The Simple, Secure Framework
Developers Trust
Build
powerful,
scalable applications, with
minimal overhead and full
out-of-the-box functionality -
your code, your way
Get started with hapi
Originally developed to handle Walmart’s
Black Friday scale,
hapi continues to be the proven choice for enterprise-grade backend needs.
hapi continues to be the proven choice for enterprise-grade backend needs.
"At Brave, developing web services with hapi allows
us to focus on the many problems to be solved, not on the details of
the tool being used. hapi provides the right set of core APIs and
extensible plugins to support the requirements of a modern service
- session management, security, connectivity, and testing."
Creator of JavaScript & CEO, Brave
Trusted for Simplicity, Security, and Satisfaction
83% of developers* are concerned with the security of open-source code.
You’re probably among that 83%.
* npm Inc. 2019 Trends in JavaScript report
You’ve got nothing to worry about with hapi.
When you
npm install @hapi/hapi, every single line of code you get has been verified. You
never have to worry about some deep dependency being poorly maintained (or handed over to
someone sketchy). hapi is the only leading node framework without any external code dependencies.
None.
How do we keep hapi secure?
- End-to-end Code Hygiene — hapi requires the most secure settings to manage, control, and distribute code, including 2FA for all contributors.
- Secure Defaults, Updated Regularly — every hapi component comes with the most secure defaults out-of-the-box. Along with protecting server load with payload limits and request timeouts, hapi blocks error messages that could leak information or echo back exploits.
- Integrated Authorization and Authentication Architecture — the most comprehensive authorization and authentication API available in a Node framework.
- Advanced Features — with encrypted and signed cookies, secret or key rotation, and HTTP security headers, there are no excuses for building insecure applications.
- Reliable, Predictable Ownership – when something goes wrong, you know who to contact. Security updates are handled under a strict, well-defined protocol.
- Rich ecosystem – hapi’s extensive set of official plugins means no more blindly trusting some middleware you found for critical functionality just because it has a high count on npm.
- In-house Security Expertise – created by Eran Hammer, the author of the OAuth specifications and other identity protocols.
"We love hapi’s clear structure. In particular, its plugin
system and request lifecycle - they make it easy for us to separate cross-cutting
concerns from our API business logic. It allows us to add features and fix bugs
at a fast pace. The hapi ecosystem provides a consistent and secure building
block to develop HTTP services at scale."
Director of Engineering, Auth0
Recognized for Industry Leading Quality Standards
hapi has been
pushing the envelope on quality from day one. It was the first node framework to
require and achieve 100% code coverage across every dependency – when everyone thought it was
crazy.
When quality and performance are in conflict, most frameworks choose wrongly and sacrifice
quality for performance.
It might save them a millisecond, but it will cost you days. hapi always
chooses readability. Machines keep getting faster and cheaper. Humans only get slower and more
expensive.
On practically every measurable quality metric,
hapi scores at the very top:
- Code Readability — if you cannot open the source code of your framework and understand how it works, sooner or later you are going to be in trouble.
- Coverage and Style — 100% code coverage using strict coverage rules and a coding style optimized to reduce bugs and increase comprehension – always end-to-end.
- Open Issues — hapi and its official plugins are actively kept with only a handful of open issues or pull requests. Few other ecosystems can claim this low level of outstanding issues end-to-end across every single dependency.
“With a well-planned interface
and selection of patterns, hapi has allowed
us to get started on business logic on day one
of each new project, knowing that we have a solid,
yet extendable code base with great test coverage
to build off of.”
Beats Music
Relied on for Friction-Free Development and Intuitive Internals
The question we care most about is,
“Are you happy?”
hapi is developer-first — so you can spend your brainpower on the places that matter.
Every hapi feature is designed to make the platform
easier and more intuitive to use. That means
there’s no need to hack things together, experiment to see what *might* work, or try to figure out
hidden internals.
There is no “magic” – the code does what you expect with easy to follow internal
logic.
hapi's a
clean and easy-to-learn interface doesn’t take up too much space. It is designed for a small
surface area, allowing you to build your applications as you see fit,
using your style and the
technologies of your choosing.
And hapi users certainly are. In survey after survey, hapi scores at the very top for developer
satisfaction.
"hapi allows us to develop loosely coupled capabilities
in a distributed development environment. It is easy to test and has
excellent documentation. hapi is the enterprise grade foundation that
drives our next generation web applications."
Director of Engineering, Vrbo
Keeps Large Distributed Teams on the Same Page
hapi was designed from the group-up to
support large, distributed, and remote teams – allowing
them to effectively work together on common code. No more toe stepping.
Say goodbye to middleware hell
hapi was the first node framework (and in some ways, still the only) to provide
strong guarantees .
The order in which parallel or unrelated components are configured should never produce
unexpected results.
- Plugin dependencies — plugins can safely rely on other plugins, including the order in which they must be execute, no matter the order in which you register them.
- Extension priorities — request lifecycle extensions can specify their relative order so future extensions won’t disrupt the existing balance.
- Namespace protection — caches, plugins, decorators, and server methods are all protected and cannot be implicitly overridden.
- Zero routing conflicts — paths will never conflict, and will always result in the same priority order — no matter what order they’re added in.
"hapi's extensive plugin system allows us to quickly build,
extend, and compose brand-specific features on top of its rock-solid architecture.
It has become our secret weapon for powerful API services."
Principal Engineer, Condé Nast
Provides True Extensibility and Customization,
Safely and Predictably
hapi comes pretty loaded out-of-the-box, but it also has the most
mature and complete set of
extension points at every step — including
authentication,
authorization, and
validation.
Middleware is just another name for bad design.
hapi doesn’t use middleware, because it’s a bad pattern. Instead of a generic, one-size-fits-all
approach taken by almost every other framework, hapi provides a rich, laser-focused extensibility
model that puts
security and predictability first.
Make it Yours.
hapi has always led the way with tools to make the server yours. It was the first to introduce these
(often imitated but poorly executed) features:
- Framework plugins — a truly composable way of breaking your application into logical components with a super-thin abstraction layer.
- Request lifecycle — the exact order in which “stuff happens,” allowing you to choose the specific spot to extend or modify how your application operates.
- Server methods — reusable, cacheable functions accessible throughout the application.
- API Decorations — user-defined API that lives, safely, side-by-side the official API.
Plus, everything is properly namespaced, which makes extensions safe and easy to use. You’ll never
have to worry about your application failing in production because of a runtime conflict between
two extensions or plugins. Everything is validated in load-time so you can easily identify conflicts
during development.