Hapi plugin to sanitize the request payload
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
.eslintignore Add project boilerplate Mar 8, 2016
.node-version feat(hapi): upgrade to hapi 17 (#9) Mar 8, 2018


hapi-sanitize-payload npm version Build Status

A plugin to recursively sanitize or prune values in a request.payload object.

Currently uses the following rules:

  • Removes null characters (ie. \0) from string values
  • Deletes from the payload keys with a value of empty string (ie. ''), or optionally replaces them with a different value
  • Deletes from the payload keys with a value consisting entirely of whitespace (ie. ' \t\n '), or optionally replaces them with a different value
  • Deletes whitespace from ends of string (ie. ' text ' becomes 'text')
  • Optionally deletes/replaces null values

Registering the plugin

const registerPlugins = async (server) => {
  await server.register([
    { plugin: require('hapi-sanitize-payload'), options: { pruneMethod: 'delete' } }


  • enabled - whether or not the plugin is enabled.
  • pruneMethod - the method the sanitizer uses when a value that is to be pruned is encountered. Defaults to 'delete'. The value must be one of:
    • 'delete' - the key will be removed from the payload entirely (ie. { a: '', b: 'b' } ➡️ { b: 'b' }).
    • 'replace' - the key will be preserved, but its value will be replaced with the value of replaceValue.
  • replaceValue - valid only when pruneMethod is set to 'replace', this value will be used as the replacement of any pruned values (ie. if configured as null, then { a: '', b: 'b' } ➡️ { a: null, b: 'b' }).
  • stripNull - a boolean value to signify whether or not null properties should be pruned with the same pruneMethod and replaceValue as above. Defaults to false.

Each of the above options can be configured on a route-by-route basis via the sanitize plugin object.

const registerRoutes = (server) => {
    method: 'POST',
    path: '/users',
    handler: () => {
      // handler logic
    options: {
      plugins: {
        sanitize: { enabled: false }

Setting up the server.

(async () => {
  try {
    const server = new Hapi.Server();

    await registerPlugins(server);

    await server.start();
  } catch (err) {
    // Insert your preferred error handling here...