@hoajs/secure-headers 0.1.0

package/dist/cjs/index.js

@@ -0,0 +1,811 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  contentSecurityPolicy: () => contentSecurityPolicy_default,
+  crossOriginEmbedderPolicy: () => crossOriginEmbedderPolicy_default,
+  crossOriginOpenerPolicy: () => crossOriginOpenerPolicy_default,
+  crossOriginResourcePolicy: () => crossOriginResourcePolicy_default,
+  default: () => index_default,
+  dnsPrefetchControl: () => xDnsPrefetchControl_default,
+  frameguard: () => xFrameOptions_default,
+  hsts: () => strictTransportSecurity_default,
+  ieNoOpen: () => xDownloadOptions_default,
+  noSniff: () => xContentTypeOptions_default,
+  originAgentCluster: () => originAgentCluster_default,
+  permissionPolicy: () => permissionPolicy_default,
+  permittedCrossDomainPolicies: () => xPermittedCrossDomainPolicies_default,
+  referrerPolicy: () => referrerPolicy_default,
+  secureHeaders: () => secureHeaders,
+  strictTransportSecurity: () => strictTransportSecurity_default,
+  xContentTypeOptions: () => xContentTypeOptions_default,
+  xDnsPrefetchControl: () => xDnsPrefetchControl_default,
+  xDownloadOptions: () => xDownloadOptions_default,
+  xFrameOptions: () => xFrameOptions_default,
+  xPermittedCrossDomainPolicies: () => xPermittedCrossDomainPolicies_default,
+  xXssProtection: () => xXssProtection_default,
+  xssFilter: () => xXssProtection_default
+});
+module.exports = __toCommonJS(index_exports);
+var import_hoa = require("hoa");
+
+// src/contentSecurityPolicy.ts
+var dangerouslyDisableDefaultSrc = Symbol("dangerouslyDisableDefaultSrc");
+var SHOULD_BE_QUOTED = /* @__PURE__ */ new Set([
+  "none",
+  "self",
+  "strict-dynamic",
+  "report-sample",
+  "inline-speculation-rules",
+  "unsafe-inline",
+  "unsafe-eval",
+  "unsafe-hashes",
+  "wasm-unsafe-eval"
+]);
+var getDefaultDirectives = () => ({
+  "default-src": ["'self'"],
+  "base-uri": ["'self'"],
+  "font-src": ["'self'", "https:", "data:"],
+  "form-action": ["'self'"],
+  "frame-ancestors": ["'self'"],
+  "img-src": ["'self'", "data:"],
+  "object-src": ["'none'"],
+  "script-src": ["'self'"],
+  "script-src-attr": ["'none'"],
+  "style-src": ["'self'", "https:", "'unsafe-inline'"],
+  "upgrade-insecure-requests": []
+});
+var dashify = (str) => str.replace(/[A-Z]/g, (capitalLetter) => "-" + capitalLetter.toLowerCase());
+var assertDirectiveValueIsValid = (directiveName, directiveValue) => {
+  if (/;|,/.test(directiveValue)) {
+    throw new Error(
+      `Content-Security-Policy received an invalid directive value for ${JSON.stringify(
+        directiveName
+      )}`
+    );
+  }
+};
+var assertDirectiveValueEntryIsValid = (directiveName, directiveValueEntry) => {
+  if (SHOULD_BE_QUOTED.has(directiveValueEntry) || directiveValueEntry.startsWith("nonce-") || directiveValueEntry.startsWith("sha256-") || directiveValueEntry.startsWith("sha384-") || directiveValueEntry.startsWith("sha512-")) {
+    throw new Error(
+      `Content-Security-Policy received an invalid directive value for ${JSON.stringify(
+        directiveName
+      )}. ${JSON.stringify(directiveValueEntry)} should be quoted`
+    );
+  }
+};
+function normalizeDirectives(options) {
+  const defaultDirectives = getDefaultDirectives();
+  const { useDefaults = true, directives: rawDirectives = defaultDirectives } = options;
+  const result = /* @__PURE__ */ new Map();
+  const directiveNamesSeen = /* @__PURE__ */ new Set();
+  const directivesExplicitlyDisabled = /* @__PURE__ */ new Set();
+  for (const rawDirectiveName in rawDirectives) {
+    if (!Object.hasOwn(rawDirectives, rawDirectiveName)) {
+      continue;
+    }
+    if (rawDirectiveName.length === 0 || /[^a-zA-Z0-9-]/.test(rawDirectiveName)) {
+      throw new Error(
+        `Content-Security-Policy received an invalid directive name ${JSON.stringify(
+          rawDirectiveName
+        )}`
+      );
+    }
+    const directiveName = dashify(rawDirectiveName);
+    if (directiveNamesSeen.has(directiveName)) {
+      throw new Error(
+        `Content-Security-Policy received a duplicate directive ${JSON.stringify(
+          directiveName
+        )}`
+      );
+    }
+    directiveNamesSeen.add(directiveName);
+    const rawDirectiveValue = rawDirectives[rawDirectiveName];
+    let directiveValue;
+    if (rawDirectiveValue === null) {
+      if (directiveName === "default-src") {
+        throw new Error(
+          "Content-Security-Policy needs a default-src but it was set to `null`. If you really want to disable it, set it to `contentSecurityPolicy.dangerouslyDisableDefaultSrc`."
+        );
+      }
+      directivesExplicitlyDisabled.add(directiveName);
+      continue;
+    } else if (typeof rawDirectiveValue === "string") {
+      directiveValue = [rawDirectiveValue];
+    } else if (!rawDirectiveValue) {
+      throw new Error(
+        `Content-Security-Policy received an invalid directive value for ${JSON.stringify(
+          directiveName
+        )}`
+      );
+    } else if (rawDirectiveValue === dangerouslyDisableDefaultSrc) {
+      if (directiveName === "default-src") {
+        directivesExplicitlyDisabled.add("default-src");
+        continue;
+      } else {
+        throw new Error(
+          `Content-Security-Policy: tried to disable ${JSON.stringify(
+            directiveName
+          )} as if it were default-src; simply omit the key`
+        );
+      }
+    } else {
+      directiveValue = rawDirectiveValue;
+    }
+    for (const element of directiveValue) {
+      if (typeof element !== "string") continue;
+      assertDirectiveValueIsValid(directiveName, element);
+      assertDirectiveValueEntryIsValid(directiveName, element);
+    }
+    result.set(directiveName, directiveValue);
+  }
+  if (useDefaults) {
+    Object.entries(defaultDirectives).forEach(
+      ([defaultDirectiveName, defaultDirectiveValue]) => {
+        if (!result.has(defaultDirectiveName) && !directivesExplicitlyDisabled.has(defaultDirectiveName)) {
+          result.set(defaultDirectiveName, defaultDirectiveValue);
+        }
+      }
+    );
+  }
+  if (!result.size) {
+    throw new Error(
+      "Content-Security-Policy has no directives. Either set some or disable the header"
+    );
+  }
+  if (!result.has("default-src") && !directivesExplicitlyDisabled.has("default-src")) {
+    throw new Error(
+      "Content-Security-Policy needs a default-src but none was provided. If you really want to disable it, set it to `contentSecurityPolicy.dangerouslyDisableDefaultSrc`."
+    );
+  }
+  return result;
+}
+function getHeaderValue(ctx, normalizedDirectives) {
+  const result = [];
+  for (const [directiveName, rawDirectiveValue] of normalizedDirectives) {
+    let directiveValue = "";
+    for (const element of rawDirectiveValue) {
+      if (typeof element === "function") {
+        const newElement = element(ctx);
+        assertDirectiveValueEntryIsValid(directiveName, newElement);
+        directiveValue += " " + newElement;
+      } else {
+        directiveValue += " " + element;
+      }
+    }
+    if (directiveValue) {
+      assertDirectiveValueIsValid(directiveName, directiveValue);
+      result.push(`${directiveName}${directiveValue}`);
+    } else {
+      result.push(directiveName);
+    }
+  }
+  return result.join(";");
+}
+var contentSecurityPolicy = function contentSecurityPolicy2(options = {}) {
+  const headerName = options.reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
+  const normalizedDirectives = normalizeDirectives(options);
+  return async function contentSecurityPolicyMiddleware(ctx, next) {
+    const result = getHeaderValue(ctx, normalizedDirectives);
+    ctx.res.set(headerName, result);
+    await next();
+  };
+};
+contentSecurityPolicy.getDefaultDirectives = getDefaultDirectives;
+contentSecurityPolicy.dangerouslyDisableDefaultSrc = dangerouslyDisableDefaultSrc;
+var contentSecurityPolicy_default = contentSecurityPolicy;
+
+// src/crossOriginEmbedderPolicy.ts
+var ALLOWED_POLICIES = /* @__PURE__ */ new Set([
+  "require-corp",
+  "credentialless",
+  "unsafe-none"
+]);
+function getHeaderValueFromOptions({
+  policy = "require-corp"
+}) {
+  if (ALLOWED_POLICIES.has(policy)) {
+    return policy;
+  } else {
+    throw new Error(
+      `Cross-Origin-Embedder-Policy does not support the ${JSON.stringify(
+        policy
+      )} policy`
+    );
+  }
+}
+function crossOriginEmbedderPolicy(options = {}) {
+  const headerValue = getHeaderValueFromOptions(options);
+  return async function crossOriginEmbedderPolicyMiddleware(ctx, next) {
+    ctx.res.set("Cross-Origin-Embedder-Policy", headerValue);
+    await next();
+  };
+}
+var crossOriginEmbedderPolicy_default = crossOriginEmbedderPolicy;
+
+// src/crossOriginOpenerPolicy.ts
+var ALLOWED_POLICIES2 = /* @__PURE__ */ new Set(["same-origin", "same-origin-allow-popups", "unsafe-none"]);
+function getHeaderValueFromOptions2({
+  policy = "same-origin"
+}) {
+  if (ALLOWED_POLICIES2.has(policy)) {
+    return policy;
+  } else {
+    throw new Error(
+      `Cross-Origin-Opener-Policy does not support the ${JSON.stringify(
+        policy
+      )} policy`
+    );
+  }
+}
+function crossOriginOpenerPolicy(options = {}) {
+  const headerValue = getHeaderValueFromOptions2(options);
+  return async function crossOriginOpenerPolicyMiddleware(ctx, next) {
+    ctx.res.set("Cross-Origin-Opener-Policy", headerValue);
+    await next();
+  };
+}
+var crossOriginOpenerPolicy_default = crossOriginOpenerPolicy;
+
+// src/crossOriginResourcePolicy.ts
+var ALLOWED_POLICIES3 = /* @__PURE__ */ new Set(["same-origin", "same-site", "cross-origin"]);
+function getHeaderValueFromOptions3({
+  policy = "same-origin"
+}) {
+  if (ALLOWED_POLICIES3.has(policy)) {
+    return policy;
+  } else {
+    throw new Error(
+      `Cross-Origin-Resource-Policy does not support the ${JSON.stringify(
+        policy
+      )} policy`
+    );
+  }
+}
+function crossOriginResourcePolicy(options = {}) {
+  const headerValue = getHeaderValueFromOptions3(options);
+  return async function crossOriginResourcePolicyMiddleware(ctx, next) {
+    ctx.res.set("Cross-Origin-Resource-Policy", headerValue);
+    await next();
+  };
+}
+var crossOriginResourcePolicy_default = crossOriginResourcePolicy;
+
+// src/originAgentCluster.ts
+function originAgentCluster() {
+  return async function originAgentClusterMiddleware(ctx, next) {
+    ctx.res.set("Origin-Agent-Cluster", "?1");
+    await next();
+  };
+}
+var originAgentCluster_default = originAgentCluster;
+
+// src/referrerPolicy.ts
+var ALLOWED_TOKENS = /* @__PURE__ */ new Set([
+  "no-referrer",
+  "no-referrer-when-downgrade",
+  "same-origin",
+  "origin",
+  "strict-origin",
+  "origin-when-cross-origin",
+  "strict-origin-when-cross-origin",
+  "unsafe-url",
+  ""
+]);
+function getHeaderValueFromOptions4({
+  policy = ["no-referrer"]
+}) {
+  const tokens = typeof policy === "string" ? [policy] : policy;
+  if (tokens.length === 0) {
+    throw new Error("Referrer-Policy received no policy tokens");
+  }
+  const tokensSeen = /* @__PURE__ */ new Set();
+  tokens.forEach((token) => {
+    if (!ALLOWED_TOKENS.has(token)) {
+      throw new Error(
+        `Referrer-Policy received an unexpected policy token ${JSON.stringify(
+          token
+        )}`
+      );
+    } else if (tokensSeen.has(token)) {
+      throw new Error(
+        `Referrer-Policy received a duplicate policy token ${JSON.stringify(
+          token
+        )}`
+      );
+    }
+    tokensSeen.add(token);
+  });
+  return tokens.join(",");
+}
+function referrerPolicy(options = {}) {
+  const headerValue = getHeaderValueFromOptions4(options);
+  return async function referrerPolicyMiddleware(ctx, next) {
+    ctx.res.set("Referrer-Policy", headerValue);
+    await next();
+  };
+}
+var referrerPolicy_default = referrerPolicy;
+
+// src/strictTransportSecurity.ts
+var DEFAULT_MAX_AGE = 365 * 24 * 60 * 60;
+function parseMaxAge(value = DEFAULT_MAX_AGE) {
+  if (value >= 0 && Number.isFinite(value)) {
+    return Math.floor(value);
+  } else {
+    throw new Error(
+      `Strict-Transport-Security: ${JSON.stringify(
+        value
+      )} is not a valid value for maxAge. Please choose a positive integer.`
+    );
+  }
+}
+function getHeaderValueFromOptions5(options) {
+  if ("maxage" in options) {
+    throw new Error(
+      "Strict-Transport-Security received an unsupported property, `maxage`. Did you mean to pass `maxAge`?"
+    );
+  }
+  if ("includeSubdomains" in options) {
+    throw new Error(
+      'Strict-Transport-Security middleware should use `includeSubDomains` instead of `includeSubdomains`. (The correct one has an uppercase "D".)'
+    );
+  }
+  const directives = [`max-age=${parseMaxAge(options.maxAge)}`];
+  if (options.includeSubDomains === void 0 || options.includeSubDomains) {
+    directives.push("includeSubDomains");
+  }
+  if (options.preload) {
+    directives.push("preload");
+  }
+  return directives.join("; ");
+}
+function strictTransportSecurity(options = {}) {
+  const headerValue = getHeaderValueFromOptions5(options);
+  return async function strictTransportSecurityMiddleware(ctx, next) {
+    ctx.res.set("Strict-Transport-Security", headerValue);
+    await next();
+  };
+}
+var strictTransportSecurity_default = strictTransportSecurity;
+
+// src/xContentTypeOptions.ts
+function xContentTypeOptions() {
+  return async function xContentTypeOptionsMiddleware(ctx, next) {
+    ctx.res.set("X-Content-Type-Options", "nosniff");
+    await next();
+  };
+}
+var xContentTypeOptions_default = xContentTypeOptions;
+
+// src/xDnsPrefetchControl.ts
+function xDnsPrefetchControl(options = {}) {
+  const headerValue = options.allow ? "on" : "off";
+  return async function xDnsPrefetchControlMiddleware(ctx, next) {
+    ctx.res.set("X-DNS-Prefetch-Control", headerValue);
+    await next();
+  };
+}
+var xDnsPrefetchControl_default = xDnsPrefetchControl;
+
+// src/xDownloadOptions.ts
+function xDownloadOptions() {
+  return async function xDownloadOptionsMiddleware(ctx, next) {
+    ctx.res.set("X-Download-Options", "noopen");
+    await next();
+  };
+}
+var xDownloadOptions_default = xDownloadOptions;
+
+// src/xFrameOptions.ts
+function getHeaderValueFromOptions6({
+  action = "sameorigin"
+}) {
+  const normalizedAction = typeof action === "string" ? action.toUpperCase() : action;
+  switch (normalizedAction) {
+    case "SAME-ORIGIN":
+      return "SAMEORIGIN";
+    case "DENY":
+    case "SAMEORIGIN":
+      return normalizedAction;
+    default:
+      throw new Error(
+        `X-Frame-Options received an invalid action ${JSON.stringify(action)}`
+      );
+  }
+}
+function xFrameOptions(options = {}) {
+  const headerValue = getHeaderValueFromOptions6(options);
+  return async function xFrameOptionsMiddleware(ctx, next) {
+    ctx.res.set("X-Frame-Options", headerValue);
+    await next();
+  };
+}
+var xFrameOptions_default = xFrameOptions;
+
+// src/xPermittedCrossDomainPolicies.ts
+var ALLOWED_PERMITTED_POLICIES = /* @__PURE__ */ new Set([
+  "none",
+  "master-only",
+  "by-content-type",
+  "all"
+]);
+function getHeaderValueFromOptions7({
+  permittedPolicies = "none"
+}) {
+  if (ALLOWED_PERMITTED_POLICIES.has(permittedPolicies)) {
+    return permittedPolicies;
+  } else {
+    throw new Error(
+      `X-Permitted-Cross-Domain-Policies does not support ${JSON.stringify(
+        permittedPolicies
+      )}`
+    );
+  }
+}
+function xPermittedCrossDomainPolicies(options = {}) {
+  const headerValue = getHeaderValueFromOptions7(options);
+  return async function xPermittedCrossDomainPoliciesMiddleware(ctx, next) {
+    ctx.res.set("X-Permitted-Cross-Domain-Policies", headerValue);
+    await next();
+  };
+}
+var xPermittedCrossDomainPolicies_default = xPermittedCrossDomainPolicies;
+
+// src/xXssProtection.ts
+function xXssProtection() {
+  return async function xXssProtectionMiddleware(ctx, next) {
+    ctx.res.set("X-XSS-Protection", "0");
+    await next();
+  };
+}
+var xXssProtection_default = xXssProtection;
+
+// src/permissionPolicy.ts
+function dashify2(str) {
+  return str.replace(/([a-z\d])([A-Z])/g, "$1-$2").toLowerCase();
+}
+var SHOULD_NOT_BE_QUOTED = /* @__PURE__ */ new Set(["*", "none", "self", "src"]);
+function normalizeDirectives2(options) {
+  const directiveNamesSeen = /* @__PURE__ */ new Set();
+  const result = {};
+  for (const rawDirectiveName in options) {
+    const directiveName = dashify2(rawDirectiveName);
+    if (directiveNamesSeen.has(directiveName)) {
+      throw new Error(`Permission-Policy received a duplicate directive ${JSON.stringify(
+        directiveName
+      )}`);
+    }
+    directiveNamesSeen.add(directiveName);
+    const rawDirectiveValue = options[rawDirectiveName];
+    if (typeof rawDirectiveValue === "boolean") {
+      result[directiveName] = rawDirectiveValue ? "(*)" : "()";
+    } else if (Array.isArray(rawDirectiveValue)) {
+      if (rawDirectiveValue.length === 0) {
+        result[directiveName] = "()";
+      } else if (rawDirectiveValue.length === 1 && (rawDirectiveValue[0] === "*" || rawDirectiveValue[0] === "none")) {
+        result[directiveName] = `(${rawDirectiveValue[0]})`;
+      } else {
+        const allowList = rawDirectiveValue.map((v) => SHOULD_NOT_BE_QUOTED.has(v) ? v : `"${v}"`);
+        result[directiveName] = `(${allowList.join(" ")})`;
+      }
+    } else {
+      throw new Error(
+        `Permission-Policy received an invalid directive value for ${JSON.stringify(
+          directiveName
+        )}. ${JSON.stringify(rawDirectiveValue)} should be a boolean or an array of strings.`
+      );
+    }
+  }
+  if (Object.keys(result).length === 0) {
+    throw new Error("Permission-Policy has no directives. Either set some or disable the header");
+  }
+  return result;
+}
+function getHeaderValue2(normalizedDirectives) {
+  return Object.entries(normalizedDirectives).map(([k, v]) => `${k}=${v}`).join(", ");
+}
+function permissionPolicy(options = {}) {
+  const normalizedDirectives = normalizeDirectives2(options);
+  const headerValue = getHeaderValue2(normalizedDirectives);
+  return async function permissionPolicyMiddleware(ctx, next) {
+    ctx.res.set("Permissions-Policy", headerValue);
+    await next();
+  };
+}
+var permissionPolicy_default = permissionPolicy;
+
+// src/index.ts
+function getMiddlewareFunctionsFromOptions(options) {
+  const result = [];
+  switch (options.contentSecurityPolicy) {
+    case void 0:
+    case true:
+      result.push(contentSecurityPolicy_default());
+      break;
+    case false:
+      break;
+    default:
+      result.push(contentSecurityPolicy_default(options.contentSecurityPolicy));
+      break;
+  }
+  switch (options.crossOriginEmbedderPolicy) {
+    case void 0:
+    case false:
+      break;
+    case true:
+      result.push(crossOriginEmbedderPolicy_default());
+      break;
+    default:
+      result.push(crossOriginEmbedderPolicy_default(options.crossOriginEmbedderPolicy));
+      break;
+  }
+  switch (options.crossOriginOpenerPolicy) {
+    case void 0:
+    case true:
+      result.push(crossOriginOpenerPolicy_default());
+      break;
+    case false:
+      break;
+    default:
+      result.push(crossOriginOpenerPolicy_default(options.crossOriginOpenerPolicy));
+      break;
+  }
+  switch (options.crossOriginResourcePolicy) {
+    case void 0:
+    case true:
+      result.push(crossOriginResourcePolicy_default());
+      break;
+    case false:
+      break;
+    default:
+      result.push(crossOriginResourcePolicy_default(options.crossOriginResourcePolicy));
+      break;
+  }
+  switch (options.originAgentCluster) {
+    case void 0:
+    case true:
+      result.push(originAgentCluster_default());
+      break;
+    case false:
+      break;
+    default:
+      result.push(originAgentCluster_default());
+      break;
+  }
+  switch (options.referrerPolicy) {
+    case void 0:
+    case true:
+      result.push(referrerPolicy_default());
+      break;
+    case false:
+      break;
+    default:
+      result.push(referrerPolicy_default(options.referrerPolicy));
+      break;
+  }
+  if ("strictTransportSecurity" in options && "hsts" in options) {
+    throw new Error(
+      "Strict-Transport-Security option was specified twice. Remove the `hsts` option to fix this error."
+    );
+  }
+  const strictTransportSecurityOption = options.strictTransportSecurity ?? options.hsts;
+  switch (strictTransportSecurityOption) {
+    case void 0:
+    case true:
+      result.push(strictTransportSecurity_default());
+      break;
+    case false:
+      break;
+    default:
+      result.push(strictTransportSecurity_default(strictTransportSecurityOption));
+      break;
+  }
+  if ("xContentTypeOptions" in options && "noSniff" in options) {
+    throw new Error(
+      "X-Content-Type-Options option was specified twice. Remove the `noSniff` option to fix this error."
+    );
+  }
+  const xContentTypeOptionsOption = options.xContentTypeOptions ?? options.noSniff;
+  switch (xContentTypeOptionsOption) {
+    case void 0:
+    case true:
+      result.push(xContentTypeOptions_default());
+      break;
+    case false:
+      break;
+    default:
+      result.push(xContentTypeOptions_default());
+      break;
+  }
+  if ("xDnsPrefetchControl" in options && "dnsPrefetchControl" in options) {
+    throw new Error(
+      "X-DNS-Prefetch-Control option was specified twice. Remove the `dnsPrefetchControl` option to fix this error."
+    );
+  }
+  const xDnsPrefetchControlOption = options.xDnsPrefetchControl ?? options.dnsPrefetchControl;
+  switch (xDnsPrefetchControlOption) {
+    case void 0:
+    case true:
+      result.push(xDnsPrefetchControl_default());
+      break;
+    case false:
+      break;
+    default:
+      result.push(xDnsPrefetchControl_default(xDnsPrefetchControlOption));
+      break;
+  }
+  if ("xDownloadOptions" in options && "ieNoOpen" in options) {
+    throw new Error(
+      "X-Download-Options option was specified twice. Remove the `ieNoOpen` option to fix this error."
+    );
+  }
+  const xDownloadOptionsOption = options.xDownloadOptions ?? options.ieNoOpen;
+  switch (xDownloadOptionsOption) {
+    case void 0:
+    case true:
+      result.push(xDownloadOptions_default());
+      break;
+    case false:
+      break;
+    default:
+      result.push(xDownloadOptions_default());
+      break;
+  }
+  if ("xFrameOptions" in options && "frameguard" in options) {
+    throw new Error(
+      "X-Frame-Options option was specified twice. Remove the `frameguard` option to fix this error."
+    );
+  }
+  const xFrameOptionsOption = options.xFrameOptions ?? options.frameguard;
+  switch (xFrameOptionsOption) {
+    case void 0:
+    case true:
+      result.push(xFrameOptions_default());
+      break;
+    case false:
+      break;
+    default:
+      result.push(xFrameOptions_default(xFrameOptionsOption));
+      break;
+  }
+  if ("xPermittedCrossDomainPolicies" in options && "permittedCrossDomainPolicies" in options) {
+    throw new Error(
+      "X-Permitted-Cross-Domain-Policies option was specified twice. Remove the `permittedCrossDomainPolicies` option to fix this error."
+    );
+  }
+  const xPermittedCrossDomainPoliciesOption = options.xPermittedCrossDomainPolicies ?? options.permittedCrossDomainPolicies;
+  switch (xPermittedCrossDomainPoliciesOption) {
+    case void 0:
+    case true:
+      result.push(xPermittedCrossDomainPolicies_default());
+      break;
+    case false:
+      break;
+    default:
+      result.push(
+        xPermittedCrossDomainPolicies_default(xPermittedCrossDomainPoliciesOption)
+      );
+      break;
+  }
+  if ("xPoweredBy" in options && "hidePoweredBy" in options) {
+    throw new Error(
+      "X-Powered-By option was specified twice. Remove the `hidePoweredBy` option to fix this error."
+    );
+  }
+  const xPoweredByOption = options.xPoweredBy ?? options.hidePoweredBy;
+  const xPoweredBy = function xPoweredBy2() {
+    return async function xPoweredByMiddleware(ctx, next) {
+      ctx.res.delete("X-Powered-By");
+      await next();
+    };
+  };
+  switch (xPoweredByOption) {
+    case void 0:
+    case true:
+      result.push(xPoweredBy());
+      break;
+    case false:
+      break;
+    default:
+      result.push(xPoweredBy());
+      break;
+  }
+  if ("xXssProtection" in options && "xssFilter" in options) {
+    throw new Error(
+      "X-XSS-Protection option was specified twice. Remove the `xssFilter` option to fix this error."
+    );
+  }
+  const xXssProtectionOption = options.xXssProtection ?? options.xssFilter;
+  switch (xXssProtectionOption) {
+    case void 0:
+    case true:
+      result.push(xXssProtection_default());
+      break;
+    case false:
+      break;
+    default:
+      result.push(xXssProtection_default());
+      break;
+  }
+  if (options.permissionPolicy && typeof options.permissionPolicy === "object") {
+    result.push(permissionPolicy_default(options.permissionPolicy));
+  }
+  return result;
+}
+var secureHeaders = Object.assign(
+  function secureHeaders2(options = {}) {
+    const middlewareFunctions = getMiddlewareFunctionsFromOptions(options);
+    const secureHeadersHandler = (0, import_hoa.compose)(middlewareFunctions);
+    return async function secureHeadersMiddleware(ctx, next) {
+      await secureHeadersHandler(ctx, next);
+    };
+  },
+  {
+    contentSecurityPolicy: contentSecurityPolicy_default,
+    crossOriginEmbedderPolicy: crossOriginEmbedderPolicy_default,
+    crossOriginOpenerPolicy: crossOriginOpenerPolicy_default,
+    crossOriginResourcePolicy: crossOriginResourcePolicy_default,
+    originAgentCluster: originAgentCluster_default,
+    referrerPolicy: referrerPolicy_default,
+    strictTransportSecurity: strictTransportSecurity_default,
+    xContentTypeOptions: xContentTypeOptions_default,
+    xDnsPrefetchControl: xDnsPrefetchControl_default,
+    xDownloadOptions: xDownloadOptions_default,
+    xFrameOptions: xFrameOptions_default,
+    xPermittedCrossDomainPolicies: xPermittedCrossDomainPolicies_default,
+    xXssProtection: xXssProtection_default,
+    permissionPolicy: permissionPolicy_default,
+    // Legacy aliases
+    dnsPrefetchControl: xDnsPrefetchControl_default,
+    xssFilter: xXssProtection_default,
+    permittedCrossDomainPolicies: xPermittedCrossDomainPolicies_default,
+    ieNoOpen: xDownloadOptions_default,
+    noSniff: xContentTypeOptions_default,
+    frameguard: xFrameOptions_default,
+    hsts: strictTransportSecurity_default
+  }
+);
+var index_default = secureHeaders;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  contentSecurityPolicy,
+  crossOriginEmbedderPolicy,
+  crossOriginOpenerPolicy,
+  crossOriginResourcePolicy,
+  dnsPrefetchControl,
+  frameguard,
+  hsts,
+  ieNoOpen,
+  noSniff,
+  originAgentCluster,
+  permissionPolicy,
+  permittedCrossDomainPolicies,
+  referrerPolicy,
+  secureHeaders,
+  strictTransportSecurity,
+  xContentTypeOptions,
+  xDnsPrefetchControl,
+  xDownloadOptions,
+  xFrameOptions,
+  xPermittedCrossDomainPolicies,
+  xXssProtection,
+  xssFilter
+});