(16).toString('hex')
}
]
}
}
}
)
fastify.get('/', function(request, reply) {
// you can access the generated nonce by "reply.raw"
reply.raw.scriptNonce
reply.raw.styleNonce
})
fastify-helmet is just a tiny wrapper around helmet that adds an 'onRequest' hook.
It accepts the same options of Helmet, and you can see more in the helmet documentation.
MIT
FAQs
`fastify-helmet@7.1.0` has been deprecated. Please use `@fastify/helmet@8.0.0` instead.
The npm package fastify-helmet receives a total of 13,636 weekly downloads. As such, fastify-helmet popularity was classified as popular.
We found that fastify-helmet demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 17 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
OpenSSF has published OSPS Baseline, an initiative designed to establish a minimum set of security-related best practices for open source software projects.
Security News
Michigan TypeScript founder Dimitri Mitropoulos implements WebAssembly runtime in TypeScript types, enabling Doom to run after processing 177 terabytes of type definitions.
Security News
vlt's new "reproduce" tool verifies npm packages against their source code, outperforming traditional provenance adoption in the JavaScript ecosystem.