Security Plugins
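import Fastify from 'fastify';
import cors from '@fastify/cors';
import rateLimit from '@fastify/rate-limit';
import helmet from '@fastify/helmet';
import csrfProtection from '@fastify/csrf-protection';

// Top-level `await` is only legal in an ES module, so the plugins are imported
// rather than require()d (mixing the two is a SyntaxError under CommonJS). In a
// CommonJS file, put the registrations in an `async function buildApp()`.
const app = Fastify({
  logger: true,
  // Which upstream proxies to trust when deriving request.ip from
  // X-Forwarded-For. Set it to the proxy's address/CIDR or hop count
  // (e.g. '10.0.0.0/8' or 1) when the app sits behind one; leave it false
  // when clients connect directly. `true` trusts any client-supplied header
  // and should not be used in production.
  trustProxy: false,
});

// CORS: an explicit origin allow-list. `credentials: true` must never be
// paired with a wildcard origin (browsers reject that combination anyway).
await app.register(cors, {
  origin: ['https://yourdomain.com'],
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true,
  maxAge: 86400,
});

// Rate limiting. The bucket key is request.ip, NOT the raw X-Forwarded-For
// header: that header is attacker-controlled, so keying on it lets a client
// pick a fresh bucket on every request and bypass the limit entirely (and a
// multi-hop chain would have made the whole comma-separated list the key).
// With `trustProxy` configured above, Fastify already resolves the client
// address into request.ip from the trusted part of the chain.
// The default store is in-process memory; a multi-instance deployment needs
// a shared store (see the plugin's `redis` option) for the limit to hold.
await app.register(rateLimit, {
  max: 100,
  timeWindow: '1 minute',
  keyGenerator: (request) => request.ip,
  errorResponseBuilder: (request, context) => ({
    statusCode: 429,
    error: 'Too Many Requests',
    message: `Rate limit exceeded. Retry after ${context.after}`,
    retryAfter: context.after,
  }),
});

// Helmet (security headers). 'unsafe-inline' is deliberately absent from
// script-src: allowing it removes most of the XSS protection CSP provides.
// If inline scripts are unavoidable, serve them with a per-request nonce or
// a hash instead of re-adding 'unsafe-inline'.
await app.register(helmet, {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
    },
  },
});

// CSRF protection. The plugin keeps its secret in a cookie, so a cookie
// plugin (@fastify/cookie, or a session plugin) must be registered before
// this line. `secure` keeps the cookie off plain-HTTP connections; relax it
// only for local http:// development.
await app.register(csrfProtection, {
  cookieOpts: {
    sameSite: 'strict',
    httpOnly: true,
    secure: true,
  },
});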
Environment Configuration
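const app = Fastify({
  logger: {
    // `||` rather than `??` on purpose: an empty LOG_LEVEL should fall back
    // to 'info' instead of being passed through as ''.
    level: process.env.LOG_LEVEL || 'info',
  },
});

// Returns the names in `required` that are unset or empty in `env`.
// An empty string counts as missing: an empty JWT_SECRET would otherwise be
// accepted and every token would verify against ''.
function missingEnvVars(required, env = process.env) {
  return required.filter((key) => !env[key]);
}

// Validate required env vars before starting — all of them at once, so an
// operator fixes one deployment rather than one variable per restart.
// NOTE(review): consider also rejecting a JWT_SECRET shorter than 32 bytes;
// an HMAC secret shorter than the hash output is brute-forceable.
const required = ['JWT_SECRET', 'DATABASE_URL'];
const missing = missingEnvVars(required);
if (missing.length > 0) {
  // The original template used `\${key}`, which prints the literal text
  // "${key}" instead of the variable name; interpolate for real.
  // `fatal` is the level pino documents for exit-worthy conditions and is
  // flushed before an asynchronous destination would be, so the line is
  // not lost to process.exit.
  app.log.fatal({ missing }, `Missing required env vars: ${missing.join(', ')}`);
  process.exit(1);
}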