npm - @arcis/node - Versions diffs - 1.2.0 → 1.4.0 - Mend

@arcis/node 1.2.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (122) hide show

package/dist/core/{index.d.mts → constants.d.ts} +21 -70
package/dist/core/constants.d.ts.map +1 -0
package/dist/core/errors.d.ts +53 -0
package/dist/core/errors.d.ts.map +1 -0
package/dist/core/index.d.ts +6 -168
package/dist/core/index.d.ts.map +1 -0
package/dist/{types-CsOFHoD9.d.mts → core/types.d.ts} +38 -31
package/dist/core/types.d.ts.map +1 -0
package/dist/index.d.ts +71 -166
package/dist/index.d.ts.map +1 -0
package/dist/index.js +151 -4
package/dist/index.js.map +1 -1
package/dist/index.mjs +145 -5
package/dist/index.mjs.map +1 -1
package/dist/logging/index.d.ts +4 -36
package/dist/logging/index.d.ts.map +1 -0
package/dist/logging/{index.d.mts → redactor.d.ts} +5 -9
package/dist/logging/redactor.d.ts.map +1 -0
package/dist/middleware/bot-detection.d.ts +86 -0
package/dist/middleware/bot-detection.d.ts.map +1 -0
package/dist/middleware/cookies.d.ts +48 -0
package/dist/middleware/cookies.d.ts.map +1 -0
package/dist/middleware/cors.d.ts +65 -0
package/dist/middleware/cors.d.ts.map +1 -0
package/dist/middleware/csrf.d.ts +109 -0
package/dist/middleware/csrf.d.ts.map +1 -0
package/dist/middleware/error-handler.d.ts +43 -0
package/dist/middleware/error-handler.d.ts.map +1 -0
package/dist/middleware/headers.d.ts +29 -0
package/dist/middleware/headers.d.ts.map +1 -0
package/dist/middleware/hpp.d.ts +56 -0
package/dist/middleware/hpp.d.ts.map +1 -0
package/dist/middleware/index.d.ts +16 -3
package/dist/middleware/index.d.ts.map +1 -0
package/dist/middleware/index.js +28 -3
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +28 -3
package/dist/middleware/index.mjs.map +1 -1
package/dist/middleware/main.d.ts +40 -0
package/dist/middleware/main.d.ts.map +1 -0
package/dist/middleware/rate-limit-sliding.d.ts +46 -0
package/dist/middleware/rate-limit-sliding.d.ts.map +1 -0
package/dist/middleware/rate-limit-token.d.ts +51 -0
package/dist/middleware/rate-limit-token.d.ts.map +1 -0
package/dist/middleware/rate-limit.d.ts +34 -0
package/dist/middleware/rate-limit.d.ts.map +1 -0
package/dist/sanitizers/command.d.ts +28 -0
package/dist/sanitizers/command.d.ts.map +1 -0
package/dist/sanitizers/encode.d.ts +46 -0
package/dist/sanitizers/encode.d.ts.map +1 -0
package/dist/sanitizers/headers.d.ts +46 -0
package/dist/sanitizers/headers.d.ts.map +1 -0
package/dist/sanitizers/index.d.ts +17 -22
package/dist/sanitizers/index.d.ts.map +1 -0
package/dist/sanitizers/index.js +72 -0
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +68 -1
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/sanitizers/jsonp.d.ts +34 -0
package/dist/sanitizers/jsonp.d.ts.map +1 -0
package/dist/sanitizers/nosql.d.ts +31 -0
package/dist/sanitizers/nosql.d.ts.map +1 -0
package/dist/sanitizers/path.d.ts +28 -0
package/dist/sanitizers/path.d.ts.map +1 -0
package/dist/sanitizers/pii.d.ts +80 -0
package/dist/sanitizers/pii.d.ts.map +1 -0
package/dist/sanitizers/prototype.d.ts +34 -0
package/dist/sanitizers/prototype.d.ts.map +1 -0
package/dist/sanitizers/sanitize.d.ts +51 -0
package/dist/sanitizers/sanitize.d.ts.map +1 -0
package/dist/sanitizers/sql.d.ts +28 -0
package/dist/sanitizers/sql.d.ts.map +1 -0
package/dist/sanitizers/ssti.d.ts +20 -0
package/dist/sanitizers/ssti.d.ts.map +1 -0
package/dist/sanitizers/utils.d.ts +19 -0
package/dist/sanitizers/utils.d.ts.map +1 -0
package/dist/sanitizers/xss.d.ts +35 -0
package/dist/sanitizers/xss.d.ts.map +1 -0
package/dist/sanitizers/xxe.d.ts +20 -0
package/dist/sanitizers/xxe.d.ts.map +1 -0
package/dist/stores/index.d.ts +6 -104
package/dist/stores/index.d.ts.map +1 -0
package/dist/stores/memory.d.ts +35 -0
package/dist/stores/memory.d.ts.map +1 -0
package/dist/stores/{index.d.mts → redis.d.ts} +6 -45
package/dist/stores/redis.d.ts.map +1 -0
package/dist/utils/duration.d.ts +34 -0
package/dist/utils/duration.d.ts.map +1 -0
package/dist/utils/fingerprint.d.ts +64 -0
package/dist/utils/fingerprint.d.ts.map +1 -0
package/dist/utils/index.d.ts +10 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +188 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/index.mjs +182 -0
package/dist/utils/index.mjs.map +1 -0
package/dist/utils/ip.d.ts +70 -0
package/dist/utils/ip.d.ts.map +1 -0
package/dist/validation/email.d.ts +82 -0
package/dist/validation/email.d.ts.map +1 -0
package/dist/validation/file.d.ts +90 -0
package/dist/validation/file.d.ts.map +1 -0
package/dist/validation/index.d.ts +10 -3
package/dist/validation/index.d.ts.map +1 -0
package/dist/validation/redirect.d.ts +64 -0
package/dist/validation/redirect.d.ts.map +1 -0
package/dist/validation/schema.d.ts +36 -0
package/dist/validation/schema.d.ts.map +1 -0
package/dist/validation/url.d.ts +65 -0
package/dist/validation/url.d.ts.map +1 -0
package/package.json +8 -6
package/dist/index-A-m-pPeW.d.mts +0 -340
package/dist/index-CgK94hY_.d.mts +0 -532
package/dist/index-Co5kPRZz.d.ts +0 -340
package/dist/index-D_bdJcF0.d.ts +0 -532
package/dist/index.d.mts +0 -175
package/dist/middleware/index.d.mts +0 -3
package/dist/pii-CXcHMlnX.d.mts +0 -438
package/dist/pii-DhNpl7M3.d.ts +0 -438
package/dist/sanitizers/index.d.mts +0 -24
package/dist/types-CsOFHoD9.d.ts +0 -269
package/dist/validation/index.d.mts +0 -3

package/dist/index.d.ts CHANGED Viewed

@@ -1,175 +1,80 @@
-export { B as BotCategory, a as BotDetectionResult, b as BotProtectionOptions, C as CorsOptions, c as CsrfOptions, S as SecureCookieOptions, d as SlidingWindowMiddleware, e as SlidingWindowOptions, T as TokenBucketMiddleware, f as TokenBucketOptions, g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from './index-D_bdJcF0.js';
-export { P as PiiMatch, F as PiiRedactOptions, G as PiiScanOptions, H as PiiType, c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectJsonpInjection, e as detectNoSqlInjection, f as detectPathTraversal, g as detectPii, h as detectPrototypePollution, i as detectSql, j as detectSsti, k as detectXss, l as detectXxe, o as isDangerousNoSqlKey, p as isDangerousProtoKey, r as redactObjectPii, q as redactPii, s as sanitizeCommand, t as sanitizeHeaderValue, u as sanitizeHeaders, v as sanitizeJsonpCallback, w as sanitizeObject, x as sanitizePath, y as sanitizeSql, z as sanitizeSsti, A as sanitizeString, B as sanitizeXss, C as sanitizeXxe, D as scanObjectPii, E as scanPii } from './pii-DhNpl7M3.js';
-export { E as EmailValidationOptions, a as EmailValidationResult, F as FileInput, V as ValidateFileOptions, b as ValidateFileResult, c as ValidateRedirectOptions, d as ValidateRedirectResult, e as ValidateUrlOptions, f as ValidateUrlResult, g as createValidator, i as isDangerousExtension, h as isRedirectSafe, j as isUrlSafe, k as isValidEmailSyntax, s as sanitizeFilename, v as validate, l as validateEmail, m as validateFile, n as validateRedirect, o as validateUrl, p as verifyEmailMx } from './index-Co5kPRZz.js';
-import { IncomingMessage } from 'http';
-export { createRedactor, createSafeLogger, safeLog } from './logging/index.js';
-export { MemoryStore, RedisClientLike, RedisStore, RedisStoreOptions, createRedisStore } from './stores/index.js';
-export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from './types-CsOFHoD9.js';
-export { ArcisError, ArcisValidationError, BLOCKED, ERRORS, HEADERS, INPUT, InputTooLargeError, RATE_LIMIT, REDACTION, RateLimitError, SanitizationError, SecurityThreatError, VALIDATION } from './core/index.js';
-import 'express';
 /**
- * @module @arcis/node/utils/duration
- * Parse human-readable duration strings into milliseconds.
+ * Arcis - One-line security for Node.js apps
+ * A cross-platform security library
  *
- * Supports: ms, s, m, h, d
+ * @module @arcis/node
+ * @version 1.0.0
  *
  * @example
- * parseDuration('5m')    // 300000
- * parseDuration('2h')    // 7200000
- * parseDuration(60000)   // 60000 (passthrough)
- * parseDuration('500ms') // 500
- */
-/**
- * Parse a duration string or number into milliseconds.
- *
- * @param value - Duration string (e.g. "5m", "2h", "30s") or number (ms)
- * @returns Duration in milliseconds
- * @throws {Error} If the value is not a valid duration
- *
- * @example
- * parseDuration('15m')   // 900000
- * parseDuration('1d')    // 86400000
- * parseDuration('500ms') // 500
- * parseDuration(60000)   // 60000
- */
-declare function parseDuration(value: string | number): number;
-/**
- * Format milliseconds into a human-readable duration string.
- *
- * @param ms - Duration in milliseconds
- * @returns Human-readable string (e.g. "5m", "2h 30m")
- */
-declare function formatDuration(ms: number): string;
-/**
- * @module @arcis/node/utils/ip
- * Platform-aware client IP detection.
- *
- * Prevents IP spoofing by reading platform-specific headers
- * instead of blindly trusting X-Forwarded-For.
- *
- * @example
- * // Auto-detect platform from environment
- * const ip = detectClientIp(req);
- *
- * // Explicit platform
- * const ip = detectClientIp(req, { platform: 'cloudflare' });
- */
-type Platform = 'auto' | 'cloudflare' | 'vercel' | 'flyio' | 'render' | 'firebase' | 'aws-alb' | 'generic';
-interface DetectIpOptions {
-    /** Platform to use for header selection. Default: 'auto' */
-    platform?: Platform;
-    /** Number of trusted proxies (for X-Forwarded-For parsing). Default: 1 */
-    trustedProxyCount?: number;
-}
-interface RequestLike$1 {
-    headers: Record<string, string | string[] | undefined>;
-    socket?: {
-        remoteAddress?: string;
-    };
-    connection?: {
-        remoteAddress?: string;
-    };
-    ip?: string;
-}
-/**
- * Detect the real client IP address from a request.
- *
- * Uses platform-specific headers when available to prevent IP spoofing.
- * Falls back to X-Forwarded-For (parsed from the right) and then
- * the socket remote address.
- *
- * @param req - HTTP request object (Express, raw http, etc.)
- * @param options - Detection options
- * @returns Client IP address, or 'unknown' if unresolvable
- *
- * @example
- * // Auto-detect platform
- * app.use((req, res, next) => {
- *   const clientIp = detectClientIp(req);
- *   console.log('Client IP:', clientIp);
- *   next();
- * });
- *
- * @example
- * // Behind Cloudflare
- * const ip = detectClientIp(req, { platform: 'cloudflare' });
- *
- * @example
- * // Behind 2 proxies (e.g. CDN + load balancer)
- * const ip = detectClientIp(req, { trustedProxyCount: 2 });
- */
-declare function detectClientIp(req: RequestLike$1 | IncomingMessage, options?: DetectIpOptions): string;
-/**
- * Check if an IP address is a private/internal address.
- *
- * Detects: loopback, private ranges (RFC 1918), link-local, IPv6 equivalents.
- */
-declare function isPrivateIp(ip: string): boolean;
-/**
- * @module @arcis/node/utils/fingerprint
- * Deterministic request fingerprinting via SHA-256.
- *
- * Generates a stable hash from request characteristics for
- * rate limiting keys, abuse detection, and analytics.
- *
- * @example
- * const fp = await fingerprint(req);
- * // "a3f2b8c1d4e5..."
- */
-interface FingerprintOptions {
-    /** Include IP address in fingerprint. Default: true */
-    ip?: boolean;
-    /** Include User-Agent header. Default: true */
-    userAgent?: boolean;
-    /** Include Accept header. Default: true */
-    accept?: boolean;
-    /** Include Accept-Language header. Default: true */
-    acceptLanguage?: boolean;
-    /** Include Accept-Encoding header. Default: true */
-    acceptEncoding?: boolean;
-    /** Additional custom components to include */
-    custom?: string[];
-    /** IP detection options */
-    ipOptions?: DetectIpOptions;
-}
-interface RequestLike {
-    headers: Record<string, string | string[] | undefined>;
-    socket?: {
-        remoteAddress?: string;
-    };
-    connection?: {
-        remoteAddress?: string;
-    };
-    ip?: string;
-}
-/**
- * Generate a deterministic fingerprint for a request.
- *
- * Creates a SHA-256 hash from configurable request components.
- * The fingerprint is stable across requests from the same client
- * (same IP, browser, language settings).
- *
- * @param req - HTTP request object
- * @param options - Fingerprint configuration
- * @returns Hex-encoded SHA-256 hash (64 characters)
- *
- * @example
- * // Default fingerprint (IP + UA + Accept headers)
- * const fp = fingerprint(req);
+ * // Full protection (recommended)
+ * import { arcis } from '@arcis/node';
+ * app.use(arcis());
  *
  * @example
- * // IP-only fingerprint (for simple rate limiting)
- * const fp = fingerprint(req, { userAgent: false, accept: false, acceptLanguage: false, acceptEncoding: false });
+ * // Granular control
+ * app.use(arcis.headers());
+ * app.use(arcis.rateLimit({ max: 100, windowMs: 60000 }));
+ * app.use(arcis.sanitize());
  *
  * @example
- * // With custom components
- * const fp = fingerprint(req, { custom: [req.body?.userId] });
+ * // With validation
+ * app.post('/users', arcis.validate({
+ *   email: { type: 'email', required: true },
+ *   age: { type: 'number', min: 0, max: 150 }
+ * }), handler);
  */
-declare function fingerprint(req: RequestLike, options?: FingerprintOptions): string;
-export { type DetectIpOptions, type FingerprintOptions, type Platform, detectClientIp, fingerprint, formatDuration, isPrivateIp, parseDuration };
+export { arcis, arcisFunction } from './middleware/main';
+export { default } from './middleware/main';
+export { createRateLimiter, rateLimit } from './middleware/rate-limit';
+export { createSlidingWindowLimiter } from './middleware/rate-limit-sliding';
+export { createTokenBucketLimiter } from './middleware/rate-limit-token';
+export { createHeaders, securityHeaders } from './middleware/headers';
+export { errorHandler, createErrorHandler } from './middleware/error-handler';
+export { safeCors, createCors } from './middleware/cors';
+export { secureCookieDefaults, createSecureCookies, enforceSecureCookie } from './middleware/cookies';
+export { botProtection, detectBot } from './middleware/bot-detection';
+export { csrfProtection, createCsrf, generateCsrfToken, validateCsrfToken } from './middleware/csrf';
+export { hpp, createHpp } from './middleware/hpp';
+export { sanitizeString, sanitizeObject, createSanitizer, } from './sanitizers/sanitize';
+export { sanitizeXss, detectXss } from './sanitizers/xss';
+export { sanitizeSql, detectSql } from './sanitizers/sql';
+export { sanitizePath, detectPathTraversal } from './sanitizers/path';
+export { sanitizeCommand, detectCommandInjection } from './sanitizers/command';
+export { sanitizeSsti, detectSsti } from './sanitizers/ssti';
+export { sanitizeXxe, detectXxe } from './sanitizers/xxe';
+export { sanitizeJsonpCallback, detectJsonpInjection } from './sanitizers/jsonp';
+export { isDangerousNoSqlKey, detectNoSqlInjection } from './sanitizers/nosql';
+export { isDangerousProtoKey, detectPrototypePollution } from './sanitizers/prototype';
+export { sanitizeHeaderValue, sanitizeHeaders, detectHeaderInjection } from './sanitizers/headers';
+export { scanPii, detectPii, redactPii, scanObjectPii, redactObjectPii } from './sanitizers/pii';
+export { encodeForHtml, encodeForAttribute, encodeForJs, encodeForUrl, encodeForCss } from './sanitizers/encode';
+export { validate, createValidator } from './validation/schema';
+export { validateUrl, isUrlSafe } from './validation/url';
+export { validateRedirect, isRedirectSafe } from './validation/redirect';
+export { validateFile, sanitizeFilename, isDangerousExtension } from './validation/file';
+export { validateEmail, verifyEmailMx, isValidEmailSyntax } from './validation/email';
+export { parseDuration, formatDuration } from './utils/duration';
+export { detectClientIp, isPrivateIp } from './utils/ip';
+export { fingerprint } from './utils/fingerprint';
+export { createSafeLogger, createRedactor, safeLog } from './logging/redactor';
+export { MemoryStore } from './stores/memory';
+export { RedisStore, createRedisStore } from './stores/redis';
+export type { ArcisOptions, ArcisFunction, ArcisMiddleware, SanitizeOptions, SanitizeResult, ThreatInfo, ThreatType, RateLimitOptions, RateLimitStore, RateLimitEntry, RateLimitResult, RateLimiterMiddleware, HeaderOptions, HstsOptions, ValidationConfig, ValidationSchema, FieldValidator, ValidationResult, ValidationError, LogOptions, SafeLogger, ErrorHandlerOptions, HttpError, } from './core/types';
+export type { ValidateUrlOptions, ValidateUrlResult } from './validation/url';
+export type { CorsOptions } from './middleware/cors';
+export type { SecureCookieOptions } from './middleware/cookies';
+export type { ValidateFileOptions, FileInput, ValidateFileResult } from './validation/file';
+export type { ValidateRedirectOptions, ValidateRedirectResult } from './validation/redirect';
+export type { RedisClientLike, RedisStoreOptions } from './stores/redis';
+export type { Platform, DetectIpOptions } from './utils/ip';
+export type { FingerprintOptions } from './utils/fingerprint';
+export type { EmailValidationOptions, EmailValidationResult } from './validation/email';
+export type { SlidingWindowOptions, SlidingWindowMiddleware } from './middleware/rate-limit-sliding';
+export type { TokenBucketOptions, TokenBucketMiddleware } from './middleware/rate-limit-token';
+export type { BotCategory, BotDetectionResult, BotProtectionOptions } from './middleware/bot-detection';
+export type { CsrfOptions } from './middleware/csrf';
+export type { HppOptions } from './middleware/hpp';
+export type { PiiType, PiiMatch, PiiScanOptions, PiiRedactOptions } from './sanitizers/pii';
+export { ArcisError, ArcisValidationError, RateLimitError, InputTooLargeError, SecurityThreatError, SanitizationError, } from './core/errors';
+export { INPUT, RATE_LIMIT, HEADERS, REDACTION, VALIDATION, ERRORS, BLOCKED, } from './core/constants';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAKH,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAK5C,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AACtG,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACrG,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAKlD,OAAO,EACL,cAAc,EACd,cAAc,EACd,eAAe,GAChB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAC/E,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/E,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AACvF,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AACnG,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACjG,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAKjH,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACzE,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzF,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAKtF,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAKlD,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAK/E,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAK9D,YAAY,EAEV,YAAY,EACZ,aAAa,EACb,eAAe,EAEf,eAAe,EACf,cAAc,EACd,UAAU,EACV,UAAU,EAEV,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EAErB,aAAa,EACb,WAAW,EAEX,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,eAAe,EAEf,UAAU,EACV,UAAU,EAEV,mBAAmB,EACnB,SAAS,GACV,MAAM,cAAc,CAAC;AAGtB,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC9E,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAChE,YAAY,EAAE,mBAAmB,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC5F,YAAY,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAG7F,YAAY,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAGzE,YAAY,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC5D,YAAY,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AACxF,YAAY,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AACrG,YAAY,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAC/F,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AACxG,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAK5F,OAAO,EACL,UAAU,EACV,oBAAoB,EACpB,cAAc,EACd,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,eAAe,CAAC;AAKvB,OAAO,EACL,KAAK,EACL,UAAU,EACV,OAAO,EACP,SAAS,EACT,UAAU,EACV,MAAM,EACN,OAAO,GACR,MAAM,kBAAkB,CAAC"}

package/dist/index.js CHANGED Viewed

@@ -307,7 +307,12 @@ function createHeaders(options = {}) {
     hsts = true,
     referrerPolicy = HEADERS.REFERRER_POLICY,
     permissionsPolicy = HEADERS.PERMISSIONS_POLICY,
-    cacheControl = true
+    cacheControl = true,
+    crossOriginOpenerPolicy = "same-origin",
+    crossOriginResourcePolicy = "same-origin",
+    crossOriginEmbedderPolicy = "require-corp",
+    originAgentCluster = true,
+    dnsPrefetchControl = true
   } = options;
   return (req, res, next) => {
     if (contentSecurityPolicy) {
@@ -315,7 +320,7 @@ function createHeaders(options = {}) {
       res.setHeader("Content-Security-Policy", csp);
     }
     if (xssFilter) {
-      res.setHeader("X-XSS-Protection", "1; mode=block");
+      res.setHeader("X-XSS-Protection", "0");
     }
     if (noSniff) {
       res.setHeader("X-Content-Type-Options", HEADERS.CONTENT_TYPE_OPTIONS);
@@ -342,6 +347,21 @@ function createHeaders(options = {}) {
     if (permissionsPolicy) {
       res.setHeader("Permissions-Policy", permissionsPolicy);
     }
+    if (crossOriginOpenerPolicy) {
+      res.setHeader("Cross-Origin-Opener-Policy", crossOriginOpenerPolicy);
+    }
+    if (crossOriginResourcePolicy) {
+      res.setHeader("Cross-Origin-Resource-Policy", crossOriginResourcePolicy);
+    }
+    if (crossOriginEmbedderPolicy) {
+      res.setHeader("Cross-Origin-Embedder-Policy", crossOriginEmbedderPolicy);
+    }
+    if (originAgentCluster) {
+      res.setHeader("Origin-Agent-Cluster", "?1");
+    }
+    if (dnsPrefetchControl) {
+      res.setHeader("X-DNS-Prefetch-Control", "off");
+    }
     res.setHeader("X-Permitted-Cross-Domain-Policies", "none");
     if (cacheControl) {
       const cacheControlValue = typeof cacheControl === "string" ? cacheControl : HEADERS.CACHE_CONTROL;
@@ -1249,6 +1269,73 @@ function redactObjectPii(obj, options = {}) {
   return result;
 }
+// src/sanitizers/encode.ts
+var HTML_ENTITIES = {
+  "&": "&amp;",
+  "<": "&lt;",
+  ">": "&gt;",
+  '"': "&quot;",
+  "'": "&#x27;"
+};
+var HTML_ENCODE_RE = /[&<>"']/g;
+function encodeForHtml(value) {
+  if (!value) return "";
+  return value.replace(HTML_ENCODE_RE, (ch) => HTML_ENTITIES[ch]);
+}
+function encodeForAttribute(value) {
+  if (!value) return "";
+  let result = "";
+  for (let i = 0; i < value.length; i++) {
+    const ch = value.charCodeAt(i);
+    if (ch >= 48 && ch <= 57 || // 0-9
+    ch >= 65 && ch <= 90 || // A-Z
+    ch >= 97 && ch <= 122) {
+      result += value[i];
+    } else {
+      result += `&#x${ch.toString(16).toUpperCase()};`;
+    }
+  }
+  return result;
+}
+function encodeForJs(value) {
+  if (!value) return "";
+  let result = "";
+  for (let i = 0; i < value.length; i++) {
+    const ch = value.charCodeAt(i);
+    if (ch >= 48 && ch <= 57 || // 0-9
+    ch >= 65 && ch <= 90 || // A-Z
+    ch >= 97 && ch <= 122) {
+      result += value[i];
+    } else if (ch < 256) {
+      result += `\\x${ch.toString(16).toUpperCase().padStart(2, "0")}`;
+    } else {
+      result += `\\u${ch.toString(16).toUpperCase().padStart(4, "0")}`;
+    }
+  }
+  return result;
+}
+function encodeForUrl(value) {
+  if (!value) return "";
+  return encodeURIComponent(value).replace(/[!'()*]/g, (ch) => {
+    return `%${ch.charCodeAt(0).toString(16).toUpperCase()}`;
+  });
+}
+function encodeForCss(value) {
+  if (!value) return "";
+  let result = "";
+  for (let i = 0; i < value.length; i++) {
+    const ch = value.charCodeAt(i);
+    if (ch >= 48 && ch <= 57 || // 0-9
+    ch >= 65 && ch <= 90 || // A-Z
+    ch >= 97 && ch <= 122) {
+      result += value[i];
+    } else {
+      result += `\\${ch.toString(16).toUpperCase()} `;
+    }
+  }
+  return result;
+}
 // src/validation/schema.ts
 function validate(schema, source = "body") {
   return (req, res, next) => {
@@ -2755,12 +2842,14 @@ function getRequestToken(req, headerName, fieldName) {
   return void 0;
 }
 function csrfProtection(options = {}) {
-  const cookieName = options.cookieName ?? DEFAULTS.cookieName;
+  const baseCookieName = options.cookieName ?? DEFAULTS.cookieName;
+  const cookieName = options.useHostPrefix ? `__Host-${baseCookieName}` : baseCookieName;
   const headerName = options.headerName ?? DEFAULTS.headerName;
   const fieldName = options.fieldName ?? DEFAULTS.fieldName;
   const tokenLength = options.tokenLength ?? DEFAULTS.tokenLength;
   const protectedMethods = options.protectedMethods ?? [...DEFAULTS.protectedMethods];
   const excludePaths = options.excludePaths ?? [];
+  const skipCsrf = options.skipCsrf;
   const isProduction = process.env.NODE_ENV === "production";
   const cookieOpts = {
     path: options.cookie?.path ?? "/",
@@ -2780,6 +2869,9 @@ function csrfProtection(options = {}) {
   const protectedSet = new Set(protectedMethods.map((m) => m.toUpperCase()));
   return (req, res, next) => {
     const method = req.method.toUpperCase();
+    if (skipCsrf && skipCsrf(req)) {
+      return next();
+    }
     const requestPath = req.path || req.url;
     if (excludePaths.some((p) => requestPath === p || requestPath.startsWith(p + "/"))) {
       return next();
@@ -2836,6 +2928,54 @@ function escapeRegex(str) {
 }
 var createCsrf = csrfProtection;
+// src/middleware/hpp.ts
+function hpp(options = {}) {
+  const whitelist = new Set(options.whitelist ?? []);
+  const checkQuery = options.checkQuery ?? true;
+  const checkBody = options.checkBody ?? true;
+  return (req, _res, next) => {
+    if (checkQuery && req.query && typeof req.query === "object") {
+      const polluted = {};
+      const clean = {};
+      for (const [key, value] of Object.entries(req.query)) {
+        if (Array.isArray(value)) {
+          const strings = value.filter((v) => typeof v === "string");
+          if (whitelist.has(key)) {
+            clean[key] = strings;
+          } else {
+            polluted[key] = strings;
+            clean[key] = strings[strings.length - 1] ?? "";
+          }
+        } else {
+          clean[key] = value;
+        }
+      }
+      req.queryPolluted = polluted;
+      Object.defineProperty(req, "query", { value: clean, writable: true, configurable: true });
+    }
+    if (checkBody && req.body && typeof req.body === "object" && !Array.isArray(req.body)) {
+      const polluted = {};
+      const clean = {};
+      for (const [key, value] of Object.entries(req.body)) {
+        if (Array.isArray(value)) {
+          if (whitelist.has(key)) {
+            clean[key] = value;
+          } else {
+            polluted[key] = value;
+            clean[key] = value[value.length - 1];
+          }
+        } else {
+          clean[key] = value;
+        }
+      }
+      req.bodyPolluted = polluted;
+      Object.defineProperty(req, "body", { value: clean, writable: true, configurable: true });
+    }
+    next();
+  };
+}
+var createHpp = hpp;
 // src/utils/ip.ts
 var PLATFORM_HEADERS = {
   cloudflare: "cf-connecting-ip",
@@ -2956,7 +3096,7 @@ function fingerprint(req, options = {}) {
     components.push(`enc:${getHeader2(req, "accept-encoding")}`);
   }
   for (const c of custom) {
-    if (c != null) components.push(`custom:${c}`);
+    if (c !== null && c !== void 0) components.push(`custom:${c}`);
   }
   components.sort();
   const hash = crypto.createHash("sha256");
@@ -3121,6 +3261,7 @@ exports.createCors = createCors;
 exports.createCsrf = createCsrf;
 exports.createErrorHandler = createErrorHandler;
 exports.createHeaders = createHeaders;
+exports.createHpp = createHpp;
 exports.createRateLimiter = createRateLimiter;
 exports.createRedactor = createRedactor;
 exports.createRedisStore = createRedisStore;
@@ -3145,11 +3286,17 @@ exports.detectSql = detectSql;
 exports.detectSsti = detectSsti;
 exports.detectXss = detectXss;
 exports.detectXxe = detectXxe;
+exports.encodeForAttribute = encodeForAttribute;
+exports.encodeForCss = encodeForCss;
+exports.encodeForHtml = encodeForHtml;
+exports.encodeForJs = encodeForJs;
+exports.encodeForUrl = encodeForUrl;
 exports.enforceSecureCookie = enforceSecureCookie;
 exports.errorHandler = errorHandler;
 exports.fingerprint = fingerprint;
 exports.formatDuration = formatDuration;
 exports.generateCsrfToken = generateCsrfToken;
+exports.hpp = hpp;
 exports.isDangerousExtension = isDangerousExtension;
 exports.isDangerousNoSqlKey = isDangerousNoSqlKey;
 exports.isDangerousProtoKey = isDangerousProtoKey;