
    fastify-helmet

    5.3.2 • Public • Published

    fastify-helmet


    Important security headers for Fastify. It is a tiny wrapper around helmet.

    Install

    npm i fastify-helmet
    

    Usage

    Simply require this plugin, and the basic security headers will be set.

    const fastify = require('fastify')()
    const helmet = require('fastify-helmet')
    
    fastify.register(
      helmet,
      // Example disables the `contentSecurityPolicy` middleware but keeps the rest.
      { contentSecurityPolicy: false }
    )
    
    fastify.listen(3000, err => {
      if (err) throw err
    })

    Content-Security-Policy Nonce

    fastify-helmet provides a simple way to generate CSP nonces. Enable it by passing { enableCSPNonces: true } in the options; the plugin then mints a fresh pair of nonces for every request, adds the matching 'nonce-<value>' sources to the Content-Security-Policy header, and exposes the values on reply.cspNonce (reply.cspNonce.script and reply.cspNonce.style) so your templates can put the same nonce on inline <script> and <style> tags.

    Note: this feature is implemented in fastify-helmet itself; enableCSPNonces is not a helmet option and helmet does not support it. If you only want to use helmet's own mechanism for CSP nonces, follow the "Generate by helmet" example below.

    Example - Generate by options

    // Either: enable CSP nonce generation with helmet's default
    // content-security-policy directives ...
    fastify.register(
      helmet,
      { enableCSPNonces: true }
    )
    
    // ... or: customize the content security policy and still generate nonces.
    // Register the plugin only once; the two calls show alternative options.
    fastify.register(
      helmet,
      { 
        enableCSPNonces: true,
        contentSecurityPolicy: {
          directives: {
            ...
          }
        }
      }
    )
    
    fastify.get('/', function (request, reply) {
      // retrieve the per-request script and style nonces
      const scriptNonce = reply.cspNonce.script
      const styleNonce = reply.cspNonce.style
      // put the same values on the inline tags so the browser accepts them
      reply.type('text/html').send(
        `<style nonce="${styleNonce}">body{margin:0}</style>` +
        `<script nonce="${scriptNonce}">console.log('ok')</script>`
      )
    })

    Example - Generate by helmet

    const crypto = require('crypto')
    
    fastify.register(
      helmet,
      { 
        contentSecurityPolicy: {
          directives: {
            defaultSrc: ["'self'"],
            scriptSrc: [
              function (req, res) {
                // "res" here is actually "reply.raw" in fastify
                res.scriptNonce = crypto.randomBytes(16).toString('hex')
                // helmet uses the returned string as the script-src source
                return `'nonce-${res.scriptNonce}'`
              }
            ],
            styleSrc: [
              function (req, res) {
                // "res" here is actually "reply.raw" in fastify
                res.styleNonce = crypto.randomBytes(16).toString('hex')
                return `'nonce-${res.styleNonce}'`
              }
            ]
          }
        }
      }
    )
    
    fastify.get('/', function (request, reply) {
      // the generated nonces live on "reply.raw"
      const { scriptNonce, styleNonce } = reply.raw
      reply.type('text/html').send(
        `<style nonce="${styleNonce}">body{margin:0}</style>` +
        `<script nonce="${scriptNonce}">console.log('ok')</script>`
      )
    })

    How it works

    fastify-helmet is a tiny wrapper around helmet: it registers an 'onRequest' hook that calls helmet with request.raw and reply.raw, so every response gets the headers helmet would set in an Express app. It accepts the same options as helmet; see the helmet documentation for the full list.

    License

    MIT


    Collaborators

    • zekth
    • starptech
    • delvedor
    • matteo.collina
    • allevo
    • jsumners
    • ethan_arrowood
    • eomm
    • fox1t
    • salmanm
    • davidmarkclements
    • airhorns
    • kibertoad
    • climba03003