@middy/http-security-headers 2.5.1 → 3.0.0-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4)
  1. package/LICENSE +1 -1
  2. package/README.md +1 -1
  3. package/package.json +7 -7
  4. package/index.js +0 -162
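--- a/package/LICENSE
+++ b/package/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2017-2021 Luciano Mammino, will Farrell and the [Middy team](https://github.com/middyjs/middy/graphs/contributors)
+Copyright (c) 2017-2022 Luciano Mammino, will Farrell and the [Middy team](https://github.com/middyjs/middy/graphs/contributors)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal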
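--- a/package/README.md
+++ b/package/README.md
@@ -77,7 +77,7 @@ Everyone is very welcome to contribute to this repository. Feel free to [raise i
 
 ## License
 
-Licensed under [MIT License](LICENSE). Copyright (c) 2017-2021 Luciano Mammino, will Farrell, and the [Middy team](https://github.com/middyjs/middy/graphs/contributors).
+Licensed under [MIT License](LICENSE). Copyright (c) 2017-2022 Luciano Mammino, will Farrell, and the [Middy team](https://github.com/middyjs/middy/graphs/contributors).
 
 <a href="https://app.fossa.io/projects/git%2Bgithub.com%2Fmiddyjs%2Fmiddy?ref=badge_large">
 <img src="https://app.fossa.io/api/projects/git%2Bgithub.com%2Fmiddyjs%2Fmiddy.svg?type=large" alt="FOSSA Status" style="max-width:100%;">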
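--- a/package/package.json
+++ b/package/package.json
@@ -1,16 +1,16 @@
 {
 "name": "@middy/http-security-headers",
-"version": "2.5.1",
+"version": "3.0.0-alpha.0",
 "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
-"type": "commonjs",
+"type": "module",
 "engines": {
-"node": ">=12"
+"node": ">=14"
 },
 "engineStrict": true,
 "publishConfig": {
 "access": "public"
 },
-"main": "index.js",
+"exports": "./index.js",
 "types": "index.d.ts",
 "files": [
 "index.d.ts"
@@ -48,11 +48,11 @@
 "url": "https://github.com/middyjs/middy/issues"
 },
 "homepage": "https://github.com/middyjs/middy#readme",
-"gitHead": "df18e5eff7d73492a96a2ca4780a2eae45d1cedb",
+"gitHead": "c533f62841c8a39d061d7b94f30ba178f002c8db",
 "dependencies": {
-"@middy/util": "^2.5.1"
+"@middy/util": "^3.0.0-alpha.0"
 },
 "devDependencies": {
-"@middy/core": "^2.5.1"
+"@middy/core": "^3.0.0-alpha.0"
 }
 }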
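Review bot: `"exports": "./index.js"` on the new side points at a file this release no longer ships: the file list shows package/index.js as deleted and no file is added, so unless the registry listing omits an added file, resolving the package at runtime would fail with a module-not-found error. `"types": "index.d.ts"` is unchanged and the `"files"` array, which continues past the end of the first hunk, still lists only `index.d.ts` where visible. Switching `"type"` to `"module"` and raising `"engines.node"` to `>=14` is a breaking change for CommonJS consumers; it matches the major version bump but should be stated in the release notes. Confirm the published tarball actually contains index.js before promoting this beyond an alpha.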
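--- a/package/index.js
+++ b/package/index.js
@@ -1,162 +0,0 @@
-"use strict";
-
-const {
-normalizeHttpResponse
-} = require('@middy/util'); // Code and Defaults heavily based off https://helmetjs.github.io/
-
-
-const defaults = {
-dnsPrefetchControl: {
-allow: false
-},
-expectCT: {
-enforce: true,
-maxAge: 30,
-reportUri: ''
-},
-frameguard: {
-action: 'deny'
-},
-hidePoweredBy: {
-setTo: null
-},
-hsts: {
-maxAge: 180 * 24 * 60 * 60,
-includeSubDomains: true,
-preload: true
-},
-ieNoOpen: {
-action: 'noopen'
-},
-noSniff: {
-action: 'nosniff'
-},
-permittedCrossDomainPolicies: {
-policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
-
-},
-referrerPolicy: {
-policy: 'no-referrer'
-},
-xssFilter: {
-reportUri: ''
-}
-};
-const helmet = {};
-const helmetHtmlOnly = {}; // contentSecurityPolicy - N/A - no HTML
-// featurePolicy - N/A - no HTML
-// crossdomain - N/A - For Adobe products
-// https://github.com/helmetjs/dns-Prefetch-control
-
-helmet.dnsPrefetchControl = (headers, config) => {
-headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
-return headers;
-}; // expectCt - in-progress spec
-// https://github.com/helmetjs/frameguard
-
-
-helmetHtmlOnly.frameguard = (headers, config) => {
-headers['X-Frame-Options'] = config.action.toUpperCase();
-return headers;
-}; // https://github.com/helmetjs/hide-powered-by
-
-
-helmet.hidePoweredBy = (headers, config) => {
-if (config.setTo) {
-headers['X-Powered-By'] = config.setTo;
-} else {
-Reflect.deleteProperty(headers, 'Server');
-Reflect.deleteProperty(headers, 'X-Powered-By');
-}
-
-return headers;
-}; // hpkp - deprecated
-// https://github.com/helmetjs/hsts
-
-
-helmet.hsts = (headers, config) => {
-let header = 'max-age=' + Math.round(config.maxAge);
-
-if (config.includeSubDomains) {
-header += '; includeSubDomains';
-}
-
-if (config.preload) {
-header += '; preload';
-}
-
-headers['Strict-Transport-Security'] = header;
-return headers;
-}; // https://github.com/helmetjs/ienoopen
-
-
-helmet.ieNoOpen = (headers, config) => {
-headers['X-Download-Options'] = config.action;
-return headers;
-}; // noCache - N/A - separate middleware
-// https://github.com/helmetjs/dont-sniff-mimetype
-
-
-helmet.noSniff = (headers, config) => {
-headers['X-Content-Type-Options'] = config.action;
-return headers;
-}; // https://github.com/helmetjs/referrer-policy
-
-
-helmet.referrerPolicy = (headers, config) => {
-headers['Referrer-Policy'] = config.policy;
-return headers;
-}; // https://github.com/helmetjs/crossdomain
-
-
-helmet.permittedCrossDomainPolicies = (headers, config) => {
-headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
-return headers;
-}; // https://github.com/helmetjs/x-xss-protection
-
-
-helmetHtmlOnly.xssFilter = (headers, config) => {
-let header = '1; mode=block';
-
-if (config.reportUri) {
-header += '; report=' + config.reportUri;
-}
-
-headers['X-XSS-Protection'] = header;
-return headers;
-};
-
-const httpSecurityHeadersMiddleware = (opts = {}) => {
-const options = { ...defaults,
-...opts
-};
-
-const httpSecurityHeadersMiddlewareAfter = async request => {
-var _request$response$hea, _request$response$hea2;
-
-request.response = normalizeHttpResponse(request.response);
-Object.keys(helmet).forEach(key => {
-const config = { ...defaults[key],
-...options[key]
-};
-request.response.headers = helmet[key](request.response.headers, config);
-});
-
-if ((_request$response$hea = request.response.headers) !== null && _request$response$hea !== void 0 && (_request$response$hea2 = _request$response$hea['Content-Type']) !== null && _request$response$hea2 !== void 0 && _request$response$hea2.includes('text/html')) {
-Object.keys(helmetHtmlOnly).forEach(key => {
-const config = { ...defaults[key],
-...options[key]
-};
-request.response.headers = helmetHtmlOnly[key](request.response.headers, config);
-});
-}
-};
-
-const httpSecurityHeadersMiddlewareOnError = httpSecurityHeadersMiddlewareAfter;
-return {
-after: httpSecurityHeadersMiddlewareAfter,
-onError: httpSecurityHeadersMiddlewareOnError
-};
-};
-
-module.exports = httpSecurityHeadersMiddleware;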