Security: Helmet
Introduction
Helmet helps you secure your applications by setting various HTTP headers. It's not a silver bullet, but it can help!
Basic usage
Athenna uses the @fastify/helmet plugin inside HttpKernel. All the configurations that @fastify/helmet supports can be set inside the config/http.js file, in the helmet object:
helmet: {
  global: true,
}
warning
We highly recommend opening the helmet section of the config/http.js file to see the short documentation of all its options.
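Once Helmet is enabled (globally or per route), the useful check is whether the response headers actually carry the protections you expect. The script below is an added example, not code from Athenna or @fastify/helmet: it audits a header map against the headers Helmet's default configuration emits and reports which are missing or carry a weak value. The `auditUrl` helper and the sample header map are assumptions constructed for the example; the sample mimics a route where contentSecurityPolicy was set to false.

```javascript
// Added example (not Athenna's or @fastify/helmet's code): audit a response's
// headers for the protections Helmet's default configuration sets, so a
// deployment can be verified after enabling or tuning the plugin.
// Header names and default values below are the documented Helmet defaults.

// Each check: a lowercase header name and a predicate on its value.
const EXPECTED_HEADERS = [
  { name: 'content-security-policy', ok: v => typeof v === 'string' && v.includes('default-src') },
  { name: 'x-content-type-options', ok: v => v === 'nosniff' },
  { name: 'x-frame-options', ok: v => ['SAMEORIGIN', 'DENY'].includes(String(v).toUpperCase()) },
  { name: 'strict-transport-security', ok: v => /max-age=\d+/.test(String(v)) },
  { name: 'referrer-policy', ok: v => typeof v === 'string' && v.length > 0 },
  { name: 'x-dns-prefetch-control', ok: v => v === 'off' },
];

// Header names are case-insensitive; normalise them so lookups are stable.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns { missing, weak, ok }: header absent, present with a value that fails
// its predicate, or present and acceptable.
function auditSecurityHeaders(headers) {
  const h = normalizeHeaders(headers);
  const result = { missing: [], weak: [], ok: [] };
  for (const check of EXPECTED_HEADERS) {
    if (!(check.name in h)) result.missing.push(check.name);
    else if (!check.ok(h[check.name])) result.weak.push(check.name);
    else result.ok.push(check.name);
  }
  return result;
}

// Hypothetical helper: fetch a URL (Node 18+ global fetch) and audit it.
// Redirects are not followed so the audited headers belong to the requested route.
async function auditUrl(url) {
  const res = await fetch(url, { redirect: 'manual' });
  return auditSecurityHeaders(Object.fromEntries(res.headers.entries()));
}

// Constructed sample: a route configured with contentSecurityPolicy: false
// still gets the other default headers, but no CSP.
const SAMPLE_WITHOUT_CSP = {
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'Referrer-Policy': 'no-referrer',
  'X-DNS-Prefetch-Control': 'off',
  'Content-Type': 'application/json',
};

console.log(auditSecurityHeaders(SAMPLE_WITHOUT_CSP));
```

Run it against a live route with `auditUrl('http://localhost:3000/hello')` after changing helmet options; a route that disables a header on purpose should show up under `missing`, and anything under `weak` deserves a look at the corresponding option in config/http.js.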
Set helmet for specific routes
In Athenna you can set specific options of helmet for specific routes. You can also disable the global option of your helmet configuration in config/http.js and set different rules in your routes:
Route.get('/hello', 'WelcomeController.show').helmet({ contentSecurityPolicy: false })
Usage in route groups
In route groups you can use the helmet method. This will set the same configuration for all routes inside the group:
Route.group(() => {
  Route.get('/hello', 'WelcomeController.show')
}).helmet({...})
warning
The helmet method of route groups never overrides options already set on individual routes. Use it to create "default" configurations for all routes in the group.
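The precedence described above (route options win, group and resource options only fill in what the route did not set) is easy to get wrong when a route deliberately switches a header off. The model below is an added example, not Athenna's router code: `resolveHelmetOptions` and the `HelmetRouteTable` class are hypothetical names that mirror the documented behaviour so the outcome for a given route can be checked; the option objects use @fastify/helmet option names.

```javascript
// Added example (not Athenna's code): a model of how group defaults and
// route-specific helmet options combine. Route-level options always win;
// group options only fill in keys the route has not set.

// Shallow merge from lowest to highest precedence. A route that sets
// contentSecurityPolicy: false keeps that even if its group sets a policy.
function resolveHelmetOptions(globalDefaults, groupOptions, routeOptions) {
  return { ...globalDefaults, ...(groupOptions ?? {}), ...(routeOptions ?? {}) };
}

// Hypothetical registry mirroring Route.get(...).helmet({...}) and
// Route.group(...).helmet({...}) semantics from the docs.
class HelmetRouteTable {
  constructor(globalDefaults) {
    this.globalDefaults = globalDefaults;
    this.routes = new Map();
  }

  // Register a route with its own helmet options (may be omitted).
  route(path, options) {
    this.routes.set(path, { route: options, group: undefined });
    return this;
  }

  // Apply group defaults to the given paths; never overrides route options.
  group(paths, options) {
    for (const p of paths) {
      const entry = this.routes.get(p);
      if (entry) entry.group = options;
    }
    return this;
  }

  // Effective options for one route.
  resolve(path) {
    const entry = this.routes.get(path);
    if (!entry) throw new Error(`unknown route ${path}`);
    return resolveHelmetOptions(this.globalDefaults, entry.group, entry.route);
  }
}

// Constructed sample: /hello opts out of CSP, /admin inherits the group's policy.
const table = new HelmetRouteTable({ global: true, hsts: { maxAge: 15552000 } })
  .route('/hello', { contentSecurityPolicy: false })
  .route('/admin')
  .group(['/hello', '/admin'], {
    contentSecurityPolicy: { directives: { 'default-src': ["'self'"] } },
    frameguard: { action: 'deny' },
  });

console.log(table.resolve('/hello'));
console.log(table.resolve('/admin'));
```

The model resolves option objects only; turning them into response headers is @fastify/helmet's job. Its value is in making the exception visible: when reviewing routes, every path whose resolved options contain a `false` is one where a protection was switched off on purpose and should be justified.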
Usage in route resources
In route resources you can use the helmet method:
// Set the same configurations for all routes of resource
Route.resource('/tests', 'WelcomeController').helmet({...})
// Set configuration only for that specific action of resource
Route.resource('/tests', 'WelcomeController').helmet('index', {...})
Route.resource('/tests', 'WelcomeController').helmet('store', {...})
Disabling helmet
The Helmet plugin is registered in your HTTP application by default, but you can remove it by setting noHelmet to true in the config/http.js file:
noHelmet: true