npm - @lwrjs/security - Versions diffs - 0.15.0-alpha.8 → 0.15.0 - Mend

@lwrjs/security 0.15.0-alpha.8 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/build/cjs/headers.cjs CHANGED Viewed

@@ -30,6 +30,10 @@ var import_shared_utils = __toModule(require("@lwrjs/shared-utils"));
 var import_content_security_policy = __toModule(require("./headers/content-security-policy.cjs"));
 var import_referrer_policy = __toModule(require("./headers/referrer-policy.cjs"));
 var import_strict_transport_security = __toModule(require("./headers/strict-transport-security.cjs"));
+var import_diagnostics = __toModule(require("@lwrjs/diagnostics"));
+var import_util = __toModule(require("util"));
+var CSP_HEADER_NAME = "content-security-policy";
+var MAX_HEADER_SIZE = 4096;
 function getResources(viewDefinition) {
   const {viewRecord} = viewDefinition;
   const resources = [];
@@ -75,9 +79,6 @@ async function getResourceHashes(viewResponse) {
   }
   return hashes;
 }
-function normalizeHeaders(headers = {}) {
-  return Object.fromEntries(Object.entries(headers).map(([key, value]) => [key.toLowerCase(), value]));
-}
 function normalizeOptions(options = {}) {
   for (const [option, value] of Object.entries(options)) {
     if (value === true) {
@@ -88,23 +89,31 @@ function normalizeOptions(options = {}) {
 }
 async function resolveHeaders(viewResponse, options) {
   options = normalizeOptions(options);
-  const headers = normalizeHeaders(viewResponse.headers);
+  const headers = (0, import_shared_utils.normalizeHeaders)(viewResponse.headers);
   if (options.contentSecurityPolicy === void 0 || typeof options.contentSecurityPolicy === "object") {
-    const headerName = options.contentSecurityPolicy?.reportOnly ? "content-security-policy-report-only" : "content-security-policy";
+    const headerName = options.contentSecurityPolicy?.reportOnly ? "content-security-policy-report-only" : CSP_HEADER_NAME;
     let hashes = [];
     if (options.contentSecurityPolicy?.resourceHashing === void 0) {
       hashes = await getResourceHashes(viewResponse);
     }
     headers[headerName] = (0, import_content_security_policy.default)(headers[headerName], options.contentSecurityPolicy, hashes);
+    const size = byteSize(headers[headerName]);
+    if (size > MAX_HEADER_SIZE) {
+      import_diagnostics.logger.warn(`[security] Header "${headerName}" size (${size}) exceeds the recommended limit of ${MAX_HEADER_SIZE}.`);
+    }
   }
   if (typeof options.contentSecurityPolicy === "string") {
     const parsedOptions = {
       directives: options.contentSecurityPolicy,
       useDefault: false
     };
-    const headerName = "content-security-policy";
+    const headerName = CSP_HEADER_NAME;
     const hashes = await getResourceHashes(viewResponse);
     headers[headerName] = (0, import_content_security_policy.default)(headers[headerName], parsedOptions, hashes);
+    const size = byteSize(headers[headerName]);
+    if (size > MAX_HEADER_SIZE) {
+      import_diagnostics.logger.warn(`[security] Header "${headerName}" size (${size}) exceeds the recommended limit of ${MAX_HEADER_SIZE}.`);
+    }
   }
   if (options.referrerPolicy === void 0 || typeof options.referrerPolicy === "object") {
     const headerName = "referrer-policy";
@@ -140,3 +149,6 @@ async function resolveHeaders(viewResponse, options) {
   }
   return headers;
 }
+function byteSize(str) {
+  return str ? new import_util.TextEncoder().encode(str).length : 0;
+}

package/build/es/headers.js CHANGED Viewed

@@ -1,7 +1,12 @@
-import { createIntegrityHash, getFeatureFlags, streamToString } from '@lwrjs/shared-utils';
+import { createIntegrityHash, getFeatureFlags, streamToString, normalizeHeaders } from '@lwrjs/shared-utils';
 import contentSecurityPolicy from './headers/content-security-policy.js';
 import referrerPolicy from './headers/referrer-policy.js';
 import strictTransportSecurity from './headers/strict-transport-security.js';
+import { logger } from '@lwrjs/diagnostics';
+import { TextEncoder } from 'util';
+const CSP_HEADER_NAME = 'content-security-policy';
+// Recommend CSP header should be < than 4k.  There is a 10k MAX for all headers on AWS API gateway.
+const MAX_HEADER_SIZE = 4096;
 function getResources(viewDefinition) {
     const { viewRecord } = viewDefinition;
     const resources = [];
@@ -51,9 +56,6 @@ async function getResourceHashes(viewResponse) {
     }
     return hashes;
 }
-function normalizeHeaders(headers = {}) {
-    return Object.fromEntries(Object.entries(headers).map(([key, value]) => [key.toLowerCase(), value]));
-}
 function normalizeOptions(options = {}) {
     for (const [option, value] of Object.entries(options)) {
         // true values are the same as undefined
@@ -69,21 +71,31 @@ export async function resolveHeaders(viewResponse, options) {
     if (options.contentSecurityPolicy === undefined || typeof options.contentSecurityPolicy === 'object') {
         const headerName = options.contentSecurityPolicy?.reportOnly
             ? 'content-security-policy-report-only'
-            : 'content-security-policy';
+            : CSP_HEADER_NAME;
         let hashes = [];
         if (options.contentSecurityPolicy?.resourceHashing === undefined) {
             hashes = await getResourceHashes(viewResponse);
         }
         headers[headerName] = contentSecurityPolicy(headers[headerName], options.contentSecurityPolicy, hashes);
+        // Warn if the header size is greater than the recommended limit
+        const size = byteSize(headers[headerName]);
+        if (size > MAX_HEADER_SIZE) {
+            logger.warn(`[security] Header "${headerName}" size (${size}) exceeds the recommended limit of ${MAX_HEADER_SIZE}.`);
+        }
     }
     if (typeof options.contentSecurityPolicy === 'string') {
         const parsedOptions = {
             directives: options.contentSecurityPolicy,
             useDefault: false,
         };
-        const headerName = 'content-security-policy';
+        const headerName = CSP_HEADER_NAME;
         const hashes = await getResourceHashes(viewResponse);
         headers[headerName] = contentSecurityPolicy(headers[headerName], parsedOptions, hashes);
+        // Warn if the header size is greater than the recommended limit
+        const size = byteSize(headers[headerName]);
+        if (size > MAX_HEADER_SIZE) {
+            logger.warn(`[security] Header "${headerName}" size (${size}) exceeds the recommended limit of ${MAX_HEADER_SIZE}.`);
+        }
     }
     if (options.referrerPolicy === undefined || typeof options.referrerPolicy === 'object') {
         const headerName = 'referrer-policy';
@@ -125,4 +137,8 @@ export async function resolveHeaders(viewResponse, options) {
     }
     return headers;
 }
+// Get number of bytes from a string.  Different char encodings can effect size per char.
+function byteSize(str) {
+    return str ? new TextEncoder().encode(str).length : 0;
+}
 //# sourceMappingURL=headers.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@lwrjs/security",
-    "version": "0.15.0-alpha.8",
+    "version": "0.15.0",
     "license": "MIT",
     "type": "module",
     "types": "build/es/index.d.ts",
@@ -32,13 +32,14 @@
         "build": "tsc -b"
     },
     "dependencies": {
-        "@lwrjs/shared-utils": "0.15.0-alpha.8"
+        "@lwrjs/diagnostics": "0.15.0",
+        "@lwrjs/shared-utils": "0.15.0"
     },
     "devDependencies": {
-        "@lwrjs/types": "0.15.0-alpha.8"
+        "@lwrjs/types": "0.15.0"
     },
     "engines": {
         "node": ">=18.0.0"
     },
-    "gitHead": "79fa28a99f3d89eca6a254c53a2a944778203ef2"
+    "gitHead": "ee374df435d5342f63e4da126a09461e761837f3"
 }