npm - @middy/http-security-headers - Versions diffs - 2.5.5 → 2.5.6 - Mend

@middy/http-security-headers 2.5.5 → 2.5.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.js +80 -86
package/package.json +4 -4

package/index.js CHANGED Viewed

@@ -1,9 +1,6 @@
-"use strict";
-const {
-  normalizeHttpResponse
-} = require('@middy/util'); // Code and Defaults heavily based off https://helmetjs.github.io/
+const { normalizeHttpResponse } = require('@middy/util')
+// Code and Defaults heavily based off https://helmetjs.github.io/
 const defaults = {
   // contentDisposition: {
@@ -36,7 +33,6 @@ const defaults = {
   },
   permittedCrossDomainPolicies: {
     policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
   },
   referrerPolicy: {
     policy: 'no-referrer'
@@ -44,128 +40,126 @@ const defaults = {
   xssFilter: {
     reportUri: ''
   }
-};
-const helmet = {};
-const helmetHtmlOnly = {}; // OWASP ASVS 14.4.2
+}
+const helmet = {}
+const helmetHtmlOnly = {}
+// OWASP ASVS 14.4.2
 // API Gateway strips out this header :(
 // helmet.content = (headers, config) => {
 //   const filename = config.filename ?? `api.${headers?.['Content-Type'].split(/[/;]/)[1] ?? 'json'}`
 //   headers['Content-Disposition'] = `attachment; filename="${filename}"`
 // }
 // contentSecurityPolicy - N/A - no HTML
 // featurePolicy - N/A - no HTML
 // crossdomain - N/A - For Adobe products
-// https://github.com/helmetjs/dns-Prefetch-control
+// https://github.com/helmetjs/dns-Prefetch-control
 helmet.dnsPrefetchControl = (headers, config) => {
-  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
-  return headers;
-}; // expectCt - in-progress spec
-// https://github.com/helmetjs/frameguard
+  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off'
+  return headers
+}
+// expectCt - in-progress spec
+// https://github.com/helmetjs/frameguard
 helmetHtmlOnly.frameguard = (headers, config) => {
-  headers['X-Frame-Options'] = config.action.toUpperCase();
-  return headers;
-}; // https://github.com/helmetjs/hide-powered-by
+  headers['X-Frame-Options'] = config.action.toUpperCase()
+  return headers
+}
+// https://github.com/helmetjs/hide-powered-by
 helmet.hidePoweredBy = (headers, config) => {
   if (config.setTo) {
-    headers['X-Powered-By'] = config.setTo;
+    headers['X-Powered-By'] = config.setTo
   } else {
-    Reflect.deleteProperty(headers, 'Server');
-    Reflect.deleteProperty(headers, 'X-Powered-By');
+    Reflect.deleteProperty(headers, 'Server')
+    Reflect.deleteProperty(headers, 'X-Powered-By')
   }
+  return headers
+}
-  return headers;
-}; // hpkp - deprecated
-// https://github.com/helmetjs/hsts
+// hpkp - deprecated
+// https://github.com/helmetjs/hsts
 helmet.hsts = (headers, config) => {
-  let header = 'max-age=' + Math.round(config.maxAge);
+  let header = 'max-age=' + Math.round(config.maxAge)
   if (config.includeSubDomains) {
-    header += '; includeSubDomains';
+    header += '; includeSubDomains'
   }
   if (config.preload) {
-    header += '; preload';
+    header += '; preload'
   }
+  headers['Strict-Transport-Security'] = header
+  return headers
+}
-  headers['Strict-Transport-Security'] = header;
-  return headers;
-}; // https://github.com/helmetjs/ienoopen
+// https://github.com/helmetjs/ienoopen
 helmet.ieNoOpen = (headers, config) => {
-  headers['X-Download-Options'] = config.action;
-  return headers;
-}; // noCache - N/A - separate middleware
-// https://github.com/helmetjs/dont-sniff-mimetype
+  headers['X-Download-Options'] = config.action
+  return headers
+}
+// noCache - N/A - separate middleware
+// https://github.com/helmetjs/dont-sniff-mimetype
 helmet.noSniff = (headers, config) => {
-  headers['X-Content-Type-Options'] = config.action;
-  return headers;
-}; // https://github.com/helmetjs/referrer-policy
+  headers['X-Content-Type-Options'] = config.action
+  return headers
+}
+// https://github.com/helmetjs/referrer-policy
 helmet.referrerPolicy = (headers, config) => {
-  headers['Referrer-Policy'] = config.policy;
-  return headers;
-}; // https://github.com/helmetjs/crossdomain
+  headers['Referrer-Policy'] = config.policy
+  return headers
+}
+// https://github.com/helmetjs/crossdomain
 helmet.permittedCrossDomainPolicies = (headers, config) => {
-  headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
-  return headers;
-}; // https://github.com/helmetjs/x-xss-protection
+  headers['X-Permitted-Cross-Domain-Policies'] = config.policy
+  return headers
+}
+// https://github.com/helmetjs/x-xss-protection
 helmetHtmlOnly.xssFilter = (headers, config) => {
-  let header = '1; mode=block';
+  let header = '1; mode=block'
   if (config.reportUri) {
-    header += '; report=' + config.reportUri;
+    header += '; report=' + config.reportUri
   }
-  headers['X-XSS-Protection'] = header;
-  return headers;
-};
+  headers['X-XSS-Protection'] = header
+  return headers
+}
 const httpSecurityHeadersMiddleware = (opts = {}) => {
-  const options = { ...defaults,
-    ...opts
-  };
-  const httpSecurityHeadersMiddlewareAfter = async request => {
-    var _request$response$hea, _request$response$hea2;
-    request.response = normalizeHttpResponse(request.response);
-    Object.keys(helmet).forEach(key => {
-      const config = { ...defaults[key],
-        ...options[key]
-      };
-      request.response.headers = helmet[key](request.response.headers, config);
-    });
-    if ((_request$response$hea = request.response.headers) !== null && _request$response$hea !== void 0 && (_request$response$hea2 = _request$response$hea['Content-Type']) !== null && _request$response$hea2 !== void 0 && _request$response$hea2.includes('text/html')) {
-      Object.keys(helmetHtmlOnly).forEach(key => {
-        const config = { ...defaults[key],
-          ...options[key]
-        };
-        request.response.headers = helmetHtmlOnly[key](request.response.headers, config);
-      });
+  const options = { ...defaults, ...opts }
+  const httpSecurityHeadersMiddlewareAfter = async (request) => {
+    request.response = normalizeHttpResponse(request.response)
+    Object.keys(helmet).forEach((key) => {
+      const config = { ...defaults[key], ...options[key] }
+      request.response.headers = helmet[key](request.response.headers, config)
+    })
+    if (request.response.headers?.['Content-Type']?.includes('text/html')) {
+      Object.keys(helmetHtmlOnly).forEach((key) => {
+        const config = { ...defaults[key], ...options[key] }
+        request.response.headers = helmetHtmlOnly[key](
+          request.response.headers,
+          config
+        )
+      })
     }
-  };
+  }
+  const httpSecurityHeadersMiddlewareOnError = httpSecurityHeadersMiddlewareAfter
-  const httpSecurityHeadersMiddlewareOnError = httpSecurityHeadersMiddlewareAfter;
   return {
     after: httpSecurityHeadersMiddlewareAfter,
     onError: httpSecurityHeadersMiddlewareOnError
-  };
-};
-module.exports = httpSecurityHeadersMiddleware;
+  }
+}
+module.exports = httpSecurityHeadersMiddleware

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@middy/http-security-headers",
-  "version": "2.5.5",
+  "version": "2.5.6",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
   "type": "commonjs",
   "engines": {
@@ -48,11 +48,11 @@
     "url": "https://github.com/middyjs/middy/issues"
   },
   "homepage": "https://github.com/middyjs/middy#readme",
-  "gitHead": "b84840ec8afd289f6decfd0d645be4899051792d",
+  "gitHead": "0c789f55b4adf691f977b0d9904d1a805bb3bb2b",
   "dependencies": {
-    "@middy/util": "^2.5.5"
+    "@middy/util": "^2.5.6"
   },
   "devDependencies": {
-    "@middy/core": "^2.5.5"
+    "@middy/core": "^2.5.6"
   }
 }