Numerous Pulsating Martians

    npm

    Sign UpSign In

    fastify-helmet
    TypeScript icon, indicating that this package has built-in type declarations

    5.3.2 • Public • Published

    fastify-helmet

    CI NPM version Known Vulnerabilities Coverage Status js-standard-style

    Important security headers for Fastify. It is a tiny wrapper around helmet.

    Install

    npm i fastify-helmet

    Usage

    Simply require this plugin, and the basic security headers will be set.

    const fastify = require('fastify')()
const helmet = require('fastify-helmet')

fastify.register(
  helmet,
  // Example disables the `contentSecurityPolicy` middleware but keeps the rest.
  { contentSecurityPolicy: false }
)

fastify.listen(3000, err => {
  if (err) throw err
})

    Content-Security-Policy Nonce

    fastify-helmet provide a simple way for csp nonces generation. You can enable this behavior by passing { enableCSPNonces: true } into the options. Then, you can retrieve the nonces through reply.cspNonce.

    Note: This feature is implemented inside this module. It is not a valid option or supported by helmet. If you need to use helmet feature only for csp nonce you can follow the example here.

    Example - Generate by options

    fastify.register(
  helmet,
  // enable csp nonces generation with default content-security-policy option
  { enableCSPNonces: true }
)

fastify.register(
  helmet,
  // customize content security policy with nonce generation
  { 
    enableCSPNonces: true,
    contentSecurityPolicy: {
      directives: {
        ...
      }
    }
  }
)

fastify.get('/', function(request, reply) {
  // retrieve script nonce
  reply.cspNonce.script
  // retrieve style nonce
  reply.cspNonce.style
})

    Example - Generate by helmet

    fastify.register(
  helmet,
  { 
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc: [
          function (req, res) {
            // "res" here is actually "reply.raw" in fastify
            res.scriptNonce = crypto.randomBytes(16).toString('hex')
          }
        ],
        styleSrc: [
          function (req, res) {
            // "res" here is actually "reply.raw" in fastify
            res.styleNonce = crypto.randomBytes(16).toString('hex')
          }
        ]
      }
    }
  }
)

fastify.get('/', function(request, reply) {
  // you can access the generated nonce by "reply.raw"
  reply.raw.scriptNonce
  reply.raw.styleNonce
})

    How it works

    fastify-helmet is just a tiny wrapper around helmet that adds an 'onRequest' hook. It accepts the same options of Helmet, and you can see more in the helmet documentation.

    License

    MIT

    Keywords

    Install

    npm i fastify-helmet

    Repository

    Gitgithub.com/fastify/fastify-helmet

    Homepage

    github.com/fastify/fastify-helmet#readme

    DownloadsWeekly Downloads

    47,686

    Version

    5.3.2

    License

    MIT

    Unpacked Size

    21.4 kB

    Total Files

    13

    Last publish

    Collaborators

    • zekth
    • starptech
    • delvedor
    • matteo.collina
    • allevo
    • jsumners
    • ethan_arrowood
    • eomm
    • fox1t
    • salmanm
    • davidmarkclements
    • airhorns
    • kibertoad
    • climba03003
    Try on RunKit
    Report malware