@anomira/node-sdk 0.2.3 → 0.2.5

package/dist/index.d.cts

@@ -148,11 +148,17 @@ declare const EventName: {
     readonly SQL_ERROR: "db.sql.error";
     readonly FIREWALL_BLOCK: "http.firewall.block";
     readonly FIREWALL_FLAG: "http.firewall.flag";
+    readonly FIREWALL_RATE_LIMIT: "http.firewall.rate_limit";
+    readonly FIREWALL_REDIRECT_HONEYPOT: "http.firewall.redirect_honeypot";
+    readonly FIREWALL_TAG: "http.firewall.tag";
+    readonly FIREWALL_MONITOR: "http.firewall.monitor";
+    readonly FIREWALL_CHALLENGE: "http.firewall.challenge";
+    readonly FIREWALL_TEMP_BLOCK: "http.firewall.temporary_block";
 };
 type EventNameValue = typeof EventName[keyof typeof EventName];
 type FirewallField = "url" | "body" | "header" | "user_agent" | "ip";
 type FirewallOperator = "contains" | "equals" | "starts_with" | "ends_with" | "regex";
-type FirewallAction = "block" | "flag";
+type FirewallAction = "block" | "flag" | "rate_limit" | "challenge" | "redirect_honeypot" | "tag" | "monitor" | "temporary_block";
 interface EndpointDeclaration {
     /** HTTP method, e.g. "GET".  Use "*" to match any method. */
     method: string;
@@ -169,6 +175,8 @@ interface FirewallRule {
     value: string;
     action: FirewallAction;
     attackType: string;
+    redirectTarget?: string | null;
+    tempBlockMins?: number | null;
 }
 
 /**
@@ -228,13 +236,33 @@ declare class AnomiraClient {
     private readonly _origWarn;
     private readonly _origError;
     constructor(config: AnomiraConfig);
+    /**
+     * Extract the real client IP from a request object, reading forwarded headers
+     * in the correct priority order (Cloudflare → XFF → X-Real-IP → socket).
+     *
+     * Use this instead of `req.ip` when tracking events manually. `req.ip` in
+     * Express without `trust proxy` set returns the proxy's address (127.0.0.1
+     * behind Nginx), which breaks geo-detection and IP blocking.
+     *
+     * ```ts
+     * // ✅ Correct — reads X-Forwarded-For / CF-Connecting-IP automatically
+     * sentinel.track(EventName.OTP_FAILED, {
+     *   ip:     sentinel.getClientIp(req),
+     *   userId: req.body.phone,
+     *   meta:   { endpoint: "/api/verify-otp" },
+     * });
+     *
+     * // ❌ Wrong behind a proxy — req.ip is 127.0.0.1 without trust proxy configured
+     * sentinel.track(EventName.OTP_FAILED, { ip: req.ip, ... });
+     * ```
+     */
+    getClientIp(req: unknown): string;
     /**
      * Track a custom security event.
      *
      * ```ts
-     * // Track a failed OTP attempt
      * sentinel.track(EventName.OTP_FAILED, {
-     *   ip:     req.ip,
+     *   ip:     sentinel.getClientIp(req),   // use getClientIp, not req.ip
      *   userId: req.body.phone,
      *   meta:   { endpoint: "/api/verify-otp", attempts: 3 },
      * });

package/dist/index.d.ts

@@ -148,11 +148,17 @@ declare const EventName: {
     readonly SQL_ERROR: "db.sql.error";
     readonly FIREWALL_BLOCK: "http.firewall.block";
     readonly FIREWALL_FLAG: "http.firewall.flag";
+    readonly FIREWALL_RATE_LIMIT: "http.firewall.rate_limit";
+    readonly FIREWALL_REDIRECT_HONEYPOT: "http.firewall.redirect_honeypot";
+    readonly FIREWALL_TAG: "http.firewall.tag";
+    readonly FIREWALL_MONITOR: "http.firewall.monitor";
+    readonly FIREWALL_CHALLENGE: "http.firewall.challenge";
+    readonly FIREWALL_TEMP_BLOCK: "http.firewall.temporary_block";
 };
 type EventNameValue = typeof EventName[keyof typeof EventName];
 type FirewallField = "url" | "body" | "header" | "user_agent" | "ip";
 type FirewallOperator = "contains" | "equals" | "starts_with" | "ends_with" | "regex";
-type FirewallAction = "block" | "flag";
+type FirewallAction = "block" | "flag" | "rate_limit" | "challenge" | "redirect_honeypot" | "tag" | "monitor" | "temporary_block";
 interface EndpointDeclaration {
     /** HTTP method, e.g. "GET".  Use "*" to match any method. */
     method: string;
@@ -169,6 +175,8 @@ interface FirewallRule {
     value: string;
     action: FirewallAction;
     attackType: string;
+    redirectTarget?: string | null;
+    tempBlockMins?: number | null;
 }
 
 /**
@@ -228,13 +236,33 @@ declare class AnomiraClient {
     private readonly _origWarn;
     private readonly _origError;
     constructor(config: AnomiraConfig);
+    /**
+     * Extract the real client IP from a request object, reading forwarded headers
+     * in the correct priority order (Cloudflare → XFF → X-Real-IP → socket).
+     *
+     * Use this instead of `req.ip` when tracking events manually. `req.ip` in
+     * Express without `trust proxy` set returns the proxy's address (127.0.0.1
+     * behind Nginx), which breaks geo-detection and IP blocking.
+     *
+     * ```ts
+     * // ✅ Correct — reads X-Forwarded-For / CF-Connecting-IP automatically
+     * sentinel.track(EventName.OTP_FAILED, {
+     *   ip:     sentinel.getClientIp(req),
+     *   userId: req.body.phone,
+     *   meta:   { endpoint: "/api/verify-otp" },
+     * });
+     *
+     * // ❌ Wrong behind a proxy — req.ip is 127.0.0.1 without trust proxy configured
+     * sentinel.track(EventName.OTP_FAILED, { ip: req.ip, ... });
+     * ```
+     */
+    getClientIp(req: unknown): string;
     /**
      * Track a custom security event.
      *
      * ```ts
-     * // Track a failed OTP attempt
      * sentinel.track(EventName.OTP_FAILED, {
-     *   ip:     req.ip,
+     *   ip:     sentinel.getClientIp(req),   // use getClientIp, not req.ip
      *   userId: req.body.phone,
      *   meta:   { endpoint: "/api/verify-otp", attempts: 3 },
      * });

package/dist/index.js

@@ -400,7 +400,13 @@ var EventName = {
   SQL_ERROR: "db.sql.error",
   // Firewall (emitted when a custom request filtering rule fires)
   FIREWALL_BLOCK: "http.firewall.block",
-  FIREWALL_FLAG: "http.firewall.flag"
+  FIREWALL_FLAG: "http.firewall.flag",
+  FIREWALL_RATE_LIMIT: "http.firewall.rate_limit",
+  FIREWALL_REDIRECT_HONEYPOT: "http.firewall.redirect_honeypot",
+  FIREWALL_TAG: "http.firewall.tag",
+  FIREWALL_MONITOR: "http.firewall.monitor",
+  FIREWALL_CHALLENGE: "http.firewall.challenge",
+  FIREWALL_TEMP_BLOCK: "http.firewall.temporary_block"
 };
 
 // src/agent-detection.ts
@@ -517,6 +523,9 @@ var KNOWN_BOT_UA = [
   [/^Ruby$/i, "Ruby"]
 ];
 var AXIOS_ACCEPT = "application/json, text/plain, */*";
+function isBrowserUa(ua) {
+  return /Mozilla\/5\.0/.test(ua) && /(?:Chrome|Firefox|Safari|OPR|Edg(?:e|HTML)?|Trident)\/[\d.]+/.test(ua);
+}
 function computeBrowserFingerprint(headers, ua) {
   const signals = [];
   let score = 0;
@@ -533,10 +542,15 @@ function computeBrowserFingerprint(headers, ua) {
   }
   const accept = str(headers["accept"]);
   if (!isDefiniteBot && accept === AXIOS_ACCEPT) {
-    isDefiniteBot = true;
-    knownClient = "axios";
-    score = 100;
-    signals.push("known_accept:axios");
+    if (!isBrowserUa(ua)) {
+      isDefiniteBot = true;
+      knownClient = "axios";
+      score = 100;
+      signals.push("known_accept:axios");
+    } else {
+      score += 15;
+      signals.push("browser_axios_accept");
+    }
   }
   if (isDefiniteBot) return { score, signals, isDefiniteBot, knownClient };
   const hasSecFetchSite = "sec-fetch-site" in headers;
@@ -1143,6 +1157,108 @@ var DEFAULT_INGEST_URL = "https://ingest.anomira.io/v1/events";
 var DEFAULT_BATCH_SIZE = 100;
 var DEFAULT_FLUSH_MS = 5e3;
 var DEFAULT_MAX_RETRIES = 3;
+var SENSITIVE_FIELDS = {
+  identity: [
+    "first_name",
+    "last_name",
+    "full_name",
+    "name",
+    "bvn",
+    "nin",
+    "ssn",
+    "national_id",
+    "tin",
+    "passport",
+    "passport_number",
+    "drivers_license",
+    "license_number",
+    "voter_id",
+    "dob",
+    "date_of_birth",
+    "birth_date",
+    "birthdate",
+    "gender",
+    "marital_status",
+    "nationality"
+  ],
+  contact: [
+    "email",
+    "phone",
+    "phone_number",
+    "mobile",
+    "mobile_number",
+    "address",
+    "street",
+    "city",
+    "state",
+    "postal_code",
+    "zip"
+  ],
+  financial: [
+    "card_number",
+    "credit_card",
+    "debit_card",
+    "cvv",
+    "account_number",
+    "bank_account",
+    "routing_number",
+    "sort_code",
+    "iban",
+    "swift",
+    "wallet_id"
+  ],
+  authentication: [
+    "password",
+    "pin",
+    "otp",
+    "secret",
+    "private_key",
+    "api_key",
+    "access_token",
+    "refresh_token",
+    "jwt",
+    "bearer_token",
+    "security_answer",
+    "mother_maiden_name"
+  ],
+  biometric: [
+    "fingerprint",
+    "face_id",
+    "iris",
+    "voiceprint",
+    "biometric"
+  ],
+  health: [
+    "medical_record",
+    "diagnosis",
+    "blood_group",
+    "insurance_id"
+  ],
+  fintech: [
+    "kyc_id",
+    "customer_id",
+    "beneficiary_account",
+    "transaction_pin",
+    "wallet_balance",
+    "bank_verification_number",
+    "virtual_account",
+    "monnify_account",
+    "paystack_customer",
+    "flutterwave_customer"
+  ]
+};
+var FIELD_CATEGORY_MAP = /* @__PURE__ */ new Map();
+for (const [cat, fields] of Object.entries(SENSITIVE_FIELDS)) {
+  for (const f of fields) FIELD_CATEGORY_MAP.set(f, cat);
+}
+var VALUE_PATTERNS = [
+  { name: "email", category: "contact", re: /^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$/ },
+  { name: "bvn_nin", category: "identity", re: /^\d{11}$/ },
+  { name: "card_number", category: "financial", re: /^\d{13,19}$/ },
+  { name: "phone_ng", category: "contact", re: /^(?:\+234|0)[789][01]\d{8}$/ },
+  { name: "jwt", category: "authentication", re: /^eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\./ },
+  { name: "iban", category: "financial", re: /^[A-Z]{2}\d{2}[A-Z0-9]{4,30}$/ }
+];
 var AnomiraClient = class {
   constructor(config) {
     this.logBuffer = [];
@@ -1475,13 +1591,35 @@ var AnomiraClient = class {
     }
   }
   // ─── Public API ────────────────────────────────────────────────────────────
+  /**
+   * Extract the real client IP from a request object, reading forwarded headers
+   * in the correct priority order (Cloudflare → XFF → X-Real-IP → socket).
+   *
+   * Use this instead of `req.ip` when tracking events manually. `req.ip` in
+   * Express without `trust proxy` set returns the proxy's address (127.0.0.1
+   * behind Nginx), which breaks geo-detection and IP blocking.
+   *
+   * ```ts
+   * // ✅ Correct — reads X-Forwarded-For / CF-Connecting-IP automatically
+   * sentinel.track(EventName.OTP_FAILED, {
+   *   ip:     sentinel.getClientIp(req),
+   *   userId: req.body.phone,
+   *   meta:   { endpoint: "/api/verify-otp" },
+   * });
+   *
+   * // ❌ Wrong behind a proxy — req.ip is 127.0.0.1 without trust proxy configured
+   * sentinel.track(EventName.OTP_FAILED, { ip: req.ip, ... });
+   * ```
+   */
+  getClientIp(req) {
+    return this.config.getIp(req);
+  }
   /**
    * Track a custom security event.
    *
    * ```ts
-   * // Track a failed OTP attempt
    * sentinel.track(EventName.OTP_FAILED, {
-   *   ip:     req.ip,
+   *   ip:     sentinel.getClientIp(req),   // use getClientIp, not req.ip
    *   userId: req.body.phone,
    *   meta:   { endpoint: "/api/verify-otp", attempts: 3 },
    * });
@@ -1554,6 +1692,11 @@ var AnomiraClient = class {
     if (this.disabled) return;
     const ctx = requestContext.getStore();
     const resolvedIp = data.ip && data.ip !== "0.0.0.0" && data.ip !== "" ? data.ip : ctx?.ip ?? "0.0.0.0";
+    if (this.config.debug && data.ip && isPrivateIp2(data.ip)) {
+      this._origWarn(
+        `[Anomira] Warning: track() received a private/loopback IP "${data.ip}" for event "${eventName}". Behind a reverse proxy, req.ip is the proxy's address \u2014 use sentinel.getClientIp(req) instead.`
+      );
+    }
     const resolvedMeta = ctx?.endpoint && !data.meta?.["endpoint"] ? { endpoint: ctx.endpoint, method: ctx.method, ...data.meta } : data.meta;
     const event = {
       name: eventName,
@@ -1794,6 +1937,9 @@ function normalizeIp(raw) {
   if (raw.startsWith("::ffff:")) return raw.slice(7);
   return raw;
 }
+function isPrivateIp2(ip) {
+  return ip === "127.0.0.1" || ip === "::1" || ip === "0.0.0.0" || ip.startsWith("10.") || ip.startsWith("192.168.") || /^172\.(1[6-9]|2\d|3[01])\./.test(ip);
+}
 function defaultGetIp(req) {
   const r = req;
   const fwd = r["headers"];
@@ -1894,6 +2040,27 @@ function createExpressMiddleware(client) {
     const fingerprint = computeBrowserFingerprint(headers ?? {}, ua);
     const h2settings = extractHttp2Settings(req);
     const upstreamTls = extractUpstreamTls(headers ?? {});
+    const cookieHeader = headers?.["cookie"];
+    const cookieToken = cookieHeader ? cookieHeader.split(";").map((c) => c.trim()).find((c) => c.startsWith("anomira_fp="))?.slice("anomira_fp=".length) ?? "" : "";
+    const browserFpRaw = cookieToken || headers?.["x-anomira-fp"] || "";
+    let browserFp = null;
+    if (browserFpRaw) {
+      try {
+        const raw = JSON.parse(Buffer.from(browserFpRaw, "base64").toString("utf8"));
+        if (typeof raw["v"] === "number" && typeof raw["fp"] === "string") {
+          browserFp = {
+            fp: raw["fp"],
+            bot: raw["bot"] ?? 0,
+            sigs: (raw["sigs"] ?? []).join(","),
+            uid: typeof raw["uid"] === "string" && raw["uid"] ? raw["uid"] : void 0,
+            pst: raw["frm"]?.pst,
+            ttf: raw["frm"]?.ttf,
+            tts: raw["frm"]?.tts
+          };
+        }
+      } catch {
+      }
+    }
     if (client["canaryTokenCache"] && client["canaryTokenCache"].size > 0) {
       const authHeader = (typeof headers?.["authorization"] === "string" ? headers["authorization"] : "") ?? "";
       if (authHeader.startsWith("Bearer ")) {
@@ -1988,11 +2155,39 @@ function createExpressMiddleware(client) {
         userId,
         meta: { url, method, ruleId: fwMatch.rule.id, attackType: fwMatch.rule.attackType }
       });
-      if (fwMatch.rule.action === "block") {
-        const res_ = res;
-        if (typeof res_["status"] === "function") res_["status"](403);
-        else res_["statusCode"] = 403;
-        if (typeof res_["end"] === "function") res_["end"]('{"error":"Blocked by firewall rule"}');
+      const res_ = res;
+      const setStatus = (code) => {
+        if (typeof res_["status"] === "function") res_["status"](code);
+        else res_["statusCode"] = code;
+      };
+      const sendBody = (body) => {
+        if (typeof res_["end"] === "function") res_["end"](body);
+      };
+      const setHeader = (k, v) => {
+        if (typeof res_["setHeader"] === "function") res_["setHeader"](k, v);
+      };
+      const action = fwMatch.rule.action;
+      if (action === "block" || action === "temporary_block") {
+        setStatus(403);
+        sendBody('{"error":"Blocked by firewall rule"}');
+        return;
+      }
+      if (action === "rate_limit") {
+        setStatus(429);
+        setHeader("Retry-After", "60");
+        sendBody('{"error":"Rate limit exceeded","retryAfter":60}');
+        return;
+      }
+      if (action === "redirect_honeypot") {
+        const target = fwMatch.rule.redirectTarget ?? "/.env";
+        setStatus(302);
+        setHeader("Location", target);
+        sendBody("");
+        return;
+      }
+      if (action === "challenge") {
+        setStatus(403);
+        sendBody('{"error":"Request challenge required"}');
         return;
       }
     }
@@ -2006,7 +2201,7 @@ function createExpressMiddleware(client) {
       }
     }
     const onFinish = () => {
-      const lateUserId = client.config.getUserId(req);
+      const lateUserId = client.config.getUserId(req) || browserFp?.uid || "";
       if (!userIdWarnFired && userIdCheckCount < 20) {
         userIdCheckCount++;
         if (!lateUserId) userIdMissCount++;
@@ -2021,6 +2216,30 @@ function createExpressMiddleware(client) {
       const latencyMs = Date.now() - startMs;
       const getHeader = res["getHeader"];
       const bytes = typeof getHeader === "function" ? parseInt(getHeader.call(res, "content-length") ?? "0", 10) || 0 : 0;
+      const rawBody = req["body"];
+      const piiFields = [];
+      const piiPatterns = [];
+      const piiCatSet = /* @__PURE__ */ new Set();
+      if (rawBody != null && typeof rawBody === "object" && !Array.isArray(rawBody)) {
+        const body = rawBody;
+        for (const key of Object.keys(body)) {
+          const cat = FIELD_CATEGORY_MAP.get(key.toLowerCase());
+          if (cat) {
+            piiFields.push(key.toLowerCase());
+            piiCatSet.add(cat);
+          }
+        }
+        for (const val of Object.values(body)) {
+          if (typeof val !== "string" || val.length > 200) continue;
+          for (const { name, category, re } of VALUE_PATTERNS) {
+            if (!piiPatterns.includes(name) && re.test(val)) {
+              piiPatterns.push(name);
+              piiCatSet.add(category);
+            }
+          }
+        }
+      }
+      const piiCategories = piiCatSet.size > 0 ? [...piiCatSet] : void 0;
       client.track(EventName.REQUEST, {
         ip,
         userId: lateUserId,
@@ -2031,9 +2250,20 @@ function createExpressMiddleware(client) {
           latencyMs,
           userAgent: ua,
           bytes,
+          ...piiFields.length > 0 ? { piiFields } : {},
+          ...piiPatterns.length > 0 ? { piiPatterns } : {},
+          ...piiCategories ? { piiCategories } : {},
           _fp: fingerprint.score,
           _fpSig: fingerprint.signals.join(","),
           ...fingerprint.knownClient ? { _fpClient: fingerprint.knownClient } : {},
+          ...browserFp ? {
+            _bfp: browserFp.fp,
+            _bbot: browserFp.bot,
+            _bsigs: browserFp.sigs,
+            ...browserFp.pst !== void 0 ? { _bpaste: browserFp.pst } : {},
+            ...browserFp.ttf !== void 0 && browserFp.ttf >= 0 ? { _bttf: browserFp.ttf } : {},
+            ...browserFp.tts !== void 0 && browserFp.tts >= 0 ? { _btts: browserFp.tts } : {}
+          } : {},
           ...h2settings ? {
             _h2Window: h2settings.initialWindowSize,
             _h2HdrTable: h2settings.headerTableSize,
@@ -2161,14 +2391,32 @@ function createFastifyPlugin(client) {
           userId,
           meta: { url, method, ruleId: fwMatch.rule.id, attackType: fwMatch.rule.attackType }
         });
-        if (fwMatch.rule.action === "block") {
-          const rep = reply;
-          if (typeof rep["code"] === "function") {
-            const chained = rep["code"](403);
-            if (chained && typeof chained["send"] === "function") {
-              chained["send"]({ error: "Blocked by firewall rule" });
-            }
-          }
+        const rep = reply;
+        const replyCode = (code) => typeof rep["code"] === "function" ? rep["code"](code) : rep;
+        const replyHeader = (k, v) => {
+          if (typeof rep["header"] === "function") rep["header"](k, v);
+        };
+        const replySend = (chained, body) => {
+          if (chained && typeof chained["send"] === "function") chained["send"](body);
+        };
+        const action = fwMatch.rule.action;
+        if (action === "block" || action === "temporary_block") {
+          replySend(replyCode(403), { error: "Blocked by firewall rule" });
+          return;
+        }
+        if (action === "rate_limit") {
+          replyHeader("Retry-After", "60");
+          replySend(replyCode(429), { error: "Rate limit exceeded", retryAfter: 60 });
+          return;
+        }
+        if (action === "redirect_honeypot") {
+          const target = fwMatch.rule.redirectTarget ?? "/.env";
+          replyHeader("Location", target);
+          replySend(replyCode(302), "");
+          return;
+        }
+        if (action === "challenge") {
+          replySend(replyCode(403), { error: "Request challenge required" });
           return;
         }
       }
@@ -2183,11 +2431,11 @@ function createFastifyPlugin(client) {
       const ip = client.config.getIp(req);
       const url = req["url"] ?? "/";
       const method = req["method"]?.toUpperCase() ?? "GET";
-      const userId = client.config.getUserId(req);
+      const serverUserId = client.config.getUserId(req);
       const status = reply["statusCode"] ?? 0;
       if (!userIdWarnFired && userIdCheckCount < 20) {
         userIdCheckCount++;
-        if (!userId) userIdMissCount++;
+        if (!serverUserId) userIdMissCount++;
         if (userIdCheckCount === 20 && userIdMissCount >= 18) {
           userIdWarnFired = true;
           console.warn(
@@ -2202,6 +2450,28 @@ function createFastifyPlugin(client) {
       const fingerprint = computeBrowserFingerprint(headers ?? {}, ua);
       const h2settings = extractHttp2Settings(req);
       const upstreamTls = extractUpstreamTls(headers ?? {});
+      const cookieHdrF = headers?.["cookie"];
+      const cookieTokF = cookieHdrF ? cookieHdrF.split(";").map((c) => c.trim()).find((c) => c.startsWith("anomira_fp="))?.slice("anomira_fp=".length) ?? "" : "";
+      const bfpRawF = cookieTokF || headers?.["x-anomira-fp"] || "";
+      let browserFpF = null;
+      if (bfpRawF) {
+        try {
+          const raw = JSON.parse(Buffer.from(bfpRawF, "base64").toString("utf8"));
+          if (typeof raw["v"] === "number" && typeof raw["fp"] === "string") {
+            browserFpF = {
+              fp: raw["fp"],
+              bot: raw["bot"] ?? 0,
+              sigs: (raw["sigs"] ?? []).join(","),
+              uid: typeof raw["uid"] === "string" && raw["uid"] ? raw["uid"] : void 0,
+              pst: raw["frm"]?.pst,
+              ttf: raw["frm"]?.ttf,
+              tts: raw["frm"]?.tts
+            };
+          }
+        } catch {
+        }
+      }
+      const userId = serverUserId || browserFpF?.uid || "";
       client.track(EventName.REQUEST, {
         ip,
         userId,
@@ -2215,6 +2485,14 @@ function createFastifyPlugin(client) {
           _fp: fingerprint.score,
           _fpSig: fingerprint.signals.join(","),
           ...fingerprint.knownClient ? { _fpClient: fingerprint.knownClient } : {},
+          ...browserFpF ? {
+            _bfp: browserFpF.fp,
+            _bbot: browserFpF.bot,
+            _bsigs: browserFpF.sigs,
+            ...browserFpF.pst !== void 0 ? { _bpaste: browserFpF.pst } : {},
+            ...browserFpF.ttf !== void 0 && browserFpF.ttf >= 0 ? { _bttf: browserFpF.ttf } : {},
+            ...browserFpF.tts !== void 0 && browserFpF.tts >= 0 ? { _btts: browserFpF.tts } : {}
+          } : {},
           ...h2settings ? {
             _h2Window: h2settings.initialWindowSize,
             _h2HdrTable: h2settings.headerTableSize,