version 1.0.0

Security: Helmet

Introduction

Helmet helps you secure your applications by setting various HTTP headers. It's not a silver bullet, but it can help!

Basic usage

Athenna uses the @fastify/helmet plugin inside HttpKernel. Every option that @fastify/helmet supports can be set in the helmet object of the config/http.js file:

helmet: {
  global: true,
}
warning

We highly recommend opening the config/http.js file and reading the helmet section, which contains a short description of all of its options.

Set helmet for specific routes

In Athenna you can set helmet options for specific routes. You can also disable the global option of your helmet configuration in config/http.js and set different rules per route:

Route.get('/hello', 'WelcomeController.show').helmet({ contentSecurityPolicy: false })
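A route-level override like the one above changes which headers that route's responses carry. The following is an added example, not code from Athenna or @fastify/helmet: a small audit that reports which of helmet's default headers are absent from a response, run here on constructed sample responses for the global configuration and for the /hello route with contentSecurityPolicy disabled. The header list and sample values are assumptions based on helmet's default configuration, and auditUrl assumes a running app reachable with fetch.

```javascript
// Added example (not Athenna's or @fastify/helmet's code): audit a response's
// headers against the set that helmet's default configuration emits, so you
// can confirm what a route-level override such as
// { contentSecurityPolicy: false } actually removed.

// Subset of headers helmet sets by default, lower-cased as Node exposes them.
const HELMET_DEFAULT_HEADERS = [
  'content-security-policy',
  'cross-origin-opener-policy',
  'cross-origin-resource-policy',
  'referrer-policy',
  'strict-transport-security',
  'x-content-type-options',
  'x-frame-options',
];

// Return the expected helmet headers that are absent from `headers`.
// `headers` is a plain object like Node's IncomingMessage.headers.
function missingHelmetHeaders(headers, expected = HELMET_DEFAULT_HEADERS) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return expected.filter((name) => !present.has(name));
}

// Fetch a URL of a running app and audit its response headers.
async function auditUrl(url) {
  const res = await fetch(url);
  return missingHelmetHeaders(Object.fromEntries(res.headers));
}

// Constructed sample responses (not captured from a real server).
// A route covered by the global helmet configuration:
const globalRouteHeaders = {
  'Content-Security-Policy': "default-src 'self'",
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
  'Referrer-Policy': 'no-referrer',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
};
// The /hello route with contentSecurityPolicy: false loses only the CSP header.
const helloRouteHeaders = { ...globalRouteHeaders };
delete helloRouteHeaders['Content-Security-Policy'];

console.log('global route missing:', missingHelmetHeaders(globalRouteHeaders));
console.log('/hello missing:', missingHelmetHeaders(helloRouteHeaders));
```

Running this against every route of a deployed app makes an accidental `contentSecurityPolicy: false` visible in a test rather than in production.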

Usage in route groups

In route groups you can use the helmet method. This sets the same configuration for all routes inside the group:

Route.group(() => {
  Route.get('/hello', 'WelcomeController.show')
}).helmet({...})
warning

The helmet method of route groups never overwrites options already set on individual routes. Use it to create "default" configurations for all routes in the group.

Usage in route resources

In route resources you can use the helmet method:

// Set the same configurations for all routes of resource
Route.resource('/tests', 'WelcomeController').helmet({...})

// Set configuration only for that specific action of resource
Route.resource('/tests', 'WelcomeController').helmet('index', {...})
Route.resource('/tests', 'WelcomeController').helmet('store', {...})

Disabling helmet

The Helmet plugin is registered in your http application by default, but you can remove it by setting noHelmet to true in the config/http.js file:

noHelmet: true