fastify-helmet

Important security headers for Fastify. It is a tiny wrapper around helmet.

Install

npm i fastify-helmet

Usage

Simply register this plugin, and the basic security headers will be set on every response.

const fastify = require('fastify')()
const helmet = require('fastify-helmet')

fastify.register(
  helmet,
  // Example disables the contentSecurityPolicy middleware but keeps the rest.
  { contentSecurityPolicy: false }
)

fastify.listen(3000, err => {
  if (err) throw err
})

Content-Security-Policy Nonce

fastify-helmet provides a simple way to generate CSP nonces. You can enable this behavior by passing { enableCSPNonces: true } in the options. You can then retrieve the nonces through reply.cspNonce, which holds one nonce for scripts (reply.cspNonce.script) and one for styles (reply.cspNonce.style); both are generated fresh for every request.

Note: this feature is implemented inside this module. enableCSPNonces is not a valid option of helmet and is not supported by it. If you want to use only helmet's own features to generate CSP nonces, follow the "Generate by helmet" example below.

Example - Generate by options

fastify.register(
  helmet,
  // enable csp nonces generation with default content-security-policy option
  { enableCSPNonces: true }
)

fastify.register(
  helmet,
  // customize content security policy with nonce generation
  {
    enableCSPNonces: true,
    contentSecurityPolicy: {
      directives: {
        ...
      }
    }
  }
)

fastify.get('/', function (request, reply) {
  // retrieve script nonce
  reply.cspNonce.script
  // retrieve style nonce
  reply.cspNonce.style
})

Example - Generate by helmet

const crypto = require('crypto')

fastify.register(
  helmet,
  {
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc: [
          function (req, res) {
            // "res" here is actually "reply.raw" in fastify
            res.scriptNonce = crypto.randomBytes(16).toString('hex')
            // helmet uses the returned string as the directive source,
            // so the nonce must be returned to end up in the header
            return "'nonce-" + res.scriptNonce + "'"
          }
        ],
        styleSrc: [
          function (req, res) {
            // "res" here is actually "reply.raw" in fastify
            res.styleNonce = crypto.randomBytes(16).toString('hex')
            return "'nonce-" + res.styleNonce + "'"
          }
        ]
      }
    }
  }
)

fastify.get('/', function (request, reply) {
  // you can access the generated nonces through "reply.raw"
  reply.raw.scriptNonce
  reply.raw.styleNonce
})

How it works

fastify-helmet is just a tiny wrapper around helmet that adds an 'onRequest' hook, so the headers are set before any route handler runs. It accepts the same options as helmet; see the helmet documentation for the full list.

License

MIT