@blamejs/core 0.7.63 → 0.7.73

package/lib/middleware/index.js

@@ -27,14 +27,17 @@ var cors = require("./cors");
 var cspNonce = require("./csp-nonce");
 var csrfProtect = require("./csrf-protect");
 var dbRoleFor = require("./db-role-for");
+var dpop = require("./dpop");
 var errorHandler = require("./error-handler");
 var fetchMetadata = require("./fetch-metadata");
+var gpc = require("./gpc");
 var headers = require("./headers");
 var health = require("./health");
 var networkAllowlist = require("./network-allowlist");
 var rateLimit = require("./rate-limit");
 var requestId = require("./request-id");
 var requestLog = require("./request-log");
+var requireAal = require("./require-aal");
 var requireAuth = require("./require-auth");
 var securityHeaders = require("./security-headers");
 var sse = require("./sse");
@@ -48,9 +51,11 @@ module.exports = {
   rateLimit:        rateLimit.create,
   attachUser:       attachUser.create,
   bearerAuth:       bearerAuth.create,
+  requireAal:       requireAal.create,
   requireAuth:      requireAuth.create,
   csrfProtect:      csrfProtect.create,
   fetchMetadata:    fetchMetadata.create,
+  gpc:              gpc.create,
   headers:          headers.create,
   bodyParser:       bodyParser.create,
   health:           health.create,
@@ -61,6 +66,7 @@ module.exports = {
   requestLog:       requestLog.create,
   apiEncrypt:       apiEncrypt,
   dbRoleFor:        dbRoleFor.create,
+  dpop:             dpop.create,
   networkAllowlist: networkAllowlist.create,
 
   // Module exports for advanced use (constants, raw factory access)
@@ -73,6 +79,7 @@ module.exports = {
     rateLimit:        rateLimit,
     attachUser:       attachUser,
     bearerAuth:       bearerAuth,
+    requireAal:       requireAal,
     requireAuth:      requireAuth,
     csrfProtect:      csrfProtect,
     fetchMetadata:    fetchMetadata,
@@ -84,6 +91,7 @@ module.exports = {
     requestLog:       requestLog,
     apiEncrypt:       apiEncrypt,
     dbRoleFor:        dbRoleFor,
+    dpop:             dpop,
     networkAllowlist: networkAllowlist,
   },
 };

package/lib/middleware/require-aal.js

@@ -0,0 +1,107 @@
+"use strict";
+/**
+ * require-aal middleware — gate routes by NIST SP 800-63-4 AAL band.
+ *
+ *   var stepUp = b.middleware.requireAal({ minimum: "AAL2" });
+ *   router.use("/admin", stepUp);
+ *
+ * Reads the AAL band from `req.user.aal` by default. Operators with a
+ * different shape pass `getAal(req)` returning the band string.
+ *
+ * On failure the middleware writes 401 with
+ * `WWW-Authenticate: AAL-StepUp realm="<X>", required="<minimum>"`
+ * — the bespoke scheme name signals to the operator's frontend that a
+ * step-up flow should be triggered (re-prompt for TOTP / passkey).
+ *
+ * Audit:
+ *   auth.aal.granted — request passed (carries the actual band)
+ *   auth.aal.denied  — request below the required minimum
+ */
+
+var lazyRequire = require("../lazy-require");
+var requestHelpers = require("../request-helpers");
+var validateOpts = require("../validate-opts");
+var { AuthError } = require("../framework-error");
+
+var aal = lazyRequire(function () { return require("../auth/aal"); });
+var audit = lazyRequire(function () { return require("../audit"); });
+
+function _writeUnauthorized(res, requiredBand, actualBand, realm) {
+  if (res.headersSent) return;
+  var body = JSON.stringify({
+    error:             "step_up_required",
+    error_description: "AAL " + requiredBand + " is required for this resource",
+    required_aal:      requiredBand,
+    actual_aal:        actualBand || null,
+  });
+  var realmStr = realm ? ' realm="' + realm + '"' : "";
+  var challenge = "AAL-StepUp" + realmStr + ', required="' + requiredBand + '"';
+  res.writeHead(401, {                                                             // allow:raw-byte-literal — HTTP 401 status
+    "Content-Type":     "application/json; charset=utf-8",
+    "Content-Length":   Buffer.byteLength(body),
+    "WWW-Authenticate": challenge,
+  });
+  res.end(body);
+}
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "minimum", "getAal", "audit", "realm",
+  ], "middleware.requireAal");
+
+  var minimum = opts.minimum;
+  if (!aal().isValidBand(minimum)) {
+    throw new AuthError("auth-aal/bad-minimum",
+      "middleware.requireAal: opts.minimum must be one of " +
+      aal().BANDS.join(", ") + " (got " + JSON.stringify(minimum) + ")");
+  }
+  validateOpts.optionalFunction(opts.getAal,
+    "middleware.requireAal: getAal", AuthError, "auth-aal/bad-opt");
+
+  var auditOn = opts.audit !== false;
+  var realm = (typeof opts.realm === "string" && opts.realm.length > 0) ? opts.realm : null;
+
+  return function requireAalMiddleware(req, res, next) {
+    var actual = null;
+    if (typeof opts.getAal === "function") {
+      try { actual = opts.getAal(req); } catch (_e) { actual = null; }
+    } else if (req.user && typeof req.user.aal === "string") {
+      actual = req.user.aal;
+    }
+
+    if (!aal().meets(actual, minimum)) {
+      if (auditOn) {
+        try {
+          audit().safeEmit({
+            action:  "auth.aal.denied",
+            actor:   { clientIp: requestHelpers.clientIp(req), userId: req.user && req.user.id },
+            outcome: "fail",
+            metadata: {
+              required: minimum,
+              actual:   actual || null,
+              route:    req.url,
+            },
+          });
+        } catch (_ignored) { /* drop-silent */ }
+      }
+      return _writeUnauthorized(res, minimum, actual, realm);
+    }
+
+    if (auditOn) {
+      try {
+        audit().safeEmit({
+          action:  "auth.aal.granted",
+          actor:   { clientIp: requestHelpers.clientIp(req), userId: req.user && req.user.id },
+          outcome: "ok",
+          metadata: { aal: actual, required: minimum, route: req.url },
+        });
+      } catch (_ignored) { /* drop-silent */ }
+    }
+    return next();
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/middleware/security-headers.js

@@ -75,6 +75,7 @@ function create(opts) {
     "hsts", "contentTypeOptions", "frameOptions", "referrerPolicy",
     "permissionsPolicy", "coop", "coep", "corp",
     "originAgentCluster", "dnsPrefetchControl", "csp", "trustProxy",
+    "reportingEndpoints",
   ], "middleware.securityHeaders");
   var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
     ? opts.trustProxy : false;
@@ -89,6 +90,32 @@ function create(opts) {
   var oac   = opts.originAgentCluster === undefined ? "?1" : opts.originAgentCluster;
   var dpc   = opts.dnsPrefetchControl === undefined ? "off" : opts.dnsPrefetchControl;
   var csp   = opts.csp === undefined ? DEFAULT_CSP : opts.csp;
+  // Reporting-Endpoints (W3C Reporting API) — when operator passes a
+  // map of endpoint-name → URL, we emit `Reporting-Endpoints: name="url",
+  // name2="url2", ...` and (when default CSP is in force) append
+  // `report-to default` to the CSP so violations route to the named
+  // endpoint. Operators using a custom CSP add `report-to` to it
+  // themselves.
+  var reportingEndpoints = null;
+  if (opts.reportingEndpoints && typeof opts.reportingEndpoints === "object") {
+    var pairs = [];
+    var keys = Object.keys(opts.reportingEndpoints);
+    for (var i = 0; i < keys.length; i += 1) {
+      var k = keys[i];
+      var v = opts.reportingEndpoints[k];
+      if (typeof v !== "string" || v.length === 0) continue;
+      // Defensive — refuse CR/LF/NUL in either side (header injection).
+      if (/[\r\n\0]/.test(k) || /[\r\n\0]/.test(v)) continue;                   // allow:duplicate-regex — CR/LF/NUL header-injection rejection appears in cookies / mail / security-headers; each is the boundary primitive — extracting forces a shared module that hides the boundary check from each domain
+      pairs.push(k + '="' + v + '"');
+    }
+    if (pairs.length > 0) reportingEndpoints = pairs.join(", ");
+  }
+  // Auto-append `report-to default` to the default CSP when operator
+  // wires a `default` reporting endpoint and didn't override `csp`.
+  if (csp === DEFAULT_CSP && reportingEndpoints &&
+      opts.reportingEndpoints && opts.reportingEndpoints["default"]) {
+    csp = csp.replace(/;\s*$/, "") + "; report-to default;";
+  }
 
   return function securityHeaders(req, res, next) {
     if (typeof res.setHeader !== "function") return next();
@@ -109,7 +136,8 @@ function create(opts) {
     if (corp)       res.setHeader("Cross-Origin-Resource-Policy", corp);
     if (oac)        res.setHeader("Origin-Agent-Cluster", oac);
     if (dpc)        res.setHeader("X-DNS-Prefetch-Control", dpc);
-    if (csp)        res.setHeader("Content-Security-Policy", csp);
+    if (csp)                res.setHeader("Content-Security-Policy", csp);
+    if (reportingEndpoints) res.setHeader("Reporting-Endpoints", reportingEndpoints);
     next();
   };
 }

package/lib/network-dns.js

@@ -291,28 +291,44 @@ function _encodeDnsQuery(host, qtype) {
   return { buf: buf, id: id };
 }
 
+// Walk a DNS-message name in-place and advance `state.off`. RFC 1035
+// §3.1 names terminate either with a single 0x00 byte OR with a
+// 2-byte compression pointer (high two bits 11). The pre-0.7.68
+// parser unconditionally executed `if (buf[off] === 0) off++`
+// after the loop, which consumed the high byte of the next field
+// when the loop had exited via the compression pointer — silently
+// breaking every DNS response that used name compression in the
+// answer section (which is most of them).
+function _skipDnsName(buf, state) {
+  var endedViaPointer = false;
+  while (state.off < buf.length && buf[state.off] !== 0) {
+    if ((buf[state.off] & 0xc0) === 0xc0) {                                      // allow:raw-byte-literal — RFC 1035 name-compression pointer mask
+      state.off += 2;
+      endedViaPointer = true;
+      break;
+    }
+    state.off += buf[state.off] + 1;
+  }
+  if (!endedViaPointer && state.off < buf.length && buf[state.off] === 0) {
+    state.off += 1;
+  }
+}
+
 function _decodeDnsAnswer(buf, qtype) {
   if (!Buffer.isBuffer(buf) || buf.length < 12) throw new DnsError("dns/bad-reply", "dns reply truncated");
   var rcode = buf.readUInt8(3) & 0x0f;
   if (rcode !== 0) throw new DnsError("dns/no-result", "dns reply rcode " + rcode);
   var qdcount = buf.readUInt16BE(4);
   var ancount = buf.readUInt16BE(6);
-  var off = 12;
+  var state = { off: 12 };
   for (var q = 0; q < qdcount; q++) {
-    while (off < buf.length && buf[off] !== 0) {
-      if ((buf[off] & 0xc0) === 0xc0) { off += 2; break; }
-      off += buf[off] + 1;
-    }
-    if (buf[off] === 0) off++;
-    off += 4;
+    _skipDnsName(buf, state);
+    state.off += 4;
   }
   var addrs = [];
   for (var a = 0; a < ancount; a++) {
-    while (off < buf.length && buf[off] !== 0) {
-      if ((buf[off] & 0xc0) === 0xc0) { off += 2; break; }
-      off += buf[off] + 1;
-    }
-    if (buf[off] === 0) off++;
+    _skipDnsName(buf, state);
+    var off = state.off;
     var rtype  = buf.readUInt16BE(off); off += 2;
     off += 2;
     off += 4;
@@ -327,10 +343,20 @@ function _decodeDnsAnswer(buf, qtype) {
       addrs.push(groups.join(":"));
     }
     off += rdlen;
+    state.off = off;
   }
   return addrs;
 }
 
+// Read the AD bit (Authenticated Data, RFC 4035) from a DNS reply
+// header. Byte 3 holds RA, Z, AD, CD, and rcode bits; AD is bit 5
+// (mask 0x20). Set when the upstream recursive resolver has validated
+// the chain.
+function _readAdBit(buf) {
+  if (!Buffer.isBuffer(buf) || buf.length < 12) return false;
+  return (buf.readUInt8(3) & 0x20) !== 0;                                        // allow:raw-byte-literal — RFC 4035 AD-bit mask
+}
+
 // DoH GET URL length cap. RFC 8484 §4.1 says clients MAY use POST when
 // the GET URL would exceed implementation limits. We pick 2048 bytes
 // (a conservative ceiling well below RFC 7230's recommended 8 KB) so
@@ -404,6 +430,98 @@ async function _dohLookup(host, family) {
   });
 }
 
+// _dohLookupSecure — DNSSEC-aware DoH lookup. Returns `{ rrs, ad }`
+// where `ad` is the AD bit (RFC 4035) set by the upstream resolver
+// after chain validation. Internal — operators reach for
+// `resolveSecure` instead.
+async function _dohLookupSecure(host, family) {
+  var qtype = family === 6 ? 28 : 1;                                             // allow:raw-byte-literal — DNS QTYPE values for A / AAAA
+  var enc = _encodeDnsQuery(host, qtype);
+  var b64 = enc.buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  var getUrl = STATE.doh.url + (STATE.doh.url.indexOf("?") === -1 ? "?" : "&") + "dns=" + b64;
+  var forcedMethod = STATE.doh.method;
+  var usePost = forcedMethod === "POST" || (!forcedMethod && getUrl.length > DOH_GET_URL_MAX_BYTES);
+  var u = safeUrl.parse(STATE.doh.url, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS });
+  return new Promise(function (resolve, reject) {
+    var reqOpts = {
+      hostname:   u.hostname,
+      port:       u.port || 443,                                                 // allow:raw-byte-literal — HTTPS default port
+      path:       u.pathname + u.search,
+      method:     usePost ? "POST" : "GET",
+      headers:    { "accept": "application/dns-message" },
+      minVersion: "TLSv1.3",
+      ecdhCurve:  C.TLS_GROUP_CURVE_STR,
+    };
+    if (STATE.doh.ca) reqOpts.ca = STATE.doh.ca;
+    if (usePost) {
+      reqOpts.headers["content-type"]   = "application/dns-message";
+      reqOpts.headers["content-length"] = enc.buf.length;
+    } else {
+      var parsedGet = safeUrl.parse(getUrl, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS });
+      reqOpts.path = parsedGet.pathname + parsedGet.search;
+    }
+    var req = https.request(reqOpts, function (res) {
+      var collector = safeBuffer.boundedChunkCollector({
+        maxBytes:    C.BYTES.kib(256),
+        errorClass:  DnsError,
+        sizeCode:    "dns/doh-too-large",
+        sizeMessage: "DoH response exceeds 256 KiB",
+      });
+      var pushFailed = null;
+      res.on("data", function (c) {
+        if (pushFailed) return;
+        try { collector.push(c); }
+        catch (e) { pushFailed = e; }
+      });
+      res.on("end", function () {
+        try {
+          if (pushFailed) { reject(pushFailed); return; }
+          var body = collector.result();
+          if (res.statusCode !== 200) {                                          // allow:raw-byte-literal — HTTP 200 OK
+            reject(new DnsError("dns/doh-http", "DoH HTTP " + res.statusCode + " for " + host));
+            return;
+          }
+          resolve({ rrs: _decodeDnsAnswer(body, qtype), ad: _readAdBit(body) });
+        } catch (e) { reject(e); }
+      });
+    });
+    req.on("error", function (e) { reject(new DnsError("dns/doh-failed", "DoH request failed: " + e.message)); });
+    if (usePost) req.write(enc.buf);
+    req.end();
+  });
+}
+
+// resolveSecure — DNSSEC-aware resolution. Returns `{ rrs, ad }`
+// where `ad` is the AD bit (RFC 4035) set by the upstream DoH
+// resolver after chain validation, and `rrs` is the answer-record
+// list (IPv4 / IPv6 string addresses for A / AAAA queries).
+//
+// Operators wiring DANE / TLSA validation (RFC 7672 SMTP DANE)
+// require `ad === true` to honor the DANE security claim per RFC
+// 7672 §1.3 — without DNSSEC validation the TLSA records can't be
+// authenticated and the chain check is meaningless.
+//
+// Only available over DoH transport. The system resolver and DoT
+// transports don't surface the AD bit through Node's API today.
+async function resolveSecure(host, type) {
+  type = type || "A";
+  if (!STATE.doh) {
+    throw new DnsError("dns/secure-requires-doh",
+      "resolveSecure requires DoH transport (call useDnsOverHttps " +
+      "or rely on the default-on DoH posture)");
+  }
+  if (typeof host !== "string" || host.length === 0 || host.length > 253) {     // allow:raw-byte-literal — RFC 1035 hostname octet ceiling
+    throw new DnsError("dns/bad-host",
+      "resolveSecure host is malformed");
+  }
+  var family;
+  if (type === "A")    family = 4;
+  else if (type === "AAAA") family = 6;
+  else throw new DnsError("dns/secure-unsupported-type",
+    "resolveSecure currently supports A and AAAA; got " + type);
+  return _dohLookupSecure(host, family);
+}
+
 // DoT connection pool. Per-(host:port) cached TLS socket so successive
 // lookups amortize the handshake. Sockets idle past the timeout are
 // closed and removed; first lookup after expiry rebuilds. Each socket
@@ -695,6 +813,7 @@ module.exports = {
   resolve4:          resolve4,
   resolve6:          resolve6,
   resolveAaaa:       resolveAaaa,
+  resolveSecure:     resolveSecure,
   nodeLookup:        nodeLookup,
   clearCache:        _clearCache,
   DnsError:          DnsError,

package/lib/network-smtp-policy.js

@@ -42,9 +42,13 @@
  *   - Full DANE certificate-chain verification per RFC 6698 (needs
  *     ASN.1 cert parsing). Operators today verify policy presence +
  *     match the leaf SHA-256 themselves.
- *   - DNSSEC-validated DANE lookups (node:dns doesn't expose
- *     DNSSEC ad-bit; operators pin to a DNSSEC-validating resolver
- *     externally).
+ *   - DNSSEC-validated DANE lookups: the framework now exposes the
+ *     AD bit via `b.network.dns.resolveSecure(name, type) → { rrs,
+ *     ad }`. Operators wiring strict RFC 7672 §1.3 compliance pass
+ *     a DNSSEC-aware resolver via opts and refuse the chain when
+ *     ad === false. The default `tlsa()` lookup path stays on
+ *     `node:dns` for compatibility with operators on system
+ *     resolvers.
  */
 
 var dns = require("node:dns");

package/lib/router.js

@@ -626,10 +626,32 @@ class Router {
       // accept both. enableConnectProtocol: true is what enables h2
       // WebSocket (RFC 8441) — clients refuse to issue Extended CONNECT
       // until they see this in the server's SETTINGS frame.
+      // Framework-default HTTP/2 hardening — operator-supplied
+      // tlsOptions can override any of these.
+      //
+      // maxConcurrentStreams: cap concurrent streams per session (Node
+      //   default is 4294967295 — way too high; CVE-2023-44487 Rapid
+      //   Reset relies on the unbounded default).
+      // maxSessionMemory: 10 MB cap per session (Node default; explicit).
+      // maxHeaderListPairs: 100 header pairs max (Node default 128;
+      //   tightened — CVE-2024-27983 / CVE-2024-28182 CONTINUATION
+      //   flood relies on header-pair amplification).
+      // maxSettings: cap SETTINGS-frame entries.
+      // peerMaxConcurrentStreams: cap how many streams the peer is
+      //   willing to accept (limits server-initiated push, which the
+      //   framework doesn't use).
+      // unknownProtocolTimeout: 10s — drop sessions stuck in protocol-
+      //   detection (Slowloris-h2 variant).
       server = http2.createSecureServer(Object.assign({
-        allowHTTP1:    true,
-        ALPNProtocols: ["h2", "http/1.1"],
-        settings:      { enableConnectProtocol: true },
+        allowHTTP1:               true,
+        ALPNProtocols:             ["h2", "http/1.1"],
+        settings:                  { enableConnectProtocol: true },
+        maxConcurrentStreams:      100,                                            // allow:raw-byte-literal — CVE-2023-44487 Rapid Reset cap
+        maxSessionMemory:          10,                                             // allow:raw-byte-literal — MB cap (Node default explicit)
+        maxHeaderListPairs:        100,                                            // allow:raw-byte-literal — CVE-2024-27983 CONTINUATION-flood cap
+        maxSettings:               32,                                             // allow:raw-byte-literal — SETTINGS-frame entry ceiling
+        peerMaxConcurrentStreams:  100,                                            // allow:raw-byte-literal — peer-side stream cap
+        unknownProtocolTimeout:    C.TIME.seconds(10),
       }, tlsOptions), requestHandler);
     } else {
       // Cleartext path is h1-only. Operators wanting h2c on cleartext
@@ -710,7 +732,23 @@ class Router {
 
     if (host) server.listen(port, host, cb);
     else server.listen(port, cb);
-    server.timeout = C.TIME.minutes(5);
+    // Slowloris / slow-read defenses. Node defaults shifted across
+    // versions; the framework pins them explicitly so operators on
+    // older Node releases get the modern bar.
+    //
+    // headersTimeout: 60s — time allotted for the entire request-line
+    //   + header section. Slowloris's classic posture is a connection
+    //   that trickles headers indefinitely.
+    // requestTimeout: 5min — total wall-clock for a request including
+    //   body. Body-streaming uploads through fileUpload can take
+    //   minutes; this is the operator-overridable ceiling.
+    // keepAliveTimeout: 5s — idle timeout between requests on a
+    //   keep-alive connection.
+    // server.timeout: 5min — hardware/network timeout (legacy).
+    server.headersTimeout   = C.TIME.seconds(60);
+    server.requestTimeout   = C.TIME.minutes(5);
+    server.keepAliveTimeout = C.TIME.seconds(5);
+    server.timeout          = C.TIME.minutes(5);
     return server;
   }
 }

package/lib/vendor/MANIFEST.json

@@ -13,7 +13,10 @@
         "server": "lib/vendor/noble-ciphers.cjs"
       },
       "bundler": "esbuild --format=cjs --minify --platform=node",
-      "bundledAt": "2026-04-25"
+      "bundledAt": "2026-04-25",
+      "hashes": {
+        "server": "sha256:5d539dfc9ef47121d4c09bd7256d76448a1f5ac47ee09ac44c78ff6a062af9ab"
+      }
     },
     "argon2": {
       "version": "0.44.0",
@@ -39,7 +42,11 @@
         "win32-x64"
       ],
       "bundler": "esbuild --format=cjs --platform=node (inlines @phc/format + node-gyp-build)",
-      "bundledAt": "2026-04-25"
+      "bundledAt": "2026-04-25",
+      "hashes": {
+        "server": "sha256:93b8d2fb7f24dc1b3304dc9420844d5e1afc199c41ab1f9a90c8de48cc7c2359",
+        "prebuilds": "sha256-tree:65921b7cf331e0a9430a1b52440da8f26cdf9d215a4cd490edbc4804dd713df3"
+      }
     },
     "@simplewebauthn/server": {
       "version": "13.3.0",
@@ -57,7 +64,10 @@
         "server": "lib/vendor/simplewebauthn-server.cjs"
       },
       "bundler": "esbuild --format=cjs --minify --platform=node --external:crypto --external:node:crypto",
-      "bundledAt": "2026-04-26"
+      "bundledAt": "2026-04-26",
+      "hashes": {
+        "server": "sha256:a9777dca582095d67f17ca24e19a0791de29928555b6b779c2233429175eb3f0"
+      }
     },
     "SecLists-common-passwords-top-10000": {
       "version": "10k-most-common (master)",
@@ -69,7 +79,10 @@
         "server": "lib/vendor/common-passwords-top-10000.txt"
       },
       "bundler": "curl https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10k-most-common.txt",
-      "bundledAt": "2026-05-02"
+      "bundledAt": "2026-05-02",
+      "hashes": {
+        "server": "sha256:4adb3f0afb4a10cf19ebe48d8c69a46f934bbc8d77c694c210564f9583e7f4ba"
+      }
     },
     "peculiar-pki": {
       "version": "2.0.0+pkijs-3.4.0",
@@ -90,7 +103,10 @@
         "server": "lib/vendor/pki.cjs"
       },
       "bundler": "esbuild --format=cjs --minify --platform=node --external:crypto --external:node:crypto",
-      "bundledAt": "2026-04-29"
+      "bundledAt": "2026-04-29",
+      "hashes": {
+        "server": "sha256:9bbc191afaaa2b1e5757f00480457c08134cdc2c55d541df18d9155bba9cbf77"
+      }
     }
   }
 }

package/lib/websocket.js

@@ -221,12 +221,17 @@ function negotiateSubprotocol(req, supported) {
 // origins shapes:
 //   array — strict allowlist, enforced
 //   "*"   — explicit "accept all" (operator opt-in to no checking)
-//   null/undefined — same as "*" but caller (router) is expected to
-//                    have logged a startup warning. Origin policy is a
-//                    framework-level decision; this primitive doesn't
-//                    re-warn here.
+//   null/undefined — DEFAULT: same-origin (Origin host matches Host
+//                    header). The pre-0.7.64 default was "accept all" —
+//                    flipped here because cross-site WebSocket
+//                    hijacking (CSWSH) is a real attacker capability
+//                    against any browser-targeted WebSocket route, and
+//                    same-origin is the safe default. Operators
+//                    needing cross-origin opt in explicitly via
+//                    `origins: "*"` (with audited reason) or
+//                    `origins: [...allowlist]`.
 function isOriginAllowed(req, origins) {
-  if (!origins || origins === "*") return true;
+  if (origins === "*") return true;
   var origin = (req.headers || {}).origin;
   // Non-browser clients (curl, server-to-server, native apps) don't
   // send Origin. Origin enforcement only meaningfully applies to
@@ -234,6 +239,17 @@ function isOriginAllowed(req, origins) {
   // the operator's network ACL / auth middleware, not Origin.
   if (!origin) return true;
   if (Array.isArray(origins)) return origins.indexOf(origin) !== -1;
+  // Default: same-origin. Compare the Origin header's hostname against
+  // the Host header. Operators behind a TLS-terminating LB pass the
+  // canonical Host through (or set `origins: [...]` explicitly).
+  if (!origins) {
+    var host = (req.headers || {}).host;
+    if (!host) return false;
+    var originHost;
+    try { originHost = new URL(origin).host; }                                   // allow:raw-new-url — comparing browser-supplied Origin header against Host; safeUrl.parse adds policy filtering that isn't appropriate for exact host comparison
+    catch (_e) { return false; }
+    return originHost === host;
+  }
   return false;
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.63",
+  "version": "0.7.73",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:e7800257-940b-492f-8159-1b9d7b8b5f90",
+  "serialNumber": "urn:uuid:55a0114a-f249-481f-b122-6997247485a1",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T00:32:55.128Z",
+    "timestamp": "2026-05-06T03:31:31.641Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.63",
+      "bom-ref": "@blamejs/core@0.7.73",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.63",
+      "version": "0.7.73",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.63",
+      "purl": "pkg:npm/%40blamejs/core@0.7.73",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.63",
+      "ref": "@blamejs/core@0.7.73",
       "dependsOn": []
     }
   ]