Comparing changes

base repository: fastify/fastify-helmet
base: v12.0.1
head repository: fastify/fastify-helmet
compare: 785c99a559e44389f071c500abd5dee0c9e3b27b
  • 6 commits
  • 5 files changed
  • 3 contributors

Commits on Sep 23, 2024

  1. Respect route-level contentSecurityPolicy: false setting (#262)

    * Respect route-level `contentSecurityPolicy: false` configuration
    
    Signed-off-by: Alexander Khoroshikh <32790736+AlexandrHoroshih@users.noreply.github.com>
    
    * Add test to ensure that route contentSecurityPolicy: false setting is respected
    
    ---------
    
    Signed-off-by: Alexander Khoroshikh <32790736+AlexandrHoroshih@users.noreply.github.com>
    AlexandrHoroshih authored Sep 23, 2024 (58362be)

Commits on Sep 30, 2024

  1. build(deps): bump helmet from 7.2.0 to 8.0.0 (#263)

    Bumps [helmet](https://github.com/helmetjs/helmet) from 7.2.0 to 8.0.0.
    - [Changelog](https://github.com/helmetjs/helmet/blob/main/CHANGELOG.md)
    - [Commits](helmetjs/helmet@v7.2.0...v8.0.0)
    
    ---
    updated-dependencies:
    - dependency-name: helmet
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Sep 30, 2024 (4dc71c1)

Commits on Nov 1, 2024

  1. build(deps): bump fastify/workflows from 5.0.0 to 5.0.1 (#264)

    Bumps [fastify/workflows](https://github.com/fastify/workflows) from 5.0.0 to 5.0.1.
    - [Release notes](https://github.com/fastify/workflows/releases)
    - [Commits](fastify/workflows@v5.0.0...v5.0.1)
    
    ---
    updated-dependencies:
    - dependency-name: fastify/workflows
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Nov 1, 2024 (3493b74)
  2. ci: use major version of workflows

    Fdawgs committed Nov 1, 2024 (39ee200)

Commits on Nov 3, 2024

  1. style: remove trailing whitespace (#265)

    Fdawgs authored Nov 3, 2024 (6bf2033)

Commits on Nov 25, 2024

  1. 13.0.0

    Fdawgs committed Nov 25, 2024 (785c99a)
Showing with 47 additions and 9 deletions.
  1. +1 −1 .github/workflows/ci.yml
  2. +5 −5 README.md
  3. +1 −1 index.js
  4. +2 −2 package.json
  5. +38 −0 test/routes.test.js
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
@@ -17,6 +17,6 @@ on:

jobs:
test:
uses: fastify/workflows/.github/workflows/plugins-ci.yml@v5.0.0
uses: fastify/workflows/.github/workflows/plugins-ci.yml@v5
with:
license-check: true
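Review bot: the `uses:` line now references `plugins-ci.yml@v5`, a floating tag that fastify/workflows can move at any time, whereas the removed `@v5.0.0` named one exact release; the two preceding commits show the trade-off being made (dependabot bumped the pin 5.0.0 to 5.0.1, then "ci: use major version of workflows" dropped the pin), so the CI definition now changes without a PR to review. If the goal is to stop bump churn while keeping the reusable workflow reproducible, pin to the workflow's full commit SHA with the version in a trailing comment; dependabot still tracks SHA pins and the update stays visible in the history.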
10 changes: 5 additions & 5 deletions README.md
@@ -2,7 +2,7 @@

![CI](https://github.com/fastify/fastify-helmet/workflows/CI/badge.svg)
[![NPM version](https://img.shields.io/npm/v/@fastify/helmet)](https://www.npmjs.com/package/@fastify/helmet)
[![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg?style=flat)](http://standardjs.com/)
[![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg?style=flat)](http://standardjs.com/)

Important security headers for Fastify. It is a tiny wrapper around
[helmet](https://npm.im/helmet).
@@ -88,15 +88,15 @@ fastify.get('/here-we-use-helmet-reply-decorator', async (request, reply) => {
await reply.helmet({ frameguard: false })
}

return {
return {
message: 'we use the helmet reply decorator to conditionally apply helmet middlewares'
}
})
```

### `helmet` route option

`@fastify/helmet` allows you to enable, disable, and customize helmet for each one of your application hooks by using the
`@fastify/helmet` allows you to enable, disable, and customize helmet for each one of your application hooks by using the
`helmet` shorthand route option when you register your application routes.

If you want to disable helmet for a specific endpoint you must pass `{ helmet: false }` to your route options.
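Review bot: this hunk touches only trailing whitespace, yet the sentence it reformats still says the option customizes helmet "for each one of your application hooks" when `helmet` is a route option applied per route, so "routes" would be the accurate word. More importantly, the README in this range does not mention the new behaviour introduced by #262: the paragraph explains `{ helmet: false }` for disabling the plugin on an endpoint but nothing states that `{ helmet: { contentSecurityPolicy: false } }` now suppresses only the `content-security-policy` header while the other helmet headers remain; add a sentence and a short snippet next to the existing `{ helmet: false }` example.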
@@ -169,7 +169,7 @@ fastify.register(
fastify.register(
helmet,
// customize content security policy with nonce generation
{
{
enableCSPNonces: true,
contentSecurityPolicy: {
directives: {
@@ -192,7 +192,7 @@ fastify.get('/', function(request, reply) {
```js
fastify.register(
helmet,
{
{
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
2 changes: 1 addition & 1 deletion index.js
@@ -97,7 +97,7 @@ async function replyDecorators (request, reply, configuration, enableCSP) {
}

async function buildHelmetOnRoutes (request, reply, configuration, enableCSP) {
if (enableCSP === true) {
if (enableCSP === true && configuration.contentSecurityPolicy !== false) {
const cspDirectives = configuration.contentSecurityPolicy
? configuration.contentSecurityPolicy.directives
: helmet.contentSecurityPolicy.getDefaultDirectives()
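Review bot: the added `configuration.contentSecurityPolicy !== false` guard on the `if` line is what fixes the reported bug, because the ternary two lines below falls through to `helmet.contentSecurityPolicy.getDefaultDirectives()` for any falsy value, so a route-level `false` used to get the default CSP instead of no CSP. The strict `!== false` is deliberate (`undefined`, meaning the route said nothing about CSP, must still receive the defaults) but that distinction is one careless "simplify to a falsy check" refactor away from silently regressing; a one-line comment stating why `false` and `undefined` differ here would protect it. Since this is a behaviour change for anyone who relied on the old fallback, it also belongs in the 13.0.0 release notes alongside the helmet major bump.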
4 changes: 2 additions & 2 deletions package.json
@@ -1,6 +1,6 @@
{
"name": "@fastify/helmet",
"version": "12.0.1",
"version": "13.0.0",
"description": "Important security headers for Fastify",
"main": "index.js",
"type": "commonjs",
@@ -47,7 +47,7 @@
},
"dependencies": {
"fastify-plugin": "^5.0.0",
"helmet": "^7.1.0"
"helmet": "^8.0.0"
},
"tsd": {
"directory": "test/types"
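Review bot: `"helmet": "^8.0.0"` is a semver-major update of the library that generates every header this plugin emits, so any header default that changed between helmet 7 and 8 is now a default change for `@fastify/helmet` consumers, and the only place in this range that records it is the dependabot commit message; link the helmet changelog in the 13.0.0 release notes and consider a test that snapshots the complete default header set so the next major bump fails loudly rather than shifting defaults unnoticed. Minor: the commit says "bump helmet from 7.2.0 to 8.0.0" while the range being replaced here is `^7.1.0`, i.e. the message describes the lockfile, not this manifest line.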
38 changes: 38 additions & 0 deletions test/routes.test.js
@@ -286,6 +286,44 @@ test('It should not set default directives when route useDefaults is set to `fal
t.assert.deepStrictEqual(actualResponseHeaders, expected)
})

test('It should not set `content-security-policy` header, if route contentSecurityPolicy is false', async (t) => {
t.plan(1)

const fastify = Fastify()

await fastify.register(helmet, {
global: false,
enableCSPNonces: false,
contentSecurityPolicy: {
directives: {}
}
})

fastify.get(
'/',
{
helmet: {
contentSecurityPolicy: false
}
},
(request, reply) => {
reply.send({ hello: 'world' })
}
)

const response = await fastify.inject({ method: 'GET', path: '/' })

const expected = {
'content-security-policy': undefined
}

const actualResponseHeaders = {
'content-security-policy': response.headers['content-security-policy']
}

t.assert.deepStrictEqual(actualResponseHeaders, expected)
})

test('It should be able to conditionally apply the middlewares through the `helmet` reply decorator', async (t) => {
t.plan(10)
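Review bot: the new test proves only that `content-security-policy` is absent; it does not prove the rest of helmet still ran for the route, so a regression that skipped `buildHelmetOnRoutes` entirely (or a future `{ helmet: false }`-style short circuit) would pass it too. Add a second expected header that helmet always sets next to the `undefined` check, so the assertion captures "CSP off, everything else on". Also, the fixture registers with `enableCSPNonces: false`, while the guard under test sits inside the `enableCSP === true` branch of `buildHelmetOnRoutes`; whether that flag is derived from `enableCSPNonces` is not visible in this diff, so a companion case with `enableCSPNonces: true` would make sure the nonce path honours route-level `contentSecurityPolicy: false` as well.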