fastify-security
Install: claude install-skill hlsitechio/claude-skills-security
# Fastify Security Audit
Audit Fastify HTTP servers. Fastify's schema-first design provides strong defaults if used correctly.
## When this skill applies
- Reviewing Fastify route definitions and schemas
- Auditing plugin chain and encapsulation
- Reviewing hooks (onRequest, preHandler, preValidation, onResponse)
- Checking security plugin configuration
## Workflow
Follow `../_shared/audit-workflow.md`. Companion: `nodejs-express-security` for cross-cutting Node concerns.
### Phase 1: Stack detection
```bash
grep -E '"fastify":|"@fastify/' package.json
```
### Phase 2: Inventory
```bash
# Route definitions
grep -rnE 'fastify\.(get|post|put|delete|patch|register)' src/ | head -50
# Schemas
grep -rnE 'schema:\s*\{' src/ | head -20
# Hooks (ERE so that "\(" is a literal parenthesis; in BRE "\(" opens a group and grep errors out)
grep -rnE '\.addHook\(|preHandler:|preValidation:|onRequest:' src/
# Security plugins
grep -nE '@fastify/(helmet|cors|rate-limit|jwt|cookie|session|multipart|csrf-protection)' package.json
```
### Phase 3: Detection — the checks
#### Schema validation
Fastify validates inputs against JSON Schema on every request — if you provide one.
- **FST-SCH-1** Every route has a schema for `body`, `params`, `querystring`. Missing schema = no validation.
- **FST-SCH-2** Schema uses strict types and ranges:
```ts
fastify.post('/users', {
  schema: {
    body: {
      type: 'object',
      required: ['email', 'password'],
      additionalProperties: false, // ← strips/rejects extras
      properties: {
        emai