@hoajs/secure-headers 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/CHANGELOG.md +3 -0
  2. package/LICENSE +21 -0
  3. package/README.md +39 -0
  4. package/dist/cjs/index.d.cts +170 -0
  5. package/dist/cjs/index.js +811 -0
  6. package/dist/esm/index.d.ts +170 -0
  7. package/dist/esm/index.js +766 -0
  8. package/package.json +77 -0
package/dist/esm/index.d.ts ADDED
@@ -0,0 +1,170 @@
1
+ import { HoaContext, HoaMiddleware } from 'hoa';
2
+
3
+ type ContentSecurityPolicyDirectiveValueFunction = (ctx: HoaContext) => string;
4
+ type ContentSecurityPolicyDirectiveValue = string | ContentSecurityPolicyDirectiveValueFunction;
5
+ interface ContentSecurityPolicyOptions {
6
+ useDefaults?: boolean;
7
+ directives?: Record<string, null | Iterable<ContentSecurityPolicyDirectiveValue> | typeof dangerouslyDisableDefaultSrc>;
8
+ reportOnly?: boolean;
9
+ }
10
+ interface ContentSecurityPolicy {
11
+ (options?: Readonly<ContentSecurityPolicyOptions>): HoaMiddleware;
12
+ getDefaultDirectives: typeof getDefaultDirectives;
13
+ dangerouslyDisableDefaultSrc: typeof dangerouslyDisableDefaultSrc;
14
+ }
15
+ declare const dangerouslyDisableDefaultSrc: unique symbol;
16
+ declare const getDefaultDirectives: () => Record<string, Iterable<ContentSecurityPolicyDirectiveValue>>;
17
+ declare const contentSecurityPolicy: ContentSecurityPolicy;
18
+
19
+ interface CrossOriginEmbedderPolicyOptions {
20
+ policy?: 'require-corp' | 'credentialless' | 'unsafe-none';
21
+ }
22
+ declare function crossOriginEmbedderPolicy(options?: Readonly<CrossOriginEmbedderPolicyOptions>): HoaMiddleware;
23
+
24
+ interface CrossOriginOpenerPolicyOptions {
25
+ policy?: 'same-origin' | 'same-origin-allow-popups' | 'unsafe-none';
26
+ }
27
+ declare function crossOriginOpenerPolicy(options?: Readonly<CrossOriginOpenerPolicyOptions>): HoaMiddleware;
28
+
29
+ interface CrossOriginResourcePolicyOptions {
30
+ policy?: 'same-origin' | 'same-site' | 'cross-origin';
31
+ }
32
+ declare function crossOriginResourcePolicy(options?: Readonly<CrossOriginResourcePolicyOptions>): HoaMiddleware;
33
+
34
+ declare function originAgentCluster(): HoaMiddleware;
35
+
36
+ type ReferrerPolicyToken = 'no-referrer' | 'no-referrer-when-downgrade' | 'same-origin' | 'origin' | 'strict-origin' | 'origin-when-cross-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url' | '';
37
+ interface ReferrerPolicyOptions {
38
+ policy?: ReferrerPolicyToken | ReferrerPolicyToken[];
39
+ }
40
+ declare function referrerPolicy(options?: Readonly<ReferrerPolicyOptions>): HoaMiddleware;
41
+
42
+ interface StrictTransportSecurityOptions {
43
+ maxAge?: number;
44
+ includeSubDomains?: boolean;
45
+ preload?: boolean;
46
+ }
47
+ declare function strictTransportSecurity(options?: Readonly<StrictTransportSecurityOptions>): HoaMiddleware;
48
+
49
+ declare function xContentTypeOptions(): HoaMiddleware;
50
+
51
+ interface XDnsPrefetchControlOptions {
52
+ allow?: boolean;
53
+ }
54
+ declare function xDnsPrefetchControl(options?: Readonly<XDnsPrefetchControlOptions>): HoaMiddleware;
55
+
56
+ declare function xDownloadOptions(): HoaMiddleware;
57
+
58
+ interface XFrameOptionsOptions {
59
+ action?: 'deny' | 'sameorigin';
60
+ }
61
+ declare function xFrameOptions(options?: Readonly<XFrameOptionsOptions>): HoaMiddleware;
62
+
63
+ interface XPermittedCrossDomainPoliciesOptions {
64
+ permittedPolicies?: 'none' | 'master-only' | 'by-content-type' | 'all';
65
+ }
66
+ declare function xPermittedCrossDomainPolicies(options?: Readonly<XPermittedCrossDomainPoliciesOptions>): HoaMiddleware;
67
+
68
+ declare function xXssProtection(): HoaMiddleware;
69
+
70
+ type PermissionsPolicyDirective = StandardizedFeatures | ProposedFeatures | ExperimentalFeatures;
71
+ /**
72
+ * These features have been declared in a published version of the respective specification.
73
+ */
74
+ type StandardizedFeatures = 'accelerometer' | 'ambientLightSensor' | 'attributionReporting' | 'autoplay' | 'battery' | 'bluetooth' | 'camera' | 'chUa' | 'chUaArch' | 'chUaBitness' | 'chUaFullVersion' | 'chUaFullVersionList' | 'chUaMobile' | 'chUaModel' | 'chUaPlatform' | 'chUaPlatformVersion' | 'chUaWow64' | 'computePressure' | 'crossOriginIsolated' | 'directSockets' | 'displayCapture' | 'encryptedMedia' | 'executionWhileNotRendered' | 'executionWhileOutOfViewport' | 'fullscreen' | 'geolocation' | 'gyroscope' | 'hid' | 'identityCredentialsGet' | 'idleDetection' | 'keyboardMap' | 'magnetometer' | 'microphone' | 'midi' | 'navigationOverride' | 'payment' | 'pictureInPicture' | 'publickeyCredentialsGet' | 'screenWakeLock' | 'serial' | 'storageAccess' | 'syncXhr' | 'usb' | 'webShare' | 'windowManagement' | 'xrSpatialTracking';
75
+ /**
76
+ * These features have been proposed, but the definitions have not yet been integrated into their respective specs.
77
+ */
78
+ type ProposedFeatures = 'clipboardRead' | 'clipboardWrite' | 'gamepad' | 'sharedAutofill' | 'speakerSelection';
79
+ /**
80
+ * These features generally have an explainer only but may be available for experimentation by web developers.
81
+ */
82
+ type ExperimentalFeatures = 'allScreensCapture' | 'browsingTopics' | 'capturedSurfaceControl' | 'conversionMeasurement' | 'digitalCredentialsGet' | 'focusWithoutUserActivation' | 'joinAdInterestGroup' | 'localFonts' | 'runAdAuction' | 'smartCard' | 'syncScript' | 'trustTokenRedemption' | 'unload' | 'verticalScroll';
83
+ type PermissionsPolicyValue = '*' | 'self' | 'src' | 'none' | string;
84
+ type PermissionPolicyOptions = Partial<Record<PermissionsPolicyDirective, PermissionsPolicyValue[] | boolean>>;
85
+ declare function permissionPolicy(options?: PermissionPolicyOptions): HoaMiddleware;
86
+
87
+ type SecureHeadersOptions = {
88
+ contentSecurityPolicy?: ContentSecurityPolicyOptions | boolean;
89
+ crossOriginEmbedderPolicy?: CrossOriginEmbedderPolicyOptions | boolean;
90
+ crossOriginOpenerPolicy?: CrossOriginOpenerPolicyOptions | boolean;
91
+ crossOriginResourcePolicy?: CrossOriginResourcePolicyOptions | boolean;
92
+ originAgentCluster?: boolean;
93
+ referrerPolicy?: ReferrerPolicyOptions | boolean;
94
+ permissionPolicy?: PermissionPolicyOptions;
95
+ } & ({
96
+ strictTransportSecurity?: StrictTransportSecurityOptions | boolean;
97
+ hsts?: never;
98
+ } | {
99
+ hsts?: StrictTransportSecurityOptions | boolean;
100
+ strictTransportSecurity?: never;
101
+ }) & ({
102
+ xContentTypeOptions?: boolean;
103
+ noSniff?: never;
104
+ } | {
105
+ noSniff?: boolean;
106
+ xContentTypeOptions?: never;
107
+ }) & ({
108
+ xDnsPrefetchControl?: XDnsPrefetchControlOptions | boolean;
109
+ dnsPrefetchControl?: never;
110
+ } | {
111
+ dnsPrefetchControl?: XDnsPrefetchControlOptions | boolean;
112
+ xDnsPrefetchControl?: never;
113
+ }) & ({
114
+ xDownloadOptions?: boolean;
115
+ ieNoOpen?: never;
116
+ } | {
117
+ ieNoOpen?: boolean;
118
+ xDownloadOptions?: never;
119
+ }) & ({
120
+ xFrameOptions?: XFrameOptionsOptions | boolean;
121
+ frameguard?: never;
122
+ } | {
123
+ frameguard?: XFrameOptionsOptions | boolean;
124
+ xFrameOptions?: never;
125
+ }) & ({
126
+ xPermittedCrossDomainPolicies?: XPermittedCrossDomainPoliciesOptions | boolean;
127
+ permittedCrossDomainPolicies?: never;
128
+ } | {
129
+ permittedCrossDomainPolicies?: XPermittedCrossDomainPoliciesOptions | boolean;
130
+ xPermittedCrossDomainPolicies?: never;
131
+ }) & ({
132
+ xPoweredBy?: boolean;
133
+ hidePoweredBy?: never;
134
+ } | {
135
+ hidePoweredBy?: boolean;
136
+ xPoweredBy?: never;
137
+ }) & ({
138
+ xXssProtection?: boolean;
139
+ xssFilter?: never;
140
+ } | {
141
+ xssFilter?: boolean;
142
+ xXssProtection?: never;
143
+ });
144
+ interface SecureHeaders {
145
+ (options?: SecureHeadersOptions): HoaMiddleware;
146
+ contentSecurityPolicy: typeof contentSecurityPolicy;
147
+ crossOriginEmbedderPolicy: typeof crossOriginEmbedderPolicy;
148
+ crossOriginOpenerPolicy: typeof crossOriginOpenerPolicy;
149
+ crossOriginResourcePolicy: typeof crossOriginResourcePolicy;
150
+ originAgentCluster: typeof originAgentCluster;
151
+ referrerPolicy: typeof referrerPolicy;
152
+ strictTransportSecurity: typeof strictTransportSecurity;
153
+ xContentTypeOptions: typeof xContentTypeOptions;
154
+ xDnsPrefetchControl: typeof xDnsPrefetchControl;
155
+ xDownloadOptions: typeof xDownloadOptions;
156
+ xFrameOptions: typeof xFrameOptions;
157
+ xPermittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies;
158
+ xXssProtection: typeof xXssProtection;
159
+ permissionPolicy: typeof permissionPolicy;
160
+ dnsPrefetchControl: typeof xDnsPrefetchControl;
161
+ frameguard: typeof xFrameOptions;
162
+ hsts: typeof strictTransportSecurity;
163
+ ieNoOpen: typeof xDownloadOptions;
164
+ noSniff: typeof xContentTypeOptions;
165
+ permittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies;
166
+ xssFilter: typeof xXssProtection;
167
+ }
168
+ declare const secureHeaders: SecureHeaders;
169
+
170
+ export { type SecureHeadersOptions, contentSecurityPolicy, crossOriginEmbedderPolicy, crossOriginOpenerPolicy, crossOriginResourcePolicy, secureHeaders as default, xDnsPrefetchControl as dnsPrefetchControl, xFrameOptions as frameguard, strictTransportSecurity as hsts, xDownloadOptions as ieNoOpen, xContentTypeOptions as noSniff, originAgentCluster, permissionPolicy, xPermittedCrossDomainPolicies as permittedCrossDomainPolicies, referrerPolicy, secureHeaders, strictTransportSecurity, xContentTypeOptions, xDnsPrefetchControl, xDownloadOptions, xFrameOptions, xPermittedCrossDomainPolicies, xXssProtection, xXssProtection as xssFilter };