@middy/http-security-headers 2.5.6 → 2.5.7

package/index.js

@@ -1,6 +1,9 @@
-const { normalizeHttpResponse } = require('@middy/util')
+"use strict";
+
+const {
+  normalizeHttpResponse
+} = require('@middy/util'); // Code and Defaults heavily based off https://helmetjs.github.io/
 
-// Code and Defaults heavily based off https://helmetjs.github.io/
 
 const defaults = {
   // contentDisposition: {
@@ -33,6 +36,7 @@ const defaults = {
   },
   permittedCrossDomainPolicies: {
     policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
+
   },
   referrerPolicy: {
     policy: 'no-referrer'
@@ -40,126 +44,128 @@ const defaults = {
   xssFilter: {
     reportUri: ''
   }
-}
-
-const helmet = {}
-const helmetHtmlOnly = {}
-
-// OWASP ASVS 14.4.2
+};
+const helmet = {};
+const helmetHtmlOnly = {}; // OWASP ASVS 14.4.2
 // API Gateway strips out this header :(
 // helmet.content = (headers, config) => {
 //   const filename = config.filename ?? `api.${headers?.['Content-Type'].split(/[/;]/)[1] ?? 'json'}`
 //   headers['Content-Disposition'] = `attachment; filename="${filename}"`
 // }
-
 // contentSecurityPolicy - N/A - no HTML
 // featurePolicy - N/A - no HTML
-
 // crossdomain - N/A - For Adobe products
-
 // https://github.com/helmetjs/dns-Prefetch-control
+
 helmet.dnsPrefetchControl = (headers, config) => {
-  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off'
-  return headers
-}
+  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
+  return headers;
+}; // expectCt - in-progress spec
+// https://github.com/helmetjs/frameguard
 
-// expectCt - in-progress spec
 
-// https://github.com/helmetjs/frameguard
 helmetHtmlOnly.frameguard = (headers, config) => {
-  headers['X-Frame-Options'] = config.action.toUpperCase()
-  return headers
-}
+  headers['X-Frame-Options'] = config.action.toUpperCase();
+  return headers;
+}; // https://github.com/helmetjs/hide-powered-by
+
 
-// https://github.com/helmetjs/hide-powered-by
 helmet.hidePoweredBy = (headers, config) => {
   if (config.setTo) {
-    headers['X-Powered-By'] = config.setTo
+    headers['X-Powered-By'] = config.setTo;
   } else {
-    Reflect.deleteProperty(headers, 'Server')
-    Reflect.deleteProperty(headers, 'X-Powered-By')
+    Reflect.deleteProperty(headers, 'Server');
+    Reflect.deleteProperty(headers, 'X-Powered-By');
   }
-  return headers
-}
-
-// hpkp - deprecated
 
+  return headers;
+}; // hpkp - deprecated
 // https://github.com/helmetjs/hsts
+
+
 helmet.hsts = (headers, config) => {
-  let header = 'max-age=' + Math.round(config.maxAge)
+  let header = 'max-age=' + Math.round(config.maxAge);
+
   if (config.includeSubDomains) {
-    header += '; includeSubDomains'
+    header += '; includeSubDomains';
   }
+
   if (config.preload) {
-    header += '; preload'
+    header += '; preload';
   }
-  headers['Strict-Transport-Security'] = header
-  return headers
-}
 
-// https://github.com/helmetjs/ienoopen
-helmet.ieNoOpen = (headers, config) => {
-  headers['X-Download-Options'] = config.action
-  return headers
-}
+  headers['Strict-Transport-Security'] = header;
+  return headers;
+}; // https://github.com/helmetjs/ienoopen
 
-// noCache - N/A - separate middleware
 
+helmet.ieNoOpen = (headers, config) => {
+  headers['X-Download-Options'] = config.action;
+  return headers;
+}; // noCache - N/A - separate middleware
 // https://github.com/helmetjs/dont-sniff-mimetype
+
+
 helmet.noSniff = (headers, config) => {
-  headers['X-Content-Type-Options'] = config.action
-  return headers
-}
+  headers['X-Content-Type-Options'] = config.action;
+  return headers;
+}; // https://github.com/helmetjs/referrer-policy
+
 
-// https://github.com/helmetjs/referrer-policy
 helmet.referrerPolicy = (headers, config) => {
-  headers['Referrer-Policy'] = config.policy
-  return headers
-}
+  headers['Referrer-Policy'] = config.policy;
+  return headers;
+}; // https://github.com/helmetjs/crossdomain
+
 
-// https://github.com/helmetjs/crossdomain
 helmet.permittedCrossDomainPolicies = (headers, config) => {
-  headers['X-Permitted-Cross-Domain-Policies'] = config.policy
-  return headers
-}
+  headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
+  return headers;
+}; // https://github.com/helmetjs/x-xss-protection
+
 
-// https://github.com/helmetjs/x-xss-protection
 helmetHtmlOnly.xssFilter = (headers, config) => {
-  let header = '1; mode=block'
+  let header = '1; mode=block';
+
   if (config.reportUri) {
-    header += '; report=' + config.reportUri
+    header += '; report=' + config.reportUri;
   }
-  headers['X-XSS-Protection'] = header
-  return headers
-}
+
+  headers['X-XSS-Protection'] = header;
+  return headers;
+};
 
 const httpSecurityHeadersMiddleware = (opts = {}) => {
-  const options = { ...defaults, ...opts }
-
-  const httpSecurityHeadersMiddlewareAfter = async (request) => {
-    request.response = normalizeHttpResponse(request.response)
-
-    Object.keys(helmet).forEach((key) => {
-      const config = { ...defaults[key], ...options[key] }
-      request.response.headers = helmet[key](request.response.headers, config)
-    })
-
-    if (request.response.headers?.['Content-Type']?.includes('text/html')) {
-      Object.keys(helmetHtmlOnly).forEach((key) => {
-        const config = { ...defaults[key], ...options[key] }
-        request.response.headers = helmetHtmlOnly[key](
-          request.response.headers,
-          config
-        )
-      })
+  const options = { ...defaults,
+    ...opts
+  };
+
+  const httpSecurityHeadersMiddlewareAfter = async request => {
+    var _request$response$hea, _request$response$hea2;
+
+    request.response = normalizeHttpResponse(request.response);
+    Object.keys(helmet).forEach(key => {
+      const config = { ...defaults[key],
+        ...options[key]
+      };
+      request.response.headers = helmet[key](request.response.headers, config);
+    });
+
+    if ((_request$response$hea = request.response.headers) !== null && _request$response$hea !== void 0 && (_request$response$hea2 = _request$response$hea['Content-Type']) !== null && _request$response$hea2 !== void 0 && _request$response$hea2.includes('text/html')) {
+      Object.keys(helmetHtmlOnly).forEach(key => {
+        const config = { ...defaults[key],
+          ...options[key]
+        };
+        request.response.headers = helmetHtmlOnly[key](request.response.headers, config);
+      });
     }
-  }
-
-  const httpSecurityHeadersMiddlewareOnError = httpSecurityHeadersMiddlewareAfter
+  };
 
+  const httpSecurityHeadersMiddlewareOnError = httpSecurityHeadersMiddlewareAfter;
   return {
     after: httpSecurityHeadersMiddlewareAfter,
     onError: httpSecurityHeadersMiddlewareOnError
-  }
-}
-module.exports = httpSecurityHeadersMiddleware
+  };
+};
+
+module.exports = httpSecurityHeadersMiddleware;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@middy/http-security-headers",
-  "version": "2.5.6",
+  "version": "2.5.7",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
   "type": "commonjs",
   "engines": {
@@ -48,11 +48,11 @@
     "url": "https://github.com/middyjs/middy/issues"
   },
   "homepage": "https://github.com/middyjs/middy#readme",
-  "gitHead": "0c789f55b4adf691f977b0d9904d1a805bb3bb2b",
+  "gitHead": "3983c4b138e1a4d7fcb3ed805d3b8832fff06fc1",
   "dependencies": {
-    "@middy/util": "^2.5.6"
+    "@middy/util": "^2.5.7"
   },
   "devDependencies": {
-    "@middy/core": "^2.5.6"
+    "@middy/core": "^2.5.7"
   }
 }