Important security headers for Fastify
Clone or download
Latest commit 08c07ae Nov 16, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
benchmarks Bumped v1.0.0. Jul 1, 2017
.gitignore Initial commit Jun 30, 2017
.travis.yml Updated deps and added node 11 to .travis.yml Nov 16, 2018
LICENSE Initial import. Jul 1, 2017 add feature-policy Nov 12, 2018
config.json Initial import. Jul 1, 2017
example.js Initial import. Jul 1, 2017
index.d.ts add feature types Nov 15, 2018
index.js fix: crossdomain name Nov 15, 2018
package.json Bumped v3.0.0 Nov 16, 2018
test.js fix: crossdomain name Nov 15, 2018
tsconfig.json test(index): add tests for type definitions Aug 23, 2018
types.test.ts add feature types Nov 15, 2018


js-standard-style Build Status Greenkeeper badge

Important security headers for Fastify. It is a port from express of helmet


npm i fastify-helmet --save


Simply require this plugin, and the basic security headers will be set.

const fastify = require('fastify')()
const helmet = require('fastify-helmet')

  // Example of passing an option to x-powered-by middleware
  { hidePoweredBy: { setTo: 'PHP 4.2.0' } }

fastify.listen(3000, err => {
  if (err) throw err
  console.log('Server listenting on localhost:', fastify.server.address().port)

How it works

fastify-helmet is a collection of 12 smaller middleware functions that set HTTP headers. Running fastify.register(helmet) will not include all of these middleware functions by default.

Module Default?
contentSecurityPolicy for setting Content Security Policy
crossdomain for handling Adobe products’ crossdomain requests
expectCt for handling Certificate Transparency
dnsPrefetchControl controls browser DNS prefetching
featurePolicy to limit your site’s features
frameguard to prevent clickjacking
hidePoweredBy to remove the X-Powered-By header
hpkp for HTTP Public Key Pinning
hsts for HTTP Strict Transport Security
ieNoOpen sets X-Download-Options for IE8+
noCache to disable client-side caching
noSniff to keep clients from sniffing the MIME type
referrerPolicy to hide the Referer header
xssFilter adds some small XSS protections

fastify-helmet accept the same options of Helmet, and you can see more in the helmet documentation.