node package manager



js-standard-style Build Status Greenkeeper badge

Important security headers for Fastify. It is a port from express of helmet


npm i fastify-helmet --save


Simply require this plugin, and the basic security headers will be set.

const fastify = require('fastify')()
const helmet = require('fastify-helmet')
  // Example of passing an option to x-powered-by middleware
  { hidePoweredBy: { setTo: 'PHP 4.2.0' } }
fastify.listen(3000, err => {
  if (err) throw err
  console.log('Server listenting on localhost:', fastify.server.address().port)

How it works

fastify-helmet is a collection of 12 smaller middleware functions that set HTTP headers. Running fastify.register(helmet) will not include all of these middleware functions by default.

Module Default?
contentSecurityPolicy for setting Content Security Policy
expectCt for handling Certificate Transparency
dnsPrefetchControl controls browser DNS prefetching
frameguard to prevent clickjacking
hidePoweredBy to remove the X-Powered-By header
hpkp for HTTP Public Key Pinning
hsts for HTTP Strict Transport Security
ieNoOpen sets X-Download-Options for IE8+
noCache to disable client-side caching
noSniff to keep clients from sniffing the MIME type
referrerPolicy to hide the Referer header
xssFilter adds some small XSS protections

fastify-helmet accept the same options of Helmet, and you can see more in the helmet documentation.