@blamejs/core 0.14.19 → 0.14.21

package/lib/middleware/api-encrypt.js

@@ -289,18 +289,28 @@ function create(opts) {
   ], "middleware.apiEncrypt");
   var keypairs       = _resolveKeypairs(opts);
   var activeKeypair  = keypairs[0];
+  // replayWindowMs gates the timestamp-staleness check (Math.abs(now - ts)
+  // > replayWindowMs). A non-numeric value would make that comparison
+  // always false and SILENTLY disable the staleness defense, so a typo
+  // throws at boot rather than shipping an open replay window.
+  validateOpts.optionalPositiveFinite(opts.replayWindowMs,
+    "apiEncrypt: replayWindowMs", ApiEncryptError, "BAD_OPT");
   var replayWindowMs = opts.replayWindowMs || DEFAULT_REPLAY_WINDOW_MS;
   // Cap on decrypted-payload size handed to safeJson.parse. Defaults
   // to 4 MiB (bodyParser's default 1 MiB plus headroom for crypto +
   // base64 round-trip). Operators with chunkier inbound payloads
   // raise this; the framework refuses to parse anything larger as a
   // parse-bomb defense.
+  validateOpts.optionalPositiveInt(opts.maxDecryptedBytes,
+    "apiEncrypt: maxDecryptedBytes", ApiEncryptError, "BAD_OPT");
   var maxDecryptedBytes = opts.maxDecryptedBytes != null
     ? opts.maxDecryptedBytes
     : C.BYTES.mib(4);
   // The spec calls for a sweep cadence of replayWindowMs/2 — short
   // enough that expired nonces don't pile up but not so frequent the
   // sweep query becomes a hot path. Operators can override.
+  validateOpts.optionalPositiveFinite(opts.pruneIntervalMs,
+    "apiEncrypt: pruneIntervalMs", ApiEncryptError, "BAD_OPT");
   var pruneIntervalMs = opts.pruneIntervalMs != null
     ? opts.pruneIntervalMs : Math.max(C.TIME.seconds(30), Math.floor(replayWindowMs / 2));
   var nonceStore     = opts.nonceStore || nonceStoreLib.create({ backend: "memory" });
@@ -446,7 +456,11 @@ function create(opts) {
   // replayed responses with a monotonic counter check.
   function _encodeEnvelope(data, sessionKey, sessionCtx) {
     var ptBuf = Buffer.from(JSON.stringify(data), "utf8");
-    var ctBuf = bCrypto.encryptPacked(ptBuf, sessionKey);
+    // Response AAD binds _sid/_ctr so a captured response cannot be
+    // replayed to the client under a rewritten counter.
+    var ctBuf = bCrypto.encryptPacked(ptBuf, sessionKey,
+      _responseAad(sessionCtx ? sessionCtx.sid : undefined,
+                   sessionCtx ? sessionCtx.responseCtr : undefined));
     var encrypted = { _ct: ctBuf.toString("base64") };
     if (sessionCtx) {
       encrypted._sid = sessionCtx.sid;
@@ -527,6 +541,10 @@ function create(opts) {
 
     if (typeof ek === "string" && typeof nonce === "string") {
       // ---- Bootstrap path (per-request mode OR first request of session) ----
+      // The window-scoped claim TTL is sufficient HERE because _ts is
+      // AEAD-bound into _ct: a captured bootstrap envelope cannot have
+      // its timestamp rewritten, so past replayWindowMs the staleness
+      // gate above refuses it independently of this claim.
       var nonceHash = bCrypto.sha3Hash(nonce, "hex");
       var expireAt = now + replayWindowMs;
       var freshNonce;
@@ -553,11 +571,18 @@ function create(opts) {
           _emitFailure(req, "shape");
           return _writeRejection(res, HTTP_STATUS.BAD_REQUEST, { error: "encrypted-payload-required" });
         }
-        // Bootstrap a new session row keyed by sid.
+        // Bootstrap a new session row keyed by sid. responsesEmitted is
+        // set to 1 (this bootstrap emits one response) BEFORE the store
+        // write so a cluster store — which serialises a copy at set() time
+        // rather than holding a live reference — persists the same count
+        // the next subsequent request reads. Mutating the local object
+        // after set() would leave the stored row at 0, making the next
+        // response counter restart from 1 (a non-monotonic response _ctr
+        // that trips the client's strictly-increasing replay check).
         session = {
           sessionKey:       sessionKey,
           lastReqCtr:       ctr,
-          responsesEmitted: 0,
+          responsesEmitted: 1,
           createdAt:        now,
           lastUsedAt:       now,
           expiresAt:        now + sessionTtlMs,
@@ -574,7 +599,6 @@ function create(opts) {
           requestId: req.requestId || null,
         });
         sessionCtx = { sid: sid, responseCtr: 1 };
-        session.responsesEmitted = 1;
       }
     } else if (keying === "per-session" &&
                typeof sid === "string" && typeof ctr === "number") {
@@ -633,6 +657,47 @@ function create(opts) {
         _emitFailure(req, "counter-replay");
         return _writeRejection(res, HTTP_STATUS.BAD_REQUEST, { error: "encrypted-payload-rejected" });
       }
+      // Atomic replay gate (CWE-367). The monotonic counter check above is
+      // an ordering fast-path only: on a clustered session store, get(sid)
+      // returns a fresh deserialised copy per call, so two concurrent
+      // requests carrying the SAME valid ctr both observe the same
+      // lastReqCtr and both pass — double-execution replay. Claiming the
+      // (sid, ctr) tuple through the same atomic nonceStore the bootstrap
+      // path uses closes the window: exactly one concurrent request wins the
+      // insert; the loser is refused with the counter-replay shape. The
+      // "ctr:" prefix keeps this keyspace disjoint from the bootstrap
+      // nonceHash keyspace (a sha3 hex digest never starts with "ctr:").
+      // The claim must outlive the staleness window, not just span it:
+      // the post-handler sessionStore.set below is best-effort, so a
+      // failed write leaves lastReqCtr stale in the store, and _ts is
+      // plaintext envelope metadata (not bound into the AEAD) — were the
+      // claim to expire after replayWindowMs, the same captured
+      // (sid, ctr, _ct) could be replayed later with a fresh _ts, pass
+      // the stale monotonic check, re-claim the expired tuple, and
+      // execute twice. Claiming until session.expiresAt (the session is
+      // non-expired here, so that bound is in the future) keeps the
+      // tuple burned for as long as the session can accept requests;
+      // outstanding claims per session are bounded by
+      // sessionMaxResponses, and the memory nonce store fails closed at
+      // capacity.
+      var ctrKey = "ctr:" + sid + ":" + ctr;
+      var ctrFresh;
+      try { ctrFresh = await nonceStore.checkAndInsert(ctrKey, session.expiresAt); }
+      catch (_e) {
+        _emitFailure(req, "nonce-store-error");
+        return _writeRejection(res, HTTP_STATUS.INTERNAL_SERVER_ERROR, { error: "nonce-store-unavailable" });
+      }
+      if (!ctrFresh) {
+        _emitObs("apiEncrypt.session.replay_rejected", 1, { lane: "atomic" });
+        _emitSessionAudit("apiEncrypt.session.replay_rejected", {
+          outcome: "denied",
+          actor: requestHelpers.extractActorContext(req),
+          metadata: { sid: sid, receivedCtr: ctr, lane: "atomic" },
+          requestId: req.requestId || null,
+        });
+        _emitFailure(req, "counter-replay");
+        return _writeRejection(res, HTTP_STATUS.BAD_REQUEST, { error: "encrypted-payload-rejected" });
+      }
       sessionKey = session.sessionKey;
       if (Buffer.isBuffer(sessionKey) === false) {
         // Operator-supplied store may have JSON-serialised the buffer.
@@ -660,11 +725,15 @@ function create(opts) {
       return _writeRejection(res, HTTP_STATUS.BAD_REQUEST, { error: "encrypted-payload-required" });
     }
 
-    // Decrypt _ct → cleartext payload bytes → JSON object.
+    // Decrypt _ct → cleartext payload bytes → JSON object. The request
+    // AAD authenticates the plaintext envelope fields exactly as the
+    // client bound them — a rewritten _ts/_nonce/_sid/_ctr fails the
+    // AEAD tag here, so the staleness gate above operates on a
+    // timestamp the sender cannot forge after capture.
     var clearObj;
     try {
       var ctBuf = Buffer.from(ct, "base64");
-      var ptBuf = bCrypto.decryptPacked(ctBuf, sessionKey);
+      var ptBuf = bCrypto.decryptPacked(ctBuf, sessionKey, _requestAad(ts, nonce, sid, ctr));
       clearObj = safeJson.parse(ptBuf.toString("utf8"), { maxBytes: maxDecryptedBytes });
     } catch (_e) {
       _emitFailure(req, "tag");
@@ -740,6 +809,8 @@ function client(opts) {
       "apiEncrypt.client: pubkey.publicKey + ecPublicKey must be PEM strings", 500);
   }
   var pubkey = opts.pubkey;
+  validateOpts.optionalPositiveInt(opts.maxDecryptedBytes,
+    "apiEncrypt.client: maxDecryptedBytes", ApiEncryptError, "CLIENT_BAD_OPT");
   var maxDecryptedBytes = opts.maxDecryptedBytes != null
     ? opts.maxDecryptedBytes
     : C.BYTES.mib(4);
@@ -785,9 +856,23 @@ function client(opts) {
         "apiEncrypt.client: response counter is not strictly increasing " +
         "(got " + responseBody._ctr + ", lastSeen " + perSessionLastResCtr + ")");
     }
-    perSessionLastResCtr = responseBody._ctr;
     var resCtBuf = Buffer.from(responseBody._ct, "base64");
-    var resPtBuf = bCrypto.decryptPacked(resCtBuf, perSessionKey);
+    // Response AAD authenticates _sid/_ctr — the monotonic counter
+    // check above reads plaintext fields, so without this binding a
+    // captured response could be replayed under a bumped _ctr.
+    var resPtBuf;
+    try {
+      resPtBuf = bCrypto.decryptPacked(resCtBuf, perSessionKey,
+        _responseAad(responseBody._sid, responseBody._ctr));
+    } catch (_e) {
+      throw _err("CLIENT_RESPONSE_TAMPERED",
+        "apiEncrypt.client: response failed authenticated decryption (ciphertext or envelope metadata tampered)");
+    }
+    // Advance the counter only AFTER authenticated decryption — were it
+    // committed before, a forged high _ctr (which fails the AEAD above)
+    // would poison the monotonic check and refuse every subsequent
+    // genuine response for the rest of the session.
+    perSessionLastResCtr = responseBody._ctr;
     return safeJson.parse(resPtBuf.toString("utf8"), { maxBytes: maxDecryptedBytes });
   }
 
@@ -795,14 +880,18 @@ function client(opts) {
     if (payload === undefined) payload = null;
     if (!perSessionKey) _resetSession();
     var ts = Date.now();
-    var ptBuf = Buffer.from(JSON.stringify(payload), "utf8");
-    var ctBuf = bCrypto.encryptPacked(ptBuf, perSessionKey);
     perSessionReqCtr += 1;
+    var ptBuf = Buffer.from(JSON.stringify(payload), "utf8");
+    var ctBuf;
     var body;
     if (perSessionReqCtr === 1) {
       // Bootstrap envelope — full _ek + _nonce; server stores sid → sessionKey.
+      // The plaintext metadata is AEAD-bound so a captured envelope
+      // cannot be replayed under a rewritten _ts/_nonce/_sid/_ctr.
       var ek = bCrypto.encrypt(perSessionKey.toString("base64"), pubkey);
       var nonce = bCrypto.generateBytes(REQUEST_NONCE_BYTES).toString("hex");
+      ctBuf = bCrypto.encryptPacked(ptBuf, perSessionKey,
+        _requestAad(ts, nonce, perSessionSid, perSessionReqCtr));
       body = {
         _ek:    ek,
         _ct:    ctBuf.toString("base64"),
@@ -813,6 +902,8 @@ function client(opts) {
       };
     } else {
       // Subsequent — sid + ctr only. KEM material amortized across the session.
+      ctBuf = bCrypto.encryptPacked(ptBuf, perSessionKey,
+        _requestAad(ts, undefined, perSessionSid, perSessionReqCtr));
       body = {
         _ct:    ctBuf.toString("base64"),
         _ts:    ts,
@@ -827,10 +918,13 @@ function client(opts) {
     if (payload === undefined) payload = null;
     var sessionKey = bCrypto.generateBytes(SESSION_KEY_BYTES);
     var ek = bCrypto.encrypt(sessionKey.toString("base64"), pubkey);
-    var ptBuf = Buffer.from(JSON.stringify(payload), "utf8");
-    var ctBuf = bCrypto.encryptPacked(ptBuf, sessionKey);
     var requestNonce = bCrypto.generateBytes(REQUEST_NONCE_BYTES).toString("hex");
     var ts = Date.now();
+    var ptBuf = Buffer.from(JSON.stringify(payload), "utf8");
+    // AEAD-bind _ts/_nonce so a captured per-request envelope cannot
+    // be replayed past the staleness window with a rewritten _ts.
+    var ctBuf = bCrypto.encryptPacked(ptBuf, sessionKey,
+      _requestAad(ts, requestNonce, undefined, undefined));
     return {
       body: {
         _ek:    ek,
@@ -845,7 +939,14 @@ function client(opts) {
             "apiEncrypt.client: response missing _ct field");
         }
         var resCtBuf = Buffer.from(responseBody._ct, "base64");
-        var resPtBuf = bCrypto.decryptPacked(resCtBuf, sessionKey);
+        var resPtBuf;
+        try {
+          resPtBuf = bCrypto.decryptPacked(resCtBuf, sessionKey,
+            _responseAad(undefined, undefined));
+        } catch (_e) {
+          throw _err("CLIENT_RESPONSE_TAMPERED",
+            "apiEncrypt.client: response failed authenticated decryption (ciphertext or envelope metadata tampered)");
+        }
         return safeJson.parse(resPtBuf.toString("utf8"), { maxBytes: maxDecryptedBytes });
       },
     };
@@ -865,6 +966,30 @@ function client(opts) {
   };
 }
 
+// AEAD associated-data builders — bind the envelope's PLAINTEXT
+// metadata into the ciphertext so a captured envelope cannot be
+// replayed with rewritten fields. `_ts` drives the staleness gate,
+// `_nonce` the bootstrap replay claim, `_sid`/`_ctr` the session
+// replay gates on requests and the client's monotonic counter check
+// on responses; none are confidential, but every one is
+// integrity-critical — rode plaintext, an attacker who captured an
+// envelope could refresh `_ts` past the staleness window or replay a
+// response under a bumped `_ctr`. Both halves of the protocol
+// (middleware + client) live in this module and MUST build
+// byte-identical strings; absent fields encode as the empty string so
+// the per-request and per-session shapes stay unambiguous.
+function _requestAad(ts, nonce, sid, ctr) {
+  return "blamejs-apienc/req/1|ts=" + String(ts) +
+         "|nonce=" + (typeof nonce === "string" ? nonce : "") +
+         "|sid=" + (typeof sid === "string" ? sid : "") +
+         "|ctr=" + (typeof ctr === "number" ? String(ctr) : "");
+}
+
+function _responseAad(sid, ctr) {
+  return "blamejs-apienc/res/1|sid=" + (typeof sid === "string" ? sid : "") +
+         "|ctr=" + (typeof ctr === "number" ? String(ctr) : "");
+}
+
 // _generateUuidV4 — UUID v4 from 16 random bytes, formatted dash-separated.
 // Used for client-side session-id generation in per-session keying.
 // Slice offsets are RFC 4122 UUID hex-byte boundaries (`xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx`)
@@ -914,6 +1039,8 @@ function httpClientEncrypted(opts) {
     throw _err("CLIENT_INVALID_PUBKEY",
       "httpClient.encrypted: opts.pubkey is required (the callee's bootstrap doc)", 500);
   }
+  validateOpts.optionalPositiveInt(opts.maxDecryptedBytes,
+    "httpClient.encrypted: maxDecryptedBytes", ApiEncryptError, "CLIENT_BAD_OPT");
   var maxDecryptedBytes = opts.maxDecryptedBytes != null
     ? opts.maxDecryptedBytes
     : C.BYTES.mib(4);

package/lib/middleware/asyncapi-serve.js

@@ -173,6 +173,9 @@ function create(opts) {
       if (allowOriginHeader !== "*") headers["Vary"] = "Origin";
     }
     res.writeHead(200, headers);                                                     // HTTP 200
+    // HEAD carries the GET headers (incl. Content-Length) with no body
+    // (RFC 9110 §9.3.2).
+    if ((req.method || "GET").toUpperCase() === "HEAD") { res.end(); return; }
     res.end(body);
   }
 

package/lib/middleware/csp-report.js

@@ -135,8 +135,10 @@ function create(opts) {
       typeof opts.onReject !== "function") {
     throw new TypeError("middleware.cspReport: opts.onReject must be a function");
   }
-  var maxBytes = (typeof opts.maxBytes === "number" && isFinite(opts.maxBytes) && opts.maxBytes > 0)
-    ? opts.maxBytes : DEFAULT_MAX_BYTES;
+  validateOpts.optionalPositiveInt(opts.maxBytes, "middleware.cspReport: maxBytes");
+  var maxBytes = (opts.maxBytes === undefined || opts.maxBytes === null)
+    ? DEFAULT_MAX_BYTES : opts.maxBytes;
+  var auditOn  = opts.audit !== false;
   var onReport = (typeof opts.onReport === "function") ? opts.onReport : null;
   var onReject = (typeof opts.onReject === "function") ? opts.onReject : null;
 
@@ -176,13 +178,15 @@ function create(opts) {
     for (var i = 0; i < reports.length; i++) {
       var normalized = _normalizeOne(reports[i]);
       if (!normalized) continue;
-      try {
-        audit().safeEmit({
-          action:  "csp.violation",
-          outcome: "failure",
-          metadata: Object.assign({ type: normalized.type, url: normalized.url }, normalized.body),
-        });
-      } catch (_e) { /* audit best-effort */ }
+      if (auditOn) {
+        try {
+          audit().safeEmit({
+            action:  "csp.violation",
+            outcome: "failure",
+            metadata: Object.assign({ type: normalized.type, url: normalized.url }, normalized.body),
+          });
+        } catch (_e) { /* audit best-effort */ }
+      }
       if (onReport) {
         try { onReport(normalized); } catch (_e) { /* hook best-effort */ }
       }

package/lib/middleware/fetch-metadata.js

@@ -43,6 +43,52 @@ var observability = lazyRequire(function () { return require("../observability")
 
 var DEFAULT_METHODS = Object.freeze(["POST", "PUT", "DELETE", "PATCH"]);
 
+// Sec-Fetch-Dest request-destination vocabulary (Fetch Standard §3.2.6
+// "destination", https://fetch.spec.whatwg.org/#concept-request-destination;
+// surfaced as the Sec-Fetch-Dest header by the Fetch Metadata Request
+// Headers spec, https://www.w3.org/TR/fetch-metadata/#sec-fetch-dest-header).
+// "webidentity" (FedCM credentialed-request destination,
+// https://w3c.github.io/FedCM/) is included so an operator can recognize
+// and gate FedCM traffic first-class — a webidentity Sec-Fetch-Dest on a
+// route that is not a FedCM identity endpoint is a request worth refusing.
+var KNOWN_DESTINATIONS = Object.freeze([
+  "audio", "audioworklet", "document", "embed", "empty", "fencedframe",
+  "font", "frame", "iframe", "image", "json", "manifest", "object",
+  "paintworklet", "report", "script", "serviceworker", "sharedworker",
+  "style", "track", "video", "webidentity", "worker", "xslt",
+]);
+var KNOWN_DEST_SET = Object.create(null);
+(function () {
+  for (var i = 0; i < KNOWN_DESTINATIONS.length; i += 1) {
+    KNOWN_DEST_SET[KNOWN_DESTINATIONS[i]] = true;
+  }
+})();
+
+// Sec-Fetch-Storage-Access status values (Storage Access API,
+// https://privacycg.github.io/storage-access-headers/ — the header is
+// distinct from Sec-Fetch-Dest). The browser sends this only on cross-site
+// credentialed requests. "active" / "inactive" both indicate the embedded
+// context can (active) or could (inactive, permission granted but not yet
+// exercised) reach unpartitioned cross-site cookies; "none" carries no
+// such capability. A route that does not participate in the Storage Access
+// flow may refuse the active/inactive escalation.
+var STORAGE_ACCESS_ESCALATED = Object.freeze({ active: true, inactive: true });
+
+function _validateDestList(list, label) {
+  // Config-time tier — an unknown Sec-Fetch-Dest value in a strict
+  // allow/deny list is almost always an operator typo (e.g. "web-identity"
+  // for "webidentity"). Throw at boot per the config/entry-point tier so
+  // the typo surfaces before it silently fails to match at request time.
+  if (!Array.isArray(list)) return;
+  for (var i = 0; i < list.length; i += 1) {
+    if (!KNOWN_DEST_SET[list[i]]) {
+      throw new Error("middleware.fetchMetadata: " + label + "[" + i +
+        "] is not a known Sec-Fetch-Dest value (got '" + String(list[i]) +
+        "'). Known destinations: " + KNOWN_DESTINATIONS.join(", ") + ".");
+    }
+  }
+}
+
 function _writeReject(req, res, message, reason, onDeny, problemMode) {
   denyResponse(req, res, {
     onDeny:        onDeny,
@@ -75,17 +121,30 @@ function _writeReject(req, res, message, reason, onDeny, problemMode) {
  * the value-add; non-browser callers carry their own auth threat
  * model.
  *
+ * The Sec-Fetch-Dest vocabulary tracks the Fetch Standard request-
+ * destination list, including `webidentity` (FedCM credentialed
+ * requests). `deniedDest` refuses chosen destinations outright on the
+ * gated methods — a FedCM `webidentity` Sec-Fetch-Dest hitting a route
+ * that is not an identity endpoint is refused. `allowStorageAccess:
+ * false` refuses the Storage Access API escalation (a cross-site request
+ * carrying `Sec-Fetch-Storage-Access: active` / `inactive`) on routes
+ * that do not participate in the Storage Access flow. Both are opt-in;
+ * leaving them unset preserves the prior behavior exactly.
+ *
  * @opts
  *   {
- *     allowSameSite:   boolean,    // default true
- *     allowCrossSite:  boolean,    // default false
- *     allowMissing:    boolean,    // default true
- *     allowedDest:     string[],
- *     allowedNavigate: boolean,    // default true
- *     methods:         string[],   // default POST/PUT/DELETE/PATCH
- *     audit:           boolean,    // default true
- *     onDeny:          function(req, res, info): void,  // own the 403; info = { status, reason }
- *     problemDetails:  boolean,    // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
+ *     allowSameSite:      boolean,    // default true
+ *     allowCrossSite:     boolean,    // default false
+ *     allowMissing:       boolean,    // default true
+ *     allowedDest:        string[],   // cross-site allowlist of Sec-Fetch-Dest values
+ *     deniedDest:         string[],   // Sec-Fetch-Dest values refused on gated methods regardless of site (e.g. ["webidentity"])
+ *     allowStorageAccess: boolean,    // default true — false refuses Sec-Fetch-Storage-Access: active|inactive
+ *     strictDest:         boolean,    // default false — true throws at config time on an allowedDest/deniedDest value outside the known Sec-Fetch-Dest vocabulary
+ *     allowedNavigate:    boolean,    // default true
+ *     methods:            string[],   // default POST/PUT/DELETE/PATCH
+ *     audit:              boolean,    // default true
+ *     onDeny:             function(req, res, info): void,  // own the 403; info = { status, reason }
+ *     problemDetails:     boolean,    // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
  *   }
  *
  * @example
@@ -102,15 +161,34 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "allowSameSite", "allowCrossSite", "allowMissing",
-    "allowedDest", "allowedNavigate", "methods", "audit", "onDeny", "problemDetails",
+    "allowedDest", "deniedDest", "allowStorageAccess", "strictDest",
+    "allowedNavigate", "methods", "audit", "onDeny", "problemDetails",
   ], "middleware.fetchMetadata");
+  validateOpts.optionalBoolean(opts.allowStorageAccess, "middleware.fetchMetadata: allowStorageAccess");
+  validateOpts.optionalBoolean(opts.strictDest, "middleware.fetchMetadata: strictDest");
+  validateOpts.optionalNonEmptyStringArray(opts.deniedDest, "middleware.fetchMetadata: deniedDest");
+  if (opts.strictDest === true) {
+    _validateDestList(opts.allowedDest, "allowedDest");
+    _validateDestList(opts.deniedDest, "deniedDest");
+  }
 
   var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
   var problemMode = opts.problemDetails === true;
-  var allowSameSite   = opts.allowSameSite !== false;
-  var allowCrossSite  = opts.allowCrossSite === true;
-  var allowMissing    = opts.allowMissing !== false;
-  var allowedDest     = Array.isArray(opts.allowedDest)    ? opts.allowedDest.slice()    : null;
+  var allowSameSite      = opts.allowSameSite !== false;
+  var allowCrossSite     = opts.allowCrossSite === true;
+  var allowMissing       = opts.allowMissing !== false;
+  var allowedDest        = Array.isArray(opts.allowedDest)    ? opts.allowedDest.slice()    : null;
+  var allowStorageAccess = opts.allowStorageAccess !== false;
+  // deniedDest → a null-prototype membership map; an operator-supplied
+  // destination string is never assigned onto a plain object, so no
+  // reserved name (__proto__ / constructor / prototype) can pollute it.
+  var deniedDest = null;
+  if (Array.isArray(opts.deniedDest) && opts.deniedDest.length > 0) {
+    deniedDest = Object.create(null);
+    for (var di = 0; di < opts.deniedDest.length; di += 1) {
+      deniedDest[opts.deniedDest[di]] = true;
+    }
+  }
   var allowedNavigate = opts.allowedNavigate !== false;
   var methods         = (opts.methods || DEFAULT_METHODS).map(function (m) { return m.toUpperCase(); });
   var auditOn         = opts.audit !== false;
@@ -139,6 +217,16 @@ function create(opts) {
     var mode = headers["sec-fetch-mode"];
     var dest = headers["sec-fetch-dest"];
 
+    // Destination refusal — independent of site. A FedCM `webidentity`
+    // (or any operator-denied) Sec-Fetch-Dest on a route that is not an
+    // identity endpoint is refused outright. The membership test is exact
+    // (null-prototype map keyed on the verbatim header value), never a
+    // substring scan.
+    if (deniedDest && typeof dest === "string" && deniedDest[dest] === true) {
+      _emitDenied(req, "dest-denied (dest=" + dest + ")");
+      return _writeReject(req, res, "Request destination not allowed for this route.", "dest-not-allowed", onDeny, problemMode);
+    }
+
     if (typeof site !== "string" || site.length === 0) {
       // No Sec-Fetch-Site header — legacy browser or non-browser client.
       // Defer to other auth/CSRF layers per allowMissing.
@@ -165,6 +253,19 @@ function create(opts) {
     }
 
     // cross-site
+    // Storage Access API escalation — the browser sends
+    // Sec-Fetch-Storage-Access only on cross-site credentialed requests.
+    // active|inactive both mean the embedded context can / could reach
+    // unpartitioned cross-site cookies; refuse it on routes that do not
+    // participate in the Storage Access flow. Exact membership, never a
+    // substring scan. Checked before the allowCrossSite shortcut so the
+    // escalation is gated even when cross-site is otherwise permitted.
+    var storageAccess = headers["sec-fetch-storage-access"];
+    if (!allowStorageAccess && typeof storageAccess === "string" &&
+        STORAGE_ACCESS_ESCALATED[storageAccess] === true) {
+      _emitDenied(req, "storage-access-refused (status=" + storageAccess + ")");
+      return _writeReject(req, res, "Storage Access escalation not allowed for this route.", "storage-access-refused", onDeny, problemMode);
+    }
     if (allowCrossSite) return next();
     if (allowedDest && typeof dest === "string" && allowedDest.indexOf(dest) !== -1) {
       return next();

package/lib/middleware/openapi-serve.js

@@ -179,6 +179,9 @@ function create(opts) {
       if (allowOriginHeader !== "*") headers["Vary"] = "Origin";
     }
     res.writeHead(200, headers);                                                    // HTTP 200
+    // HEAD carries the GET headers (incl. Content-Length) with no body
+    // (RFC 9110 §9.3.2).
+    if ((req.method || "GET").toUpperCase() === "HEAD") { res.end(); return; }
     res.end(body);
   }