This review focuses on secure implementation patterns when using the Fastify web framework in TypeScript:

Prevent Prototype Pollution Attacks: Avoid direct property access on untrusted objects. Instead, use Object.prototype methods to safely access object properties:

// Vulnerable approach
fastify.get('/route', (req, reply) => {
  console.log(req.params.hasOwnProperty('name')); // Potential prototype pollution vulnerability
  return { hello: req.params.name };
});

// Secure approach
fastify.get('/route', (req, reply) => {
  console.log(Object.prototype.hasOwnProperty.call(req.params, 'name')); // Safe property access
  return { hello: req.params.name };
}); 

Protect Against Denial-of-Service Attacks: Configure appropriate request timeouts, especially when deploying Fastify without a reverse proxy:

const fastify = Fastify({
  requestTimeout: 120000 // Set a non-zero timeout (e.g., 120 seconds)
});

These security measures help mitigate common web application vulnerabilities when using the Fastify framework.

Add Repository

Private Repository