The latest articles on DEV Community by Matt Rosenlund (@mrosenlund). https://dev.to/mrosenlund https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3889726%2Fff9e701d-4ed6-423d-b0a1-73e577a1bee1.png https://dev.to/mrosenlund en Matt Rosenlund Tue, 21 Apr 2026 06:15:57 +0000 https://dev.to/mrosenlund/introducing-hapi-aegis-helmet-style-security-headers-for-hapijs-5g2k https://dev.to/mrosenlund/introducing-hapi-aegis-helmet-style-security-headers-for-hapijs-5g2k <p>If you build APIs or apps with <strong>hapi</strong>, you've probably googled some variation of "hapi security headers" and landed on a mix of:</p> <ul> <li> <code>server.ext('onPreResponse', ...)</code> snippets that set headers manually</li> <li> <a href="https://github.com/nlf/blankie" rel="noopener noreferrer">blankie</a> for CSP</li> <li>README gists for HSTS, frameguard, referrer-policy, and the rest</li> <li>Silent hope that nothing's been missed</li> </ul> <p>Express has <a href="https://helmetjs.github.io" rel="noopener noreferrer">Helmet</a>. One <code>app.use(helmet())</code> and you get a sensible stack of security headers. Hapi has never had a direct equivalent — until now.</p> <h2> Meet hapi-aegis </h2> <p><strong><a href="https://www.npmjs.com/package/hapi-aegis" rel="noopener noreferrer">hapi-aegis</a></strong> is a single plugin that applies sensible security-header defaults to every response your hapi server sends — including Boom error responses. It's Helmet, rebuilt natively for hapi.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">Hapi</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@hapi/hapi</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">Aegis</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">hapi-aegis</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">Hapi</span><span class="p">.</span><span class="nf">server</span><span class="p">({</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3000</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">server</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">Aegis</span><span class="p">);</span> <span class="c1">// That's it — every response now has a solid security-header baseline.</span> </code></pre> </div> <p><code>curl -I</code> the server and you'll see:</p> <ul> <li><code>Content-Security-Policy</code></li> <li> <code>Strict-Transport-Security</code> (HSTS)</li> <li><code>X-Frame-Options</code></li> <li><code>X-Content-Type-Options: nosniff</code></li> <li><code>Referrer-Policy</code></li> <li> <code>Cross-Origin-Embedder-Policy</code>, <code>-Opener-Policy</code>, <code>-Resource-Policy</code> </li> <li><code>X-DNS-Prefetch-Control</code></li> <li><code>Origin-Agent-Cluster</code></li> <li><code>X-Permitted-Cross-Domain-Policies</code></li> <li> <code>X-XSS-Protection: 0</code> (the safe-by-default value)</li> <li><code>X-Download-Options: noopen</code></li> <li> <code>Expect-CT</code> (deprecated but included for legacy)</li> <li> <code>X-Powered-By</code> and <code>Server</code> removed</li> </ul> <p>15 middlewares total, each configurable or disableable independently.</p> <h2> Configuring what you need </h2> <p>Each middleware takes an options object. Here's HSTS with preload, a strict CSP, and the legacy XSS filter turned off entirely:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">await</span> <span class="nx">server</span><span class="p">.</span><span class="nf">register</span><span class="p">({</span> <span class="na">plugin</span><span class="p">:</span> <span class="nx">Aegis</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="na">hsts</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">63072000</span><span class="p">,</span> <span class="c1">// 2 years</span> <span class="na">includeSubDomains</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">preload</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">contentSecurityPolicy</span><span class="p">:</span> <span class="p">{</span> <span class="na">useDefaults</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">directives</span><span class="p">:</span> <span class="p">{</span> <span class="na">defaultSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">],</span> <span class="na">scriptSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">],</span> <span class="na">styleSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">],</span> <span class="na">imgSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">],</span> <span class="na">connectSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">],</span> <span class="na">objectSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'none'</span><span class="dl">"</span><span class="p">]</span> <span class="p">}</span> <span class="p">},</span> <span class="na">xssFilter</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h2> Route-level overrides </h2> <p>If one endpoint needs different policy — a JSON-only API route with no CSP, or a public embed that allows framing — configure it on the route, not globally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">server</span><span class="p">.</span><span class="nf">route</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/api/data</span><span class="dl">'</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">{</span> <span class="na">aegis</span><span class="p">:</span> <span class="p">{</span> <span class="na">contentSecurityPolicy</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// skip CSP for this route</span> <span class="na">frameguard</span><span class="p">:</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">deny</span><span class="dl">'</span> <span class="p">}</span> <span class="c1">// but harden framing</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">});</span> </code></pre> </div> <p>Route config is merged with server-level config; route wins per-middleware.</p> <h2> Boom errors get headers too </h2> <p>A subtle-but-important thing: if your app throws a Boom error (<code>Boom.unauthorized()</code>, <code>Boom.badRequest()</code>, etc.), the response that goes out is assembled by hapi's Boom handler, not your route's <code>handler</code>. A naive <code>onPreResponse</code> extension that only checks <code>response.header()</code> will silently skip error responses — your 401s and 500s ship without security headers.</p> <p>hapi-aegis detects Boom responses (<code>response.isBoom</code>) and writes headers onto <code>response.output.headers</code>. A 400 gets the same CSP as a 200.</p> <h2> Works alongside existing hapi security plugins </h2> <p>If you already use something more specialized for a particular header, hapi-aegis is happy to step out of the way. For CSP specifically, <strong><a href="https://github.com/nlf/blankie" rel="noopener noreferrer">blankie</a></strong> has features hapi-aegis doesn't — per-request nonce generation and dynamic per-request policy support. If you need those, use blankie for CSP and disable aegis's CSP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">await</span> <span class="nx">server</span><span class="p">.</span><span class="nf">register</span><span class="p">({</span> <span class="na">plugin</span><span class="p">:</span> <span class="nx">Aegis</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="na">contentSecurityPolicy</span><span class="p">:</span> <span class="kc">false</span> <span class="c1">// let blankie handle CSP</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>hapi-aegis still manages the other 14 headers.</p> <h2> TypeScript support </h2> <p>Full type definitions for the plugin and every middleware's options ship in the package (<code>index.d.ts</code>). No separate <code>@types</code> install.</p> <h2> Install </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>hapi-aegis </code></pre> </div> <ul> <li> <strong>npm</strong>: <a href="https://www.npmjs.com/package/hapi-aegis" rel="noopener noreferrer">https://www.npmjs.com/package/hapi-aegis</a> </li> <li> <strong>GitHub</strong>: <a href="https://github.com/mrosenlund/hapi-aegis" rel="noopener noreferrer">https://github.com/mrosenlund/hapi-aegis</a> </li> <li> <strong>Docs</strong>: full API reference, CSP deep-dive, and comparison tables in the README.</li> </ul> <p>Feedback, issues, and PRs welcome. If you find a sensible security header I missed, open an issue — there are already a few on the roadmap (Permissions-Policy, Report-To, per-request CSP nonces).</p> <p>Thanks for reading.</p> hapi node security webdev