npm - @jaypie/constructs - Versions diffs - 1.2.29 → 1.2.31 - Mend

@jaypie/constructs 1.2.29 → 1.2.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/cjs/JaypieDistribution.d.ts +22 -0
package/dist/cjs/JaypieDynamoDb.d.ts +0 -19
package/dist/cjs/constants.d.ts +5 -0
package/dist/cjs/index.cjs +75 -12
package/dist/cjs/index.cjs.map +1 -1
package/dist/cjs/index.d.ts +1 -1
package/dist/esm/JaypieDistribution.d.ts +22 -0
package/dist/esm/JaypieDynamoDb.d.ts +0 -19
package/dist/esm/constants.d.ts +5 -0
package/dist/esm/index.d.ts +1 -1
package/dist/esm/index.js +76 -13
package/dist/esm/index.js.map +1 -1
package/package.json +1 -1

package/dist/cjs/JaypieDistribution.d.ts CHANGED Viewed

@@ -7,6 +7,14 @@ import * as s3 from "aws-cdk-lib/aws-s3";
 import { LambdaDestination } from "aws-cdk-lib/aws-s3-notifications";
 import { Construct } from "constructs";
 import { HostConfig } from "./helpers";
+export interface SecurityHeadersOverrides {
+    contentSecurityPolicy?: string;
+    frameOption?: cloudfront.HeadersFrameOption;
+    hstsIncludeSubdomains?: boolean;
+    hstsMaxAge?: number;
+    permissionsPolicy?: string;
+    referrerPolicy?: cloudfront.HeadersReferrerPolicy;
+}
 export interface JaypieDistributionProps extends Omit<cloudfront.DistributionProps, "certificate" | "defaultBehavior" | "logBucket"> {
     /**
      * SSL certificate for the CloudFront distribution
@@ -73,6 +81,19 @@ export interface JaypieDistributionProps extends Omit<cloudfront.DistributionPro
      * @max Duration.seconds(120)
      */
     originReadTimeout?: Duration;
+    /**
+     * Full override for the response headers policy.
+     * When provided, bypasses all default security header logic.
+     */
+    responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
+    /**
+     * Security headers configuration.
+     * - true/undefined: apply sensible defaults (HSTS, X-Frame-Options, CSP, etc.)
+     * - false: disable security headers entirely
+     * - SecurityHeadersOverrides object: merge overrides with defaults
+     * @default true
+     */
+    securityHeaders?: boolean | SecurityHeadersOverrides;
     /**
      * Role tag for tagging resources
      * @default CDK.ROLE.HOSTING
@@ -94,6 +115,7 @@ export declare class JaypieDistribution extends Construct implements cloudfront.
     readonly functionUrl?: lambda.FunctionUrl;
     readonly host?: string;
     readonly logBucket?: s3.IBucket;
+    readonly responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
     constructor(scope: Construct, id: string, props: JaypieDistributionProps);
     private isIOrigin;
     private isIFunctionUrl;

package/dist/cjs/JaypieDynamoDb.d.ts CHANGED Viewed

@@ -8,19 +8,11 @@ export interface JaypieDynamoDbProps extends Omit<dynamodb.TablePropsV2, "global
      * - `undefined`: No GSIs (default)
      * - Array of IndexDefinition: Use the specified indexes
      *
-     * Use `JaypieDynamoDb.DEFAULT_INDEXES` for the standard Jaypie GSIs.
-     *
      * @example
      * // No GSIs (default)
      * new JaypieDynamoDb(this, "myTable");
      *
      * @example
-     * // With default Jaypie indexes
-     * new JaypieDynamoDb(this, "myTable", {
-     *   indexes: JaypieDynamoDb.DEFAULT_INDEXES,
-     * });
-     *
-     * @example
      * // With custom indexes
      * new JaypieDynamoDb(this, "myTable", {
      *   indexes: [
@@ -73,12 +65,6 @@ export interface JaypieDynamoDbProps extends Omit<dynamodb.TablePropsV2, "global
  * const table = new JaypieDynamoDb(this, "myApp");
  *
  * @example
- * // With default Jaypie indexes
- * const table = new JaypieDynamoDb(this, "myApp", {
- *   indexes: JaypieDynamoDb.DEFAULT_INDEXES,
- * });
- *
- * @example
  * // With explicit table name (overrides CDK-generated name)
  * const table = new JaypieDynamoDb(this, "MyTable", {
  *   tableName: "custom-table-name",
@@ -89,11 +75,6 @@ export interface JaypieDynamoDbProps extends Omit<dynamodb.TablePropsV2, "global
  * });
  */
 export declare class JaypieDynamoDb extends Construct implements dynamodb.ITableV2 {
-    /**
-     * Default Jaypie GSI definitions from @jaypie/fabric.
-     * Pass to `indexes` prop to create all standard GSIs.
-     */
-    static readonly DEFAULT_INDEXES: IndexDefinition[];
     private readonly _table;
     constructor(scope: Construct, id: string, props?: JaypieDynamoDbProps);
     /**

package/dist/cjs/constants.d.ts CHANGED Viewed

@@ -98,6 +98,11 @@ export declare const CDK: {
     PROJECT: {
         INFRASTRUCTURE: string;
     };
+    SECURITY_HEADERS: {
+        CONTENT_SECURITY_POLICY: string;
+        HSTS_MAX_AGE: number;
+        PERMISSIONS_POLICY: string;
+    };
     ROLE: {
         API: string;
         DEPLOY: string;

package/dist/cjs/index.cjs CHANGED Viewed

@@ -169,6 +169,11 @@ const CDK$2 = {
     PROJECT: {
         INFRASTRUCTURE: "infrastructure",
     },
+    SECURITY_HEADERS: {
+        CONTENT_SECURITY_POLICY: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self';",
+        HSTS_MAX_AGE: 63072000, // 2 years
+        PERMISSIONS_POLICY: "camera=(), microphone=(), geolocation=(), payment=()",
+    },
     ROLE: {
         API: "api",
         DEPLOY: "deploy",
@@ -2364,7 +2369,7 @@ class JaypieDatadogSecret extends JaypieEnvSecret {
 class JaypieDistribution extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { certificate: certificateProp = true, defaultBehavior: propsDefaultBehavior, destination: destinationProp = true, handler, host: propsHost, logBucket: logBucketProp, originReadTimeout = cdk.Duration.seconds(CDK$2.DURATION.CLOUDFRONT_API), roleTag = CDK$2.ROLE.API, streaming = false, zone: propsZone, ...distributionProps } = props;
+        const { certificate: certificateProp = true, defaultBehavior: propsDefaultBehavior, destination: destinationProp = true, handler, host: propsHost, logBucket: logBucketProp, originReadTimeout = cdk.Duration.seconds(CDK$2.DURATION.CLOUDFRONT_API), responseHeadersPolicy: responseHeadersPolicyProp, roleTag = CDK$2.ROLE.API, securityHeaders: securityHeadersProp, streaming = false, zone: propsZone, ...distributionProps } = props;
         // Validate environment variables
         if (process.env.CDK_ENV_API_SUBDOMAIN &&
             !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
@@ -2446,6 +2451,72 @@ class JaypieDistribution extends constructs.Construct {
                 handler.addEnvironment("PROJECT_BASE_URL", `https://${host}`);
             }
         }
+        // Resolve response headers policy for security headers
+        let resolvedResponseHeadersPolicy;
+        if (responseHeadersPolicyProp) {
+            resolvedResponseHeadersPolicy = responseHeadersPolicyProp;
+        }
+        else if (securityHeadersProp !== false) {
+            const overrides = typeof securityHeadersProp === "object" ? securityHeadersProp : {};
+            resolvedResponseHeadersPolicy = new cloudfront__namespace.ResponseHeadersPolicy(this, "SecurityHeaders", {
+                customHeadersBehavior: {
+                    customHeaders: [
+                        {
+                            header: "Cache-Control",
+                            override: true,
+                            value: "no-store, no-cache, must-revalidate, proxy-revalidate",
+                        },
+                        {
+                            header: "Cross-Origin-Embedder-Policy",
+                            override: true,
+                            value: "unsafe-none",
+                        },
+                        {
+                            header: "Cross-Origin-Opener-Policy",
+                            override: true,
+                            value: "same-origin",
+                        },
+                        {
+                            header: "Cross-Origin-Resource-Policy",
+                            override: true,
+                            value: "same-origin",
+                        },
+                        {
+                            header: "Permissions-Policy",
+                            override: true,
+                            value: overrides.permissionsPolicy ??
+                                CDK$2.SECURITY_HEADERS.PERMISSIONS_POLICY,
+                        },
+                    ],
+                },
+                removeHeaders: ["Server"],
+                securityHeadersBehavior: {
+                    contentSecurityPolicy: {
+                        contentSecurityPolicy: overrides.contentSecurityPolicy ??
+                            CDK$2.SECURITY_HEADERS.CONTENT_SECURITY_POLICY,
+                        override: true,
+                    },
+                    contentTypeOptions: { override: true },
+                    frameOptions: {
+                        frameOption: overrides.frameOption ?? cloudfront__namespace.HeadersFrameOption.DENY,
+                        override: true,
+                    },
+                    referrerPolicy: {
+                        referrerPolicy: overrides.referrerPolicy ??
+                            cloudfront__namespace.HeadersReferrerPolicy
+                                .STRICT_ORIGIN_WHEN_CROSS_ORIGIN,
+                        override: true,
+                    },
+                    strictTransportSecurity: {
+                        accessControlMaxAge: cdk.Duration.seconds(overrides.hstsMaxAge ?? CDK$2.SECURITY_HEADERS.HSTS_MAX_AGE),
+                        includeSubdomains: overrides.hstsIncludeSubdomains ?? true,
+                        override: true,
+                        preload: true,
+                    },
+                },
+            });
+        }
+        this.responseHeadersPolicy = resolvedResponseHeadersPolicy;
         // Build default behavior
         let defaultBehavior;
         if (propsDefaultBehavior) {
@@ -2457,6 +2528,9 @@ class JaypieDistribution extends constructs.Construct {
                 cachePolicy: cloudfront__namespace.CachePolicy.CACHING_DISABLED,
                 origin,
                 originRequestPolicy: cloudfront__namespace.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
+                ...(resolvedResponseHeadersPolicy
+                    ? { responseHeadersPolicy: resolvedResponseHeadersPolicy }
+                    : {}),
                 viewerProtocolPolicy: cloudfront__namespace.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
             };
         }
@@ -2764,12 +2838,6 @@ function indexesToGsi(indexes) {
  * const table = new JaypieDynamoDb(this, "myApp");
  *
  * @example
- * // With default Jaypie indexes
- * const table = new JaypieDynamoDb(this, "myApp", {
- *   indexes: JaypieDynamoDb.DEFAULT_INDEXES,
- * });
- *
- * @example
  * // With explicit table name (overrides CDK-generated name)
  * const table = new JaypieDynamoDb(this, "MyTable", {
  *   tableName: "custom-table-name",
@@ -2908,11 +2976,6 @@ class JaypieDynamoDb extends constructs.Construct {
         return this._table.metricUserErrors(props);
     }
 }
-/**
- * Default Jaypie GSI definitions from @jaypie/fabric.
- * Pass to `indexes` prop to create all standard GSIs.
- */
-JaypieDynamoDb.DEFAULT_INDEXES = fabric.DEFAULT_INDEXES;
 class JaypieEventsRule extends constructs.Construct {
     /**