Security: Helmet
Introduction
Helmet helps you secure your applications by setting various HTTP headers. It's not a silver bullet, but it can help!
Basic usage
Athenna uses the @fastify/helmet plugin inside HttpKernel. All
the configurations that @fastify/helmet supports can be set inside config/http.js file in the helmet object:
helmet: {
global: true,
}
warning
We highly recommend opening the config/http.js file in helmet configurations to see a little documentation of all it's options.
Set helmet for specific routes
In Athenna you can set specific options of helmet for specific routes. You can also disable the global option of your
helmet configuration in config/http.js and set different rules in your routes:
Route.get('/hello', 'WelcomeController.show').helmet({ contentSecurityPolicy: false })
Usage in route groups
In route groups you can use the helmet method. This will set the same configuration for all routes inside
the group:
Route.group(() => {
Route.get('/hello', 'WelcomeController.show')
}).helmet({...})
warning
The helmet method of route groups will never subscribe the already set methods of routes. Use then to create "defaults"
configurations for all routes.
Usage in route resources
In route resources you can use the helmet method:
// Set the same configurations for all routes of resource
Route.resource('/tests', 'WelcomeController').helmet({...})
// Set configuration only for that specific action of resource
Route.resource('/tests', 'WelcomeController').helmet('index', {...})
Route.resource('/tests', 'WelcomeController').helmet('store', {...})
Disabling helmet
Helmet plugin is registered in your http application by default, but you can remove it setting the noHelmet as
true in config/http.js file:
noHelmet: true