Important security headers for Fastify. It is a port from express of helmet
npm i fastify-helmet --save
Simply require this plugin, and the basic security headers will be set.
const fastify = require('fastify')()
const helmet = require('fastify-helmet')
fastify.register(
helmet,
// Example of passing an option to x-powered-by middleware
{ hidePoweredBy: { setTo: 'PHP 4.2.0' } }
)
fastify.listen(3000, err => {
if (err) throw err
console.log('Server listenting on localhost:', fastify.server.address().port)
})fastify-helmet is a collection of 12 smaller middleware functions that set HTTP headers. Running fastify.register(helmet) will not include all of these middleware functions by default.
| Module | Default? |
|---|---|
| contentSecurityPolicy for setting Content Security Policy | |
| expectCt for handling Certificate Transparency | |
| dnsPrefetchControl controls browser DNS prefetching | ✓ |
| frameguard to prevent clickjacking | ✓ |
| hidePoweredBy to remove the X-Powered-By header | ✓ |
| hpkp for HTTP Public Key Pinning | |
| hsts for HTTP Strict Transport Security | ✓ |
| ieNoOpen sets X-Download-Options for IE8+ | ✓ |
| noCache to disable client-side caching | |
| noSniff to keep clients from sniffing the MIME type | ✓ |
| referrerPolicy to hide the Referer header | |
| xssFilter adds some small XSS protections | ✓ |
fastify-helmet accept the same options of Helmet, and you can see more in the helmet documentation.
MIT