@hoajs/secure-headers 0.1.0 → 0.1.1

package/CHANGELOG.md

@@ -1,3 +1,8 @@
+## v0.1.1 / 2026-02-11
+
+- refactor: use tsdown instead of tsup
+- chore(deps): update deps
+
 ## v0.1.0 / 2025-10-29
 
 - init

package/dist/cjs/index.cjs

@@ -0,0 +1,571 @@
+Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: 'Module' } });
+let hoa = require("hoa");
+
+//#region src/contentSecurityPolicy.ts
+const dangerouslyDisableDefaultSrc = Symbol("dangerouslyDisableDefaultSrc");
+const SHOULD_BE_QUOTED = new Set([
+	"none",
+	"self",
+	"strict-dynamic",
+	"report-sample",
+	"inline-speculation-rules",
+	"unsafe-inline",
+	"unsafe-eval",
+	"unsafe-hashes",
+	"wasm-unsafe-eval"
+]);
+const getDefaultDirectives = () => ({
+	"default-src": ["'self'"],
+	"base-uri": ["'self'"],
+	"font-src": [
+		"'self'",
+		"https:",
+		"data:"
+	],
+	"form-action": ["'self'"],
+	"frame-ancestors": ["'self'"],
+	"img-src": ["'self'", "data:"],
+	"object-src": ["'none'"],
+	"script-src": ["'self'"],
+	"script-src-attr": ["'none'"],
+	"style-src": [
+		"'self'",
+		"https:",
+		"'unsafe-inline'"
+	],
+	"upgrade-insecure-requests": []
+});
+const dashify$1 = (str) => str.replace(/[A-Z]/g, (capitalLetter) => "-" + capitalLetter.toLowerCase());
+const assertDirectiveValueIsValid = (directiveName, directiveValue) => {
+	if (/;|,/.test(directiveValue)) throw new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}`);
+};
+const assertDirectiveValueEntryIsValid = (directiveName, directiveValueEntry) => {
+	if (SHOULD_BE_QUOTED.has(directiveValueEntry) || directiveValueEntry.startsWith("nonce-") || directiveValueEntry.startsWith("sha256-") || directiveValueEntry.startsWith("sha384-") || directiveValueEntry.startsWith("sha512-")) throw new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}. ${JSON.stringify(directiveValueEntry)} should be quoted`);
+};
+function normalizeDirectives$1(options) {
+	const defaultDirectives = getDefaultDirectives();
+	const { useDefaults = true, directives: rawDirectives = defaultDirectives } = options;
+	const result = /* @__PURE__ */ new Map();
+	const directiveNamesSeen = /* @__PURE__ */ new Set();
+	const directivesExplicitlyDisabled = /* @__PURE__ */ new Set();
+	for (const rawDirectiveName in rawDirectives) {
+		if (!Object.hasOwn(rawDirectives, rawDirectiveName)) continue;
+		if (rawDirectiveName.length === 0 || /[^a-zA-Z0-9-]/.test(rawDirectiveName)) throw new Error(`Content-Security-Policy received an invalid directive name ${JSON.stringify(rawDirectiveName)}`);
+		const directiveName = dashify$1(rawDirectiveName);
+		if (directiveNamesSeen.has(directiveName)) throw new Error(`Content-Security-Policy received a duplicate directive ${JSON.stringify(directiveName)}`);
+		directiveNamesSeen.add(directiveName);
+		const rawDirectiveValue = rawDirectives[rawDirectiveName];
+		let directiveValue;
+		if (rawDirectiveValue === null) {
+			if (directiveName === "default-src") throw new Error("Content-Security-Policy needs a default-src but it was set to `null`. If you really want to disable it, set it to `contentSecurityPolicy.dangerouslyDisableDefaultSrc`.");
+			directivesExplicitlyDisabled.add(directiveName);
+			continue;
+		} else if (typeof rawDirectiveValue === "string") directiveValue = [rawDirectiveValue];
+		else if (!rawDirectiveValue) throw new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}`);
+		else if (rawDirectiveValue === dangerouslyDisableDefaultSrc) if (directiveName === "default-src") {
+			directivesExplicitlyDisabled.add("default-src");
+			continue;
+		} else throw new Error(`Content-Security-Policy: tried to disable ${JSON.stringify(directiveName)} as if it were default-src; simply omit the key`);
+		else directiveValue = rawDirectiveValue;
+		for (const element of directiveValue) {
+			if (typeof element !== "string") continue;
+			assertDirectiveValueIsValid(directiveName, element);
+			assertDirectiveValueEntryIsValid(directiveName, element);
+		}
+		result.set(directiveName, directiveValue);
+	}
+	if (useDefaults) Object.entries(defaultDirectives).forEach(([defaultDirectiveName, defaultDirectiveValue]) => {
+		if (!result.has(defaultDirectiveName) && !directivesExplicitlyDisabled.has(defaultDirectiveName)) result.set(defaultDirectiveName, defaultDirectiveValue);
+	});
+	if (!result.size) throw new Error("Content-Security-Policy has no directives. Either set some or disable the header");
+	if (!result.has("default-src") && !directivesExplicitlyDisabled.has("default-src")) throw new Error("Content-Security-Policy needs a default-src but none was provided. If you really want to disable it, set it to `contentSecurityPolicy.dangerouslyDisableDefaultSrc`.");
+	return result;
+}
+function getHeaderValue$1(ctx, normalizedDirectives) {
+	const result = [];
+	for (const [directiveName, rawDirectiveValue] of normalizedDirectives) {
+		let directiveValue = "";
+		for (const element of rawDirectiveValue) if (typeof element === "function") {
+			const newElement = element(ctx);
+			assertDirectiveValueEntryIsValid(directiveName, newElement);
+			directiveValue += " " + newElement;
+		} else directiveValue += " " + element;
+		if (directiveValue) {
+			assertDirectiveValueIsValid(directiveName, directiveValue);
+			result.push(`${directiveName}${directiveValue}`);
+		} else result.push(directiveName);
+	}
+	return result.join(";");
+}
+const contentSecurityPolicy = function contentSecurityPolicy(options = {}) {
+	const headerName = options.reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
+	const normalizedDirectives = normalizeDirectives$1(options);
+	return async function contentSecurityPolicyMiddleware(ctx, next) {
+		const result = getHeaderValue$1(ctx, normalizedDirectives);
+		ctx.res.set(headerName, result);
+		await next();
+	};
+};
+contentSecurityPolicy.getDefaultDirectives = getDefaultDirectives;
+contentSecurityPolicy.dangerouslyDisableDefaultSrc = dangerouslyDisableDefaultSrc;
+
+//#endregion
+//#region src/crossOriginEmbedderPolicy.ts
+const ALLOWED_POLICIES$2 = new Set([
+	"require-corp",
+	"credentialless",
+	"unsafe-none"
+]);
+function getHeaderValueFromOptions$6({ policy = "require-corp" }) {
+	if (ALLOWED_POLICIES$2.has(policy)) return policy;
+	else throw new Error(`Cross-Origin-Embedder-Policy does not support the ${JSON.stringify(policy)} policy`);
+}
+function crossOriginEmbedderPolicy(options = {}) {
+	const headerValue = getHeaderValueFromOptions$6(options);
+	return async function crossOriginEmbedderPolicyMiddleware(ctx, next) {
+		ctx.res.set("Cross-Origin-Embedder-Policy", headerValue);
+		await next();
+	};
+}
+
+//#endregion
+//#region src/crossOriginOpenerPolicy.ts
+const ALLOWED_POLICIES$1 = new Set([
+	"same-origin",
+	"same-origin-allow-popups",
+	"unsafe-none"
+]);
+function getHeaderValueFromOptions$5({ policy = "same-origin" }) {
+	if (ALLOWED_POLICIES$1.has(policy)) return policy;
+	else throw new Error(`Cross-Origin-Opener-Policy does not support the ${JSON.stringify(policy)} policy`);
+}
+function crossOriginOpenerPolicy(options = {}) {
+	const headerValue = getHeaderValueFromOptions$5(options);
+	return async function crossOriginOpenerPolicyMiddleware(ctx, next) {
+		ctx.res.set("Cross-Origin-Opener-Policy", headerValue);
+		await next();
+	};
+}
+
+//#endregion
+//#region src/crossOriginResourcePolicy.ts
+const ALLOWED_POLICIES = new Set([
+	"same-origin",
+	"same-site",
+	"cross-origin"
+]);
+function getHeaderValueFromOptions$4({ policy = "same-origin" }) {
+	if (ALLOWED_POLICIES.has(policy)) return policy;
+	else throw new Error(`Cross-Origin-Resource-Policy does not support the ${JSON.stringify(policy)} policy`);
+}
+function crossOriginResourcePolicy(options = {}) {
+	const headerValue = getHeaderValueFromOptions$4(options);
+	return async function crossOriginResourcePolicyMiddleware(ctx, next) {
+		ctx.res.set("Cross-Origin-Resource-Policy", headerValue);
+		await next();
+	};
+}
+
+//#endregion
+//#region src/originAgentCluster.ts
+function originAgentCluster() {
+	return async function originAgentClusterMiddleware(ctx, next) {
+		ctx.res.set("Origin-Agent-Cluster", "?1");
+		await next();
+	};
+}
+
+//#endregion
+//#region src/referrerPolicy.ts
+const ALLOWED_TOKENS = new Set([
+	"no-referrer",
+	"no-referrer-when-downgrade",
+	"same-origin",
+	"origin",
+	"strict-origin",
+	"origin-when-cross-origin",
+	"strict-origin-when-cross-origin",
+	"unsafe-url",
+	""
+]);
+function getHeaderValueFromOptions$3({ policy = ["no-referrer"] }) {
+	const tokens = typeof policy === "string" ? [policy] : policy;
+	if (tokens.length === 0) throw new Error("Referrer-Policy received no policy tokens");
+	const tokensSeen = /* @__PURE__ */ new Set();
+	tokens.forEach((token) => {
+		if (!ALLOWED_TOKENS.has(token)) throw new Error(`Referrer-Policy received an unexpected policy token ${JSON.stringify(token)}`);
+		else if (tokensSeen.has(token)) throw new Error(`Referrer-Policy received a duplicate policy token ${JSON.stringify(token)}`);
+		tokensSeen.add(token);
+	});
+	return tokens.join(",");
+}
+function referrerPolicy(options = {}) {
+	const headerValue = getHeaderValueFromOptions$3(options);
+	return async function referrerPolicyMiddleware(ctx, next) {
+		ctx.res.set("Referrer-Policy", headerValue);
+		await next();
+	};
+}
+
+//#endregion
+//#region src/strictTransportSecurity.ts
+const DEFAULT_MAX_AGE = 365 * 24 * 60 * 60;
+function parseMaxAge(value = DEFAULT_MAX_AGE) {
+	if (value >= 0 && Number.isFinite(value)) return Math.floor(value);
+	else throw new Error(`Strict-Transport-Security: ${JSON.stringify(value)} is not a valid value for maxAge. Please choose a positive integer.`);
+}
+function getHeaderValueFromOptions$2(options) {
+	if ("maxage" in options) throw new Error("Strict-Transport-Security received an unsupported property, `maxage`. Did you mean to pass `maxAge`?");
+	if ("includeSubdomains" in options) throw new Error("Strict-Transport-Security middleware should use `includeSubDomains` instead of `includeSubdomains`. (The correct one has an uppercase \"D\".)");
+	const directives = [`max-age=${parseMaxAge(options.maxAge)}`];
+	if (options.includeSubDomains === void 0 || options.includeSubDomains) directives.push("includeSubDomains");
+	if (options.preload) directives.push("preload");
+	return directives.join("; ");
+}
+function strictTransportSecurity(options = {}) {
+	const headerValue = getHeaderValueFromOptions$2(options);
+	return async function strictTransportSecurityMiddleware(ctx, next) {
+		ctx.res.set("Strict-Transport-Security", headerValue);
+		await next();
+	};
+}
+
+//#endregion
+//#region src/xContentTypeOptions.ts
+function xContentTypeOptions() {
+	return async function xContentTypeOptionsMiddleware(ctx, next) {
+		ctx.res.set("X-Content-Type-Options", "nosniff");
+		await next();
+	};
+}
+
+//#endregion
+//#region src/xDnsPrefetchControl.ts
+function xDnsPrefetchControl(options = {}) {
+	const headerValue = options.allow ? "on" : "off";
+	return async function xDnsPrefetchControlMiddleware(ctx, next) {
+		ctx.res.set("X-DNS-Prefetch-Control", headerValue);
+		await next();
+	};
+}
+
+//#endregion
+//#region src/xDownloadOptions.ts
+function xDownloadOptions() {
+	return async function xDownloadOptionsMiddleware(ctx, next) {
+		ctx.res.set("X-Download-Options", "noopen");
+		await next();
+	};
+}
+
+//#endregion
+//#region src/xFrameOptions.ts
+function getHeaderValueFromOptions$1({ action = "sameorigin" }) {
+	const normalizedAction = typeof action === "string" ? action.toUpperCase() : action;
+	switch (normalizedAction) {
+		case "SAME-ORIGIN": return "SAMEORIGIN";
+		case "DENY":
+		case "SAMEORIGIN": return normalizedAction;
+		default: throw new Error(`X-Frame-Options received an invalid action ${JSON.stringify(action)}`);
+	}
+}
+function xFrameOptions(options = {}) {
+	const headerValue = getHeaderValueFromOptions$1(options);
+	return async function xFrameOptionsMiddleware(ctx, next) {
+		ctx.res.set("X-Frame-Options", headerValue);
+		await next();
+	};
+}
+
+//#endregion
+//#region src/xPermittedCrossDomainPolicies.ts
+const ALLOWED_PERMITTED_POLICIES = new Set([
+	"none",
+	"master-only",
+	"by-content-type",
+	"all"
+]);
+function getHeaderValueFromOptions({ permittedPolicies = "none" }) {
+	if (ALLOWED_PERMITTED_POLICIES.has(permittedPolicies)) return permittedPolicies;
+	else throw new Error(`X-Permitted-Cross-Domain-Policies does not support ${JSON.stringify(permittedPolicies)}`);
+}
+function xPermittedCrossDomainPolicies(options = {}) {
+	const headerValue = getHeaderValueFromOptions(options);
+	return async function xPermittedCrossDomainPoliciesMiddleware(ctx, next) {
+		ctx.res.set("X-Permitted-Cross-Domain-Policies", headerValue);
+		await next();
+	};
+}
+
+//#endregion
+//#region src/xXssProtection.ts
+function xXssProtection() {
+	return async function xXssProtectionMiddleware(ctx, next) {
+		ctx.res.set("X-XSS-Protection", "0");
+		await next();
+	};
+}
+
+//#endregion
+//#region src/permissionPolicy.ts
+function dashify(str) {
+	return str.replace(/([a-z\d])([A-Z])/g, "$1-$2").toLowerCase();
+}
+const SHOULD_NOT_BE_QUOTED = new Set([
+	"*",
+	"none",
+	"self",
+	"src"
+]);
+function normalizeDirectives(options) {
+	const directiveNamesSeen = /* @__PURE__ */ new Set();
+	const result = {};
+	for (const rawDirectiveName in options) {
+		const directiveName = dashify(rawDirectiveName);
+		if (directiveNamesSeen.has(directiveName)) throw new Error(`Permission-Policy received a duplicate directive ${JSON.stringify(directiveName)}`);
+		directiveNamesSeen.add(directiveName);
+		const rawDirectiveValue = options[rawDirectiveName];
+		if (typeof rawDirectiveValue === "boolean") result[directiveName] = rawDirectiveValue ? "(*)" : "()";
+		else if (Array.isArray(rawDirectiveValue)) if (rawDirectiveValue.length === 0) result[directiveName] = "()";
+		else if (rawDirectiveValue.length === 1 && (rawDirectiveValue[0] === "*" || rawDirectiveValue[0] === "none")) result[directiveName] = `(${rawDirectiveValue[0]})`;
+		else result[directiveName] = `(${rawDirectiveValue.map((v) => SHOULD_NOT_BE_QUOTED.has(v) ? v : `"${v}"`).join(" ")})`;
+		else throw new Error(`Permission-Policy received an invalid directive value for ${JSON.stringify(directiveName)}. ${JSON.stringify(rawDirectiveValue)} should be a boolean or an array of strings.`);
+	}
+	if (Object.keys(result).length === 0) throw new Error("Permission-Policy has no directives. Either set some or disable the header");
+	return result;
+}
+function getHeaderValue(normalizedDirectives) {
+	return Object.entries(normalizedDirectives).map(([k, v]) => `${k}=${v}`).join(", ");
+}
+function permissionPolicy(options = {}) {
+	const headerValue = getHeaderValue(normalizeDirectives(options));
+	return async function permissionPolicyMiddleware(ctx, next) {
+		ctx.res.set("Permissions-Policy", headerValue);
+		await next();
+	};
+}
+
+//#endregion
+//#region src/index.ts
+function getMiddlewareFunctionsFromOptions(options) {
+	const result = [];
+	switch (options.contentSecurityPolicy) {
+		case void 0:
+		case true:
+			result.push(contentSecurityPolicy());
+			break;
+		case false: break;
+		default:
+			result.push(contentSecurityPolicy(options.contentSecurityPolicy));
+			break;
+	}
+	switch (options.crossOriginEmbedderPolicy) {
+		case void 0:
+		case false: break;
+		case true:
+			result.push(crossOriginEmbedderPolicy());
+			break;
+		default:
+			result.push(crossOriginEmbedderPolicy(options.crossOriginEmbedderPolicy));
+			break;
+	}
+	switch (options.crossOriginOpenerPolicy) {
+		case void 0:
+		case true:
+			result.push(crossOriginOpenerPolicy());
+			break;
+		case false: break;
+		default:
+			result.push(crossOriginOpenerPolicy(options.crossOriginOpenerPolicy));
+			break;
+	}
+	switch (options.crossOriginResourcePolicy) {
+		case void 0:
+		case true:
+			result.push(crossOriginResourcePolicy());
+			break;
+		case false: break;
+		default:
+			result.push(crossOriginResourcePolicy(options.crossOriginResourcePolicy));
+			break;
+	}
+	switch (options.originAgentCluster) {
+		case void 0:
+		case true:
+			result.push(originAgentCluster());
+			break;
+		case false: break;
+		default:
+			console.warn("Origin-Agent-Cluster does not take options. Remove the property to silence this warning.");
+			result.push(originAgentCluster());
+			break;
+	}
+	switch (options.referrerPolicy) {
+		case void 0:
+		case true:
+			result.push(referrerPolicy());
+			break;
+		case false: break;
+		default:
+			result.push(referrerPolicy(options.referrerPolicy));
+			break;
+	}
+	if ("strictTransportSecurity" in options && "hsts" in options) throw new Error("Strict-Transport-Security option was specified twice. Remove the `hsts` option to fix this error.");
+	const strictTransportSecurityOption = options.strictTransportSecurity ?? options.hsts;
+	switch (strictTransportSecurityOption) {
+		case void 0:
+		case true:
+			result.push(strictTransportSecurity());
+			break;
+		case false: break;
+		default:
+			result.push(strictTransportSecurity(strictTransportSecurityOption));
+			break;
+	}
+	if ("xContentTypeOptions" in options && "noSniff" in options) throw new Error("X-Content-Type-Options option was specified twice. Remove the `noSniff` option to fix this error.");
+	switch (options.xContentTypeOptions ?? options.noSniff) {
+		case void 0:
+		case true:
+			result.push(xContentTypeOptions());
+			break;
+		case false: break;
+		default:
+			console.warn("X-Content-Type-Options does not take options. Remove the property to silence this warning.");
+			result.push(xContentTypeOptions());
+			break;
+	}
+	if ("xDnsPrefetchControl" in options && "dnsPrefetchControl" in options) throw new Error("X-DNS-Prefetch-Control option was specified twice. Remove the `dnsPrefetchControl` option to fix this error.");
+	const xDnsPrefetchControlOption = options.xDnsPrefetchControl ?? options.dnsPrefetchControl;
+	switch (xDnsPrefetchControlOption) {
+		case void 0:
+		case true:
+			result.push(xDnsPrefetchControl());
+			break;
+		case false: break;
+		default:
+			result.push(xDnsPrefetchControl(xDnsPrefetchControlOption));
+			break;
+	}
+	if ("xDownloadOptions" in options && "ieNoOpen" in options) throw new Error("X-Download-Options option was specified twice. Remove the `ieNoOpen` option to fix this error.");
+	switch (options.xDownloadOptions ?? options.ieNoOpen) {
+		case void 0:
+		case true:
+			result.push(xDownloadOptions());
+			break;
+		case false: break;
+		default:
+			console.warn("X-Download-Options does not take options. Remove the property to silence this warning.");
+			result.push(xDownloadOptions());
+			break;
+	}
+	if ("xFrameOptions" in options && "frameguard" in options) throw new Error("X-Frame-Options option was specified twice. Remove the `frameguard` option to fix this error.");
+	const xFrameOptionsOption = options.xFrameOptions ?? options.frameguard;
+	switch (xFrameOptionsOption) {
+		case void 0:
+		case true:
+			result.push(xFrameOptions());
+			break;
+		case false: break;
+		default:
+			result.push(xFrameOptions(xFrameOptionsOption));
+			break;
+	}
+	if ("xPermittedCrossDomainPolicies" in options && "permittedCrossDomainPolicies" in options) throw new Error("X-Permitted-Cross-Domain-Policies option was specified twice. Remove the `permittedCrossDomainPolicies` option to fix this error.");
+	const xPermittedCrossDomainPoliciesOption = options.xPermittedCrossDomainPolicies ?? options.permittedCrossDomainPolicies;
+	switch (xPermittedCrossDomainPoliciesOption) {
+		case void 0:
+		case true:
+			result.push(xPermittedCrossDomainPolicies());
+			break;
+		case false: break;
+		default:
+			result.push(xPermittedCrossDomainPolicies(xPermittedCrossDomainPoliciesOption));
+			break;
+	}
+	if ("xPoweredBy" in options && "hidePoweredBy" in options) throw new Error("X-Powered-By option was specified twice. Remove the `hidePoweredBy` option to fix this error.");
+	const xPoweredByOption = options.xPoweredBy ?? options.hidePoweredBy;
+	const xPoweredBy = function xPoweredBy() {
+		return async function xPoweredByMiddleware(ctx, next) {
+			ctx.res.delete("X-Powered-By");
+			await next();
+		};
+	};
+	switch (xPoweredByOption) {
+		case void 0:
+		case true:
+			result.push(xPoweredBy());
+			break;
+		case false: break;
+		default:
+			console.warn("X-Powered-By does not take options. Remove the property to silence this warning.");
+			result.push(xPoweredBy());
+			break;
+	}
+	if ("xXssProtection" in options && "xssFilter" in options) throw new Error("X-XSS-Protection option was specified twice. Remove the `xssFilter` option to fix this error.");
+	switch (options.xXssProtection ?? options.xssFilter) {
+		case void 0:
+		case true:
+			result.push(xXssProtection());
+			break;
+		case false: break;
+		default:
+			console.warn("X-XSS-Protection does not take options. Remove the property to silence this warning.");
+			result.push(xXssProtection());
+			break;
+	}
+	if (options.permissionPolicy && typeof options.permissionPolicy === "object") result.push(permissionPolicy(options.permissionPolicy));
+	return result;
+}
+const secureHeaders = Object.assign(function secureHeaders(options = {}) {
+	const secureHeadersHandler = (0, hoa.compose)(getMiddlewareFunctionsFromOptions(options));
+	return async function secureHeadersMiddleware(ctx, next) {
+		await secureHeadersHandler(ctx, next);
+	};
+}, {
+	contentSecurityPolicy,
+	crossOriginEmbedderPolicy,
+	crossOriginOpenerPolicy,
+	crossOriginResourcePolicy,
+	originAgentCluster,
+	referrerPolicy,
+	strictTransportSecurity,
+	xContentTypeOptions,
+	xDnsPrefetchControl,
+	xDownloadOptions,
+	xFrameOptions,
+	xPermittedCrossDomainPolicies,
+	xXssProtection,
+	permissionPolicy,
+	dnsPrefetchControl: xDnsPrefetchControl,
+	xssFilter: xXssProtection,
+	permittedCrossDomainPolicies: xPermittedCrossDomainPolicies,
+	ieNoOpen: xDownloadOptions,
+	noSniff: xContentTypeOptions,
+	frameguard: xFrameOptions,
+	hsts: strictTransportSecurity
+});
+
+//#endregion
+exports.contentSecurityPolicy = contentSecurityPolicy;
+exports.crossOriginEmbedderPolicy = crossOriginEmbedderPolicy;
+exports.crossOriginOpenerPolicy = crossOriginOpenerPolicy;
+exports.crossOriginResourcePolicy = crossOriginResourcePolicy;
+exports.default = secureHeaders;
+exports.secureHeaders = secureHeaders;
+exports.dnsPrefetchControl = xDnsPrefetchControl;
+exports.xDnsPrefetchControl = xDnsPrefetchControl;
+exports.frameguard = xFrameOptions;
+exports.xFrameOptions = xFrameOptions;
+exports.hsts = strictTransportSecurity;
+exports.strictTransportSecurity = strictTransportSecurity;
+exports.ieNoOpen = xDownloadOptions;
+exports.xDownloadOptions = xDownloadOptions;
+exports.noSniff = xContentTypeOptions;
+exports.xContentTypeOptions = xContentTypeOptions;
+exports.originAgentCluster = originAgentCluster;
+exports.permissionPolicy = permissionPolicy;
+exports.permittedCrossDomainPolicies = xPermittedCrossDomainPolicies;
+exports.xPermittedCrossDomainPolicies = xPermittedCrossDomainPolicies;
+exports.referrerPolicy = referrerPolicy;
+exports.xXssProtection = xXssProtection;
+exports.xssFilter = xXssProtection;