{"id":13472770,"url":"https://github.com/fastify/fastify-helmet","last_synced_at":"2025-04-10T03:49:21.159Z","repository":{"id":39887833,"uuid":"95896768","full_name":"fastify/fastify-helmet","owner":"fastify","description":"Important security headers for Fastify","archived":false,"fork":false,"pushed_at":"2024-09-30T05:46:53.000Z","size":224,"stargazers_count":408,"open_issues_count":0,"forks_count":46,"subscribers_count":19,"default_branch":"master","last_synced_at":"2024-10-29T14:46:40.980Z","etag":null,"topics":["fastify","fastify-plugin"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fastify.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"fastify","open_collective":"fastify"}},"created_at":"2017-06-30T14:36:27.000Z","updated_at":"2024-10-23T02:10:24.000Z","dependencies_parsed_at":"2023-09-29T00:22:49.143Z","dependency_job_id":"a01a7481-358f-4744-96da-a83aa4c37521","html_url":"https://github.com/fastify/fastify-helmet","commit_stats":{"total_commits":226,"total_committers":47,"mean_commits":4.808510638297872,"dds":0.7389380530973451,"last_synced_commit":"58362bebb0b6adb4ce80f3bbfb1fce48de214906"},"previous_names":[],"tags_count":39,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastify%2Ffastify-helmet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastify%2Ffastify-helmet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastify%2Ffastify-helmet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastify%2Ffastify-helmet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fastify","download_url":"https://codeload.github.com/fastify/fastify-helmet/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247284912,"owners_count":20913691,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fastify","fastify-plugin"],"created_at":"2024-07-31T16:00:57.840Z","updated_at":"2025-04-10T03:49:20.938Z","avatar_url":"https://github.com/fastify.png","language":"JavaScript","readme":"# @fastify/helmet\n\n[![CI](https://github.com/fastify/fastify-helmet/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/fastify/fastify-helmet/actions/workflows/ci.yml)\n[![NPM version](https://img.shields.io/npm/v/@fastify/helmet)](https://www.npmjs.com/package/@fastify/helmet)\n[![neostandard javascript style](https://img.shields.io/badge/code_style-neostandard-brightgreen?style=flat)](https://github.com/neostandard/neostandard)\n\nImportant security headers for Fastify. It is a tiny wrapper around\n[helmet](https://npm.im/helmet).\n\n## Install\n```\nnpm i @fastify/helmet\n```\n\n### Compatibility\n\n| Plugin version | Fastify version |\n| ---------------|-----------------|\n| `^12.x`        | `^5.x`          |\n| `^9.x`         | `^4.x`          |\n| `^7.x`         | `^3.x`          |\n| `^1.x`         | `^2.x`          |\n| `^1.x`         | `^1.x`          |\n\n\nPlease note that if a Fastify version is out of support, then so are the corresponding versions of this plugin\nin the table above.\nSee [Fastify's LTS policy](https://github.com/fastify/fastify/blob/main/docs/Reference/LTS.md) for more details.\n\n## Usage\n\nSimply require this plugin and the basic security headers will be set.\n\n```js\nconst fastify = require('fastify')()\nconst helmet = require('@fastify/helmet')\n\nfastify.register(\n  helmet,\n  // Example disables the `contentSecurityPolicy` middleware but keeps the rest.\n  { contentSecurityPolicy: false }\n)\n\nfastify.listen({ port: 3000 }, err =\u003e {\n  if (err) throw err\n})\n```\n\n## How it works\n\n`@fastify/helmet` is a tiny wrapper around helmet that adds an `'onRequest'` hook\nand a `reply.helmet` decorator.\n\nIt accepts the same options as helmet, and you can see more in [the helmet documentation](https://helmetjs.github.io/).\n\n### Apply Helmet to all your application routes\n\nBy passing `{ global: true }` into the options, `@fastify/helmet` allows you to register Helmet for all your application\nroutes by default. If you want a more granular control on how to apply Helmet to your application you can choose to\ndisable it on a global scope by passing `{ global: false }` to the options. By default, this option is set to `true`.\n\n#### Example - enable `@fastify/helmet` globally\n\n```js\nfastify.register(helmet)\n// or\nfastify.register(helmet, { global: true })\n```\n\n#### Example - disable `@fastify/helmet` globally\n\n```js\n// register the package with the `{ global: false }` option\nfastify.register(helmet, { global: false })\n\nfastify.get('/route-with-disabled-helmet', async (request, reply) =\u003e {\n  return { message: 'helmet is not enabled here' }\n})\n\nfastify.get('/route-with-enabled-helmet', {\n  // We enable and configure helmet for this route only\n  helmet: {\n    dnsPrefetchControl: {\n      allow: true\n    },\n    frameguard: {\n      action: 'foo'\n    },\n    referrerPolicy: false\n  }\n}, async (request, reply) =\u003e {\n  return { message: 'helmet is enabled here' }\n})\n\n// helmet is disabled on this route but we have access to `reply.helmet` decorator\n// that allows us to apply helmet conditionally\nfastify.get('/here-we-use-helmet-reply-decorator', async (request, reply) =\u003e {\n  if (condition) {\n    // we apply the default options\n    await reply.helmet()\n  } else {\n    // we apply customized options\n    await reply.helmet({ frameguard: false })\n  }\n\n  return {\n    message: 'we use the helmet reply decorator to conditionally apply helmet middlewares'\n  }\n})\n```\n\n### `helmet` route option\n\n`@fastify/helmet` allows you to enable, disable, and customize helmet for each one of your application hooks by using the\n`helmet` shorthand route option when you register your application routes.\n\nIf you want to disable helmet for a specific endpoint you must pass `{ helmet: false }` to your route options.\n\nIf you want to enable or customize helmet for a specific endpoint you must pass a helmet configuration object to your\nroute options. E.g.: `{ helmet: { frameguard: false } }`.\n\n#### Example - `@fastify/helmet` configuration using the `helmet` shorthand route option\n\n```js\n// register the package with the `{ global: true }` option\nfastify.register(helmet, { global: true })\n\nfastify.get('/route-with-disabled-helmet', { helmet: false }, async (request, reply) =\u003e {\n  return { message: 'helmet is not enabled here' }\n})\n\nfastify.get('/route-with-enabled-helmet', async (request, reply) =\u003e {\n  return { message: 'helmet is enabled by default here' }\n})\n\nfastify.get('/route-with-custom-helmet-configuration', {\n  // We change the helmet configuration for this route only\n  helmet: {\n    enableCSPNonces: true,\n    contentSecurityPolicy: {\n      directives: {\n        'directive-1': ['foo', 'bar']\n      },\n      reportOnly: true\n    },\n    dnsPrefetchControl: {\n      allow: true\n    },\n    frameguard: {\n      action: 'foo'\n    },\n    hsts: {\n      maxAge: 1,\n      includeSubDomains: true,\n      preload: true\n    },\n    permittedCrossDomainPolicies: {\n      permittedPolicies: 'foo'\n    },\n    referrerPolicy: false\n  }\n}, async (request, reply) =\u003e {\n  return { message: 'helmet is enabled with a custom configuration on this route' }\n})\n```\n\n### Content-Security-Policy Nonce\n\n`@fastify/helmet` provide a simple way for `csp nonces generation`. You can enable this behavior by passing\n`{ enableCSPNonces: true }` into the options. Then, you can retrieve the `nonces` through `reply.cspNonce`.\n\n\u003e Note: This feature is implemented inside this module. It is not a valid option or supported by helmet.\n\u003e If you need to use helmet feature only for csp nonce you can follow the example [here](#example---generate-by-helmet).\n\n#### Example - Generate by options\n\n```js\nfastify.register(\n  helmet,\n  // enable csp nonces generation with default content-security-policy option\n  { enableCSPNonces: true }\n)\n\nfastify.register(\n  helmet,\n  // customize content security policy with nonce generation\n  {\n    enableCSPNonces: true,\n    contentSecurityPolicy: {\n      directives: {\n        ...\n      }\n    }\n  }\n)\n\nfastify.get('/', function(request, reply) {\n  // retrieve script nonce\n  reply.cspNonce.script\n  // retrieve style nonce\n  reply.cspNonce.style\n})\n```\n\n#### Example - Generate by helmet\n\n```js\nfastify.register(\n  helmet,\n  {\n    contentSecurityPolicy: {\n      directives: {\n        defaultSrc: [\"'self'\"],\n        scriptSrc: [\n          function (req, res) {\n            // \"res\" here is actually \"reply.raw\" in fastify\n            res.scriptNonce = crypto.randomBytes(16).toString('hex')\n            // make sure to return nonce-... directive to helmet, so it can be sent in the headers\n            return `'nonce-${res.scriptNonce}'`\n          }\n        ],\n        styleSrc: [\n          function (req, res) {\n            // \"res\" here is actually \"reply.raw\" in fastify\n            res.styleNonce = crypto.randomBytes(16).toString('hex')\n            // make sure to return nonce-... directive to helmet, so it can be sent in the headers\n            return `'nonce-${res.styleNonce}'`\n          }\n        ]\n      }\n    }\n  }\n)\n\nfastify.get('/', function(request, reply) {\n  // you can access the generated nonce by \"reply.raw\"\n  reply.raw.scriptNonce\n  reply.raw.styleNonce\n})\n\n```\n\n### Disable Default `helmet` Directives\n\nBy default, `helmet` will add [a default set of CSP directives](https://github.com/helmetjs/helmet/tree/main/middlewares/content-security-policy#content-security-policy-middleware) to the response.\nThis behavior can be disabled by setting `useDefaults: false` in the `contentSecurityPolicy` configuration.\n\n```js\nfastify.register(\n  helmet,\n  {\n    contentSecurityPolicy: {\n      useDefaults: false,\n      directives: {\n        'default-src': [\"'self'\"]\n      }\n    }\n  }\n)\n```\n\n## License\n\nLicensed under [MIT](./LICENSE).\n","funding_links":["https://github.com/sponsors/fastify","https://opencollective.com/fastify"],"categories":["JavaScript","Web Framework Hardening","\u003ch2 align=\"center\"\u003eAwesome Fastify\u003c/h2\u003e"],"sub_categories":["\u003ch2 align=\"center\"\u003eEcosystem\u003c/h2\u003e"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffastify%2Ffastify-helmet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffastify%2Ffastify-helmet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffastify%2Ffastify-helmet/lists"}