Important security headers for Fastify

Important security headers for Fastify. It is a tiny wrapper around helmet.


npm i fastify-helmet


Simply require this plugin, and the basic security headers will be set.

```js
const fastify = require('fastify')()
const helmet = require('fastify-helmet')

fastify.register(
  helmet,
  // Example disables the contentSecurityPolicy middleware but keeps the rest.
  { contentSecurityPolicy: false }
)

fastify.listen(3000, err => {
  if (err) throw err
})
```

Content-Security-Policy Nonce

fastify-helmet provides a simple way for CSP nonce generation. You can enable this behavior by passing { enableCSPNonces: true } into the options. Then, you can retrieve the

Note: This feature is implemented inside this module; it is not a valid option of, or supported by, helmet itself. If you need to rely on helmet's own features only for CSP nonces, you can follow the "Example - Generate by helmet" below.

Example - Generate by options

```js
fastify.register(
  helmet,
  // enable csp nonces generation with default content-security-policy option
  { enableCSPNonces: true }
)
```

or, with a customized policy:

```js
fastify.register(
  helmet,
  // customize content security policy with nonce generation
  {
    enableCSPNonces: true,
    contentSecurityPolicy: {
      directives: {
        /* ... */
      }
    }
  }
)

fastify.get('/', function (request, reply) {
  // retrieve script nonce
  reply.cspNonce.script
  // retrieve style nonce
  reply.cspNonce.style
})
```

Example - Generate by helmet

```js
const crypto = require('crypto')

fastify.register(helmet, {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: [
        function (req, res) {
          // "res" here is actually "reply.raw" in fastify
          res.scriptNonce = crypto.randomBytes(16).toString('hex')
          // helmet expects the directive function to return the source expression
          return `'nonce-${res.scriptNonce}'`
        }
      ],
      styleSrc: [
        function (req, res) {
          // "res" here is actually "reply.raw" in fastify
          res.styleNonce = crypto.randomBytes(16).toString('hex')
          return `'nonce-${res.styleNonce}'`
        }
      ]
    }
  }
})

fastify.get('/', function (request, reply) {
  // you can access the generated nonce by "reply.raw"
  reply.raw.scriptNonce
  reply.raw.styleNonce
})
```

How it works

fastify-helmet is just a tiny wrapper around helmet that adds a hook. It accepts the same options as helmet; see the helmet documentation for more.


