@lopatnov/express-reverse-proxy 3.0.0 → 4.0.0

package/README.md

@@ -20,11 +20,19 @@
 - [CLI Options](#cli-options)
 - [Configuration](#configuration)
   - [port](#port)
+  - [logging](#logging)
+  - [hotReload](#hotreload)
+  - [compression](#compression)
+  - [helmet](#helmet)
+  - [cors](#cors)
+  - [favicon](#favicon)
+  - [responseTime](#responsetime)
   - [headers](#headers)
   - [folders](#folders)
   - [proxy](#proxy)
   - [unhandled](#unhandled)
   - [host](#host)
+  - [ssl](#ssl)
 - [Configuration Recipes](#configuration-recipes)
 - [Docker & PM2](#docker--pm2)
 - [Testing](#testing)
@@ -154,6 +162,15 @@ Static files always take priority over proxy rules. Proxies are checked only whe
 
 ## CLI Options
 
+The package installs two equivalent commands — use whichever you prefer:
+
+```shell
+express-reverse-proxy [options]
+lerp [options]
+```
+
+`lerp` is a short alias for **L**opatnov **E**xpress **R**everse **P**roxy.
+
 | Option                    | Description                                                                                     |
 | ------------------------- | ----------------------------------------------------------------------------------------------- |
 | `--help`                  | Print help and exit                                                                             |
@@ -462,6 +479,108 @@ Paths are resolved **relative to the config file**, not the current working dire
 
 > All site configs on the same port must either all have `ssl` or none — mixing is a startup error.
 
+### compression
+
+Enable gzip/deflate response compression. Reduces the size of HTML, CSS, JS, and JSON responses sent to the browser. Set to `true` for defaults, or pass an options object.
+
+```json
+{
+  "port": 8080,
+  "compression": true,
+  "folders": "www"
+}
+```
+
+With custom options (see [compression docs](https://github.com/expressjs/compression#options)):
+
+```json
+{
+  "compression": { "level": 6, "threshold": 1024 }
+}
+```
+
+> Compression is applied per-site. Assets that are already compressed (images, fonts, video) are not affected — the browser signals it accepts compressed responses via the `Accept-Encoding` header.
+
+### helmet
+
+Set security-related HTTP response headers. Protects against common web vulnerabilities by configuring headers such as `Content-Security-Policy`, `X-Frame-Options`, `Strict-Transport-Security`, and others.
+
+```json
+{
+  "port": 8080,
+  "helmet": true,
+  "folders": "www"
+}
+```
+
+Disable a specific header (see [helmet docs](https://helmetjs.github.io/) for all options):
+
+```json
+{
+  "helmet": { "contentSecurityPolicy": false }
+}
+```
+
+> When `helmet: true` is set, the default helmet configuration is applied. This may block inline scripts and cross-origin resources. Adjust `contentSecurityPolicy` or other options as needed for your project.
+
+### cors
+
+Enable CORS (Cross-Origin Resource Sharing) headers and handle preflight `OPTIONS` requests automatically. Useful when your front-end on one origin calls an API on a different origin.
+
+```json
+{
+  "port": 8080,
+  "cors": true,
+  "proxy": { "/api": "http://localhost:4000" }
+}
+```
+
+Restrict to a specific origin (see [cors docs](https://github.com/expressjs/cors#configuration-options)):
+
+```json
+{
+  "cors": { "origin": "https://app.example.com" }
+}
+```
+
+> The `cors` middleware handles `OPTIONS` preflight requests that the `headers` option cannot respond to. Use `cors` when you need to allow requests from JavaScript on a different domain — for example a React app calling this proxy's API routes.
+
+### favicon
+
+Serve a favicon file efficiently. The file is read into memory at startup and served from there on every `/favicon.ico` request — before static folder scanning or proxy rules run.
+
+```json
+{
+  "port": 8080,
+  "favicon": "./public/favicon.ico",
+  "folders": "www"
+}
+```
+
+The path is resolved **relative to the config file**, consistent with the `ssl` option. Absolute paths are also accepted.
+
+> If your favicon already lives inside a directory listed in `folders`, this option is not needed — `express.static` will serve it automatically.
+
+### responseTime
+
+Add an `X-Response-Time` header to every response, recording how long the server took to handle the request. Useful for performance monitoring and debugging.
+
+```json
+{
+  "port": 8080,
+  "responseTime": true,
+  "folders": "www"
+}
+```
+
+With custom precision (see [response-time docs](https://github.com/expressjs/response-time#options)):
+
+```json
+{
+  "responseTime": { "digits": 0, "suffix": false }
+}
+```
+
 ---
 
 ## Configuration Recipes
@@ -530,6 +649,26 @@ node server.js --config server-config.json
 
 ---
 
+### Production hardening (helmet + cors + compression)
+
+Enable security headers, CORS, and response compression in one config:
+
+```json
+{
+  "port": 8080,
+  "compression": true,
+  "helmet": true,
+  "cors": { "origin": "https://app.example.com" },
+  "responseTime": true,
+  "folders": "www",
+  "proxy": {
+    "/api": "http://localhost:4000"
+  }
+}
+```
+
+---
+
 ### CORS headers + rich error responses
 
 ```json
@@ -807,6 +946,11 @@ Contributions are welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) before
 - [Express](https://expressjs.com/) — HTTP server framework
 - [express-http-proxy](https://github.com/villadora/express-http-proxy) — reverse proxy middleware
 - [Morgan](https://github.com/expressjs/morgan) — HTTP request logger
+- [compression](https://github.com/expressjs/compression) — gzip/deflate response compression
+- [helmet](https://helmetjs.github.io/) — security HTTP headers
+- [cors](https://github.com/expressjs/cors) — CORS headers and preflight handling
+- [serve-favicon](https://github.com/expressjs/serve-favicon) — efficient favicon serving
+- [response-time](https://github.com/expressjs/response-time) — X-Response-Time header
 - [PM2](https://pm2.keymetrics.io/) — production process manager with clustering
 - [Biome](https://biomejs.dev/) — fast linter and formatter (Rust-based)
 - [Cypress](https://www.cypress.io/) — E2E testing framework

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@lopatnov/express-reverse-proxy",
   "email": "oleksandr@lopatnov.cv.ua",
-  "version": "3.0.0",
+  "version": "4.0.0",
   "description": "Node.js CLI tool to serve static front-end files with a reverse proxy for back-end APIs",
   "type": "module",
   "author": "lopatnov",
@@ -11,7 +11,8 @@
     "./hot-reload-client": "./hot-reload-client.js"
   },
   "bin": {
-    "express-reverse-proxy": "./server.js"
+    "express-reverse-proxy": "./server.js",
+    "lerp": "./server.js"
   },
   "engines": {
     "node": ">=18.0.0"
@@ -67,10 +68,15 @@
     "access": "public"
   },
   "dependencies": {
+    "compression": "^1.7.5",
+    "cors": "^2.8.5",
     "express": "^5.2.1",
     "express-http-proxy": "^2.1.2",
+    "helmet": "^8.0.0",
     "morgan": "^1.10.1",
-    "pm2": "^6.0.14"
+    "pm2": "^6.0.14",
+    "response-time": "^2.3.2",
+    "serve-favicon": "^2.5.0"
   },
   "devDependencies": {
     "@biomejs/biome": "^2.4.2",

package/server.js

@@ -4,9 +4,14 @@ import fs from 'node:fs';
 import https from 'node:https';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
+import compression from 'compression';
+import cors from 'cors';
 import express from 'express';
 import proxy from 'express-http-proxy';
+import helmet from 'helmet';
 import morgan from 'morgan';
+import responseTime from 'response-time';
+import favicon from 'serve-favicon';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -361,6 +366,30 @@ configsByPort.forEach((portConfigs, p) => {
 
     console.log(`[host] ${siteHost} → :${p}`);
 
+    if (siteConfig.responseTime) {
+      const opts = typeof siteConfig.responseTime === 'object' ? siteConfig.responseTime : {};
+      router.use(responseTime(opts));
+    }
+
+    if (siteConfig.cors) {
+      const opts = typeof siteConfig.cors === 'object' ? siteConfig.cors : {};
+      router.use(cors(opts));
+    }
+
+    if (siteConfig.compression) {
+      const opts = typeof siteConfig.compression === 'object' ? siteConfig.compression : {};
+      router.use(compression(opts));
+    }
+
+    if (siteConfig.helmet) {
+      const opts = typeof siteConfig.helmet === 'object' ? siteConfig.helmet : {};
+      router.use(helmet(opts));
+    }
+
+    if (siteConfig.favicon) {
+      router.use(favicon(path.resolve(configDir, siteConfig.favicon)));
+    }
+
     if (siteConfig.headers) {
       router.use((_req, res, next) => {
         for (const h of Object.keys(siteConfig.headers)) res.setHeader(h, siteConfig.headers[h]);