npm - @middy/http-security-headers - Versions diffs - 2.5.2 → 3.0.0-alpha.1 - Mend

@middy/http-security-headers 2.5.2 → 3.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/LICENSE CHANGED Viewed

@@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2017-2021 Luciano Mammino, will Farrell and the [Middy team](https://github.com/middyjs/middy/graphs/contributors)
+Copyright (c) 2017-2022 Luciano Mammino, will Farrell and the [Middy team](https://github.com/middyjs/middy/graphs/contributors)
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md CHANGED Viewed

@@ -77,7 +77,7 @@ Everyone is very welcome to contribute to this repository. Feel free to [raise i
 ## License
-Licensed under [MIT License](LICENSE). Copyright (c) 2017-2021 Luciano Mammino, will Farrell, and the [Middy team](https://github.com/middyjs/middy/graphs/contributors).
+Licensed under [MIT License](LICENSE). Copyright (c) 2017-2022 Luciano Mammino, will Farrell, and the [Middy team](https://github.com/middyjs/middy/graphs/contributors).
 <a href="https://app.fossa.io/projects/git%2Bgithub.com%2Fmiddyjs%2Fmiddy?ref=badge_large">
   <img src="https://app.fossa.io/api/projects/git%2Bgithub.com%2Fmiddyjs%2Fmiddy.svg?type=large" alt="FOSSA Status"  style="max-width:100%;">

package/index.js CHANGED Viewed

@@ -1,14 +1,5 @@
-"use strict";
-const {
-  normalizeHttpResponse
-} = require('@middy/util'); // Code and Defaults heavily based off https://helmetjs.github.io/
+import { normalizeHttpResponse } from '@middy/util';
 const defaults = {
-  // contentDisposition: {
-  //   filename: undefined
-  // },
   dnsPrefetchControl: {
     allow: false
   },
@@ -35,8 +26,7 @@ const defaults = {
     action: 'nosniff'
   },
   permittedCrossDomainPolicies: {
-    policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
+    policy: 'none'
   },
   referrerPolicy: {
     policy: 'no-referrer'
@@ -46,42 +36,28 @@ const defaults = {
   }
 };
 const helmet = {};
-const helmetHtmlOnly = {}; // OWASP ASVS 14.4.2
-// API Gateway strips out this header :(
-// helmet.content = (headers, config) => {
-//   const filename = config.filename ?? `api.${headers?.['Content-Type'].split(/[/;]/)[1] ?? 'json'}`
-//   headers['Content-Disposition'] = `attachment; filename="${filename}"`
-// }
-// contentSecurityPolicy - N/A - no HTML
-// featurePolicy - N/A - no HTML
-// crossdomain - N/A - For Adobe products
-// https://github.com/helmetjs/dns-Prefetch-control
+const helmetHtmlOnly = {};
 helmet.dnsPrefetchControl = (headers, config) => {
   headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
   return headers;
-}; // expectCt - in-progress spec
-// https://github.com/helmetjs/frameguard
+};
 helmetHtmlOnly.frameguard = (headers, config) => {
   headers['X-Frame-Options'] = config.action.toUpperCase();
   return headers;
-}; // https://github.com/helmetjs/hide-powered-by
+};
 helmet.hidePoweredBy = (headers, config) => {
   if (config.setTo) {
     headers['X-Powered-By'] = config.setTo;
   } else {
-    Reflect.deleteProperty(headers, 'Server');
-    Reflect.deleteProperty(headers, 'X-Powered-By');
+    delete headers.Server;
+    delete headers['X-Powered-By'];
   }
   return headers;
-}; // hpkp - deprecated
-// https://github.com/helmetjs/hsts
+};
 helmet.hsts = (headers, config) => {
   let header = 'max-age=' + Math.round(config.maxAge);
@@ -96,33 +72,27 @@ helmet.hsts = (headers, config) => {
   headers['Strict-Transport-Security'] = header;
   return headers;
-}; // https://github.com/helmetjs/ienoopen
+};
 helmet.ieNoOpen = (headers, config) => {
   headers['X-Download-Options'] = config.action;
   return headers;
-}; // noCache - N/A - separate middleware
-// https://github.com/helmetjs/dont-sniff-mimetype
+};
 helmet.noSniff = (headers, config) => {
   headers['X-Content-Type-Options'] = config.action;
   return headers;
-}; // https://github.com/helmetjs/referrer-policy
+};
 helmet.referrerPolicy = (headers, config) => {
   headers['Referrer-Policy'] = config.policy;
   return headers;
-}; // https://github.com/helmetjs/crossdomain
+};
 helmet.permittedCrossDomainPolicies = (headers, config) => {
   headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
   return headers;
-}; // https://github.com/helmetjs/x-xss-protection
+};
 helmetHtmlOnly.xssFilter = (headers, config) => {
   let header = '1; mode=block';
@@ -141,9 +111,9 @@ const httpSecurityHeadersMiddleware = (opts = {}) => {
   };
   const httpSecurityHeadersMiddlewareAfter = async request => {
-    var _request$response$hea, _request$response$hea2;
+    var _request$response$hea;
-    request.response = normalizeHttpResponse(request.response);
+    normalizeHttpResponse(request);
     Object.keys(helmet).forEach(key => {
       const config = { ...defaults[key],
         ...options[key]
@@ -151,7 +121,7 @@ const httpSecurityHeadersMiddleware = (opts = {}) => {
       request.response.headers = helmet[key](request.response.headers, config);
     });
-    if ((_request$response$hea = request.response.headers) !== null && _request$response$hea !== void 0 && (_request$response$hea2 = _request$response$hea['Content-Type']) !== null && _request$response$hea2 !== void 0 && _request$response$hea2.includes('text/html')) {
+    if ((_request$response$hea = request.response.headers['Content-Type']) !== null && _request$response$hea !== void 0 && _request$response$hea.includes('text/html')) {
       Object.keys(helmetHtmlOnly).forEach(key => {
         const config = { ...defaults[key],
           ...options[key]
@@ -161,11 +131,15 @@ const httpSecurityHeadersMiddleware = (opts = {}) => {
     }
   };
-  const httpSecurityHeadersMiddlewareOnError = httpSecurityHeadersMiddlewareAfter;
+  const httpSecurityHeadersMiddlewareOnError = async request => {
+    if (request.response === undefined) return;
+    return httpSecurityHeadersMiddlewareAfter(request);
+  };
   return {
     after: httpSecurityHeadersMiddlewareAfter,
     onError: httpSecurityHeadersMiddlewareOnError
   };
 };
-module.exports = httpSecurityHeadersMiddleware;
+export default httpSecurityHeadersMiddleware;

package/package.json CHANGED Viewed

@@ -1,18 +1,19 @@
 {
   "name": "@middy/http-security-headers",
-  "version": "2.5.2",
+  "version": "3.0.0-alpha.1",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
-  "type": "commonjs",
+  "type": "module",
   "engines": {
-    "node": ">=12"
+    "node": ">=14"
   },
   "engineStrict": true,
   "publishConfig": {
     "access": "public"
   },
-  "main": "index.js",
+  "exports": "./index.js",
   "types": "index.d.ts",
   "files": [
+    "index.js",
     "index.d.ts"
   ],
   "scripts": {
@@ -48,11 +49,11 @@
     "url": "https://github.com/middyjs/middy/issues"
   },
   "homepage": "https://github.com/middyjs/middy#readme",
-  "gitHead": "a2bb757a7a13638ae64277f8eecfcf11c1af17d4",
+  "gitHead": "a14125c6b2e21b181824f9985a919a47f1e4711f",
   "dependencies": {
-    "@middy/util": "^2.5.2"
+    "@middy/util": "^3.0.0-alpha.1"
   },
   "devDependencies": {
-    "@middy/core": "^2.5.2"
+    "@middy/core": "^3.0.0-alpha.1"
   }
 }