@fastify/helmet

Sets security-related HTTP headers to harden the application.

Since Fastify 5

Syntax

app.register(helmet, options?)

Parameters

Name     Type    Required  Description
options  object  No        Per-header settings, e.g. contentSecurityPolicy and hsts.

Returns

Promise<void> — Resolves when the plugin is registered.

Examples

import Fastify from 'fastify';
import helmet from '@fastify/helmet';

const app = Fastify();

await app.register(helmet, {
  contentSecurityPolicy: {
    directives: { defaultSrc: ["'self'"] },
  },
});

Notes

Wraps the helmet middleware. It sets headers such as X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security. Tune the CSP for your app; disable an individual header by setting its option to false.
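To confirm that the headers named above actually reach clients after tuning, the following added example (not part of the @fastify/helmet documentation) audits a response-headers object, for instance the headers of a response returned by Fastify's app.inject(). The function names, the HSTS floor and the sample headers are assumptions made for illustration.

```javascript
// Added example, not project code. The threshold and sample values are assumptions.
const MIN_HSTS_MAX_AGE = 15552000; // assumed floor: 180 days, in seconds

// "default-src 'self'; img-src *" -> { 'default-src': ["'self'"], 'img-src': ['*'] }
function parseCsp(value) {
  const directives = Object.create(null);
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

function auditSecurityHeaders(rawHeaders) {
  const h = {}; // header names are case-insensitive, so normalise them first
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff')
    findings.push('x-content-type-options: missing or not nosniff');
  if (!/^(deny|sameorigin)$/i.test(h['x-frame-options'] || ''))
    findings.push('x-frame-options: missing or not DENY/SAMEORIGIN');
  const hsts = /(?:^|;)\s*max-age="?(\d+)/i.exec(h['strict-transport-security'] || '');
  if (!hsts) findings.push('strict-transport-security: missing max-age');
  else if (Number(hsts[1]) < MIN_HSTS_MAX_AGE)
    findings.push('strict-transport-security: max-age below floor');
  if (!h['content-security-policy']) {
    findings.push('content-security-policy: missing');
    return findings;
  }
  const csp = parseCsp(h['content-security-policy']);
  if (!csp['default-src']) findings.push('content-security-policy: no default-src fallback');
  // script-src falls back to default-src when absent, so check whichever governs scripts.
  const scriptSources = csp['script-src'] || csp['default-src'] || [];
  if (scriptSources.some((s) => /^'unsafe-(inline|eval)'$/i.test(s)))
    findings.push('content-security-policy: scripts may use unsafe-inline/unsafe-eval');
  return findings;
}

// Constructed sample headers, mixed case on purpose.
const sampleHeaders = {
  'Content-Security-Policy': "default-src 'self'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
};
console.log(auditSecurityHeaders(sampleHeaders)); // no findings for this sample
```

A header that was disabled by setting its option to false shows up as a finding, which makes each such exception visible and easy to review.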