npm - @middy/http-security-headers - Versions diffs - 2.5.6 → 3.0.0-alpha.3 - Mend

@middy/http-security-headers 2.5.6 → 3.0.0-alpha.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/LICENSE CHANGED Viewed

@@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2017-2021 Luciano Mammino, will Farrell and the [Middy team](https://github.com/middyjs/middy/graphs/contributors)
+Copyright (c) 2017-2022 Luciano Mammino, will Farrell and the [Middy team](https://github.com/middyjs/middy/graphs/contributors)
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md CHANGED Viewed

@@ -36,18 +36,26 @@ To install this middleware you can use NPM:
 npm install --save @middy/http-security-headers
 ```
 ## Options
- - `dnsPrefetchControl` controls browser DNS prefetching
- - `expectCt` for handling Certificate Transparency (Future Feature)
- - `frameguard` to prevent clickjacking
- - `hidePoweredBy` to remove the Server/X-Powered-By header
- - `hsts` for HTTP Strict Transport Security
- - `ieNoOpen` sets X-Download-Options for IE8+
- - `noSniff` to keep clients from sniffing the MIME type
- - `referrerPolicy` to hide the Referer header
- - `xssFilter` adds some small XSS protections
+Setting an option to `false` to cause that rule to be ignored.
+### All Responses
+- `originAgentCluster`: Default to `{}` to include
+- `referrerPolicy`: Default to `{ policy: 'no-referrer' }`
+- `strictTransportSecurity`: Default to `{ maxAge: 15552000, includeSubDomains: true, preload: true }`
+- X-`dnsPrefetchControl`: Default to `{ allow: false }`
+- X-`downloadOptions`: Default to `{ action: 'noopen' }`
+- X-`poweredBy`: Default to `{ server: '' }` to remove `Server` and `X-Powered-By`
+- X-`contentTypeOptions`: Default to `{ action: 'nosniff' }`
+### HTML Responses
+- `contentSecurityPolicy`: Default to `{ 'default-src': "'none'", 'base-uri':"'none'", 'sandbox':'', 'form-action':"'none'", 'frame-ancestors':"'none'", 'navigate-to':"'none'", 'report-to':'csp', 'require-trusted-types-for':"'script'", 'trusted-types':"'none'", 'upgrade-insecure-requests':'' }`
+- `crossOriginEmbedderPolicy`: Default to `{ policy: 'require-corp' }`
+- `crossOriginOpenerPolicy`: Default to `{ policy: 'same-origin' }`
+- `crossOriginResourcePolicy`: Default to `{ policy: 'same-origin' }`
+- `permissionsPolicy`: Default to `{ *:'', ... }` where all allowed values are set to disable
+- `reportTo`: Defaults to `{ maxAge: 31536000, default: '', includeSubdomains: true, csp: '', staple:'', xss: '' }` which won't report by default, needs setting
+- X-`frameOptions`: Default to `{ action: 'deny' }`
+- X-`xssProtection`: Defaults to `{ reportUri: '' }'`
 ## Sample usage
@@ -77,7 +85,7 @@ Everyone is very welcome to contribute to this repository. Feel free to [raise i
 ## License
-Licensed under [MIT License](LICENSE). Copyright (c) 2017-2021 Luciano Mammino, will Farrell, and the [Middy team](https://github.com/middyjs/middy/graphs/contributors).
+Licensed under [MIT License](LICENSE). Copyright (c) 2017-2022 Luciano Mammino, will Farrell, and the [Middy team](https://github.com/middyjs/middy/graphs/contributors).
 <a href="https://app.fossa.io/projects/git%2Bgithub.com%2Fmiddyjs%2Fmiddy?ref=badge_large">
   <img src="https://app.fossa.io/api/projects/git%2Bgithub.com%2Fmiddyjs%2Fmiddy.svg?type=large" alt="FOSSA Status"  style="max-width:100%;">

package/index.d.ts CHANGED Viewed

@@ -4,32 +4,28 @@ interface Options {
   dnsPrefetchControl?: {
     allow?: boolean
   }
-  expectCT?: {
-    enforce?: boolean
-    maxAge?: number
-    reportUri?: string
-  }
-  frameguard?: {
+  frameOptions?: {
     action?: string
   }
-  hidePoweredBy?: {
-    setTo: string
+  poweredBy?: {
+    server: string
   }
-  hsts?: {
+  strictTransportSecurity?: {
     maxAge?: number
     includeSubDomains?: boolean
     preload?: boolean
   }
-  ieNoOpen?: {
+  downloadOptions?: {
     action?: string
   }
-  noSniff?: {
+  contentTypeOptions?: {
     action?: string
   }
+  originAgentCluster?: boolean
   referrerPolicy?: {
     policy?: string
   }
-  xssFilter?: {
+  xssProtection?: {
     reportUri?: string
   }
 }

package/index.js CHANGED Viewed

@@ -1,91 +1,193 @@
-const { normalizeHttpResponse } = require('@middy/util')
+import { normalizeHttpResponse } from '@middy/util'
 // Code and Defaults heavily based off https://helmetjs.github.io/
 const defaults = {
-  // contentDisposition: {
-  //   filename: undefined
-  // },
-  dnsPrefetchControl: {
-    allow: false
+  contentSecurityPolicy: {
+    // Fetch directives
+    // 'child-src': '', // fallback default-src
+    // 'connect-src': '', // fallback default-src
+    'default-src': "'none'",
+    // 'font-src':'', // fallback default-src
+    // 'frame-src':'', // fallback child-src > default-src
+    // 'img-src':'', // fallback default-src
+    // 'manifest-src':'', // fallback default-src
+    // 'media-src':'', // fallback default-src
+    // 'object-src':'', // fallback default-src
+    // 'prefetch-src':'', // fallback default-src
+    // 'script-src':'', // fallback default-src
+    // 'script-src-elem':'', // fallback script-src > default-src
+    // 'script-src-attr':'', // fallback script-src > default-src
+    // 'style-src':'', // fallback default-src
+    // 'style-src-elem':'', // fallback style-src > default-src
+    // 'style-src-attr':'', // fallback style-src > default-src
+    // 'worker-src':'', // fallback child-src > script-src > default-src
+    // Document directives
+    'base-uri': "'none'",
+    sandbox: '',
+    // Navigation directives
+    'form-action': "'none'",
+    'frame-ancestors': "'none'",
+    'navigate-to': "'none'",
+    // Reporting directives
+    'report-to': 'csp',
+    // Other directives
+    'require-trusted-types-for': "'script'",
+    'trusted-types': "'none'",
+    'upgrade-insecure-requests': ''
   },
-  expectCT: {
-    enforce: true,
-    maxAge: 30,
-    reportUri: ''
+  contentTypeOptions: {
+    action: 'nosniff'
   },
-  frameguard: {
-    action: 'deny'
+  crossOriginEmbedderPolicy: {
+    policy: 'require-corp'
   },
-  hidePoweredBy: {
-    setTo: null
+  crossOriginOpenerPolicy: {
+    policy: 'same-origin'
   },
-  hsts: {
-    maxAge: 180 * 24 * 60 * 60,
-    includeSubDomains: true,
-    preload: true
+  crossOriginResourcePolicy: {
+    policy: 'same-origin'
+  },
+  dnsPrefetchControl: {
+    allow: false
   },
-  ieNoOpen: {
+  downloadOptions: {
     action: 'noopen'
   },
-  noSniff: {
-    action: 'nosniff'
+  frameOptions: {
+    action: 'deny'
+  },
+  originAgentCluster: {},
+  permissionsPolicy: {
+    // Standard
+    accelerometer: '',
+    'ambient-light-sensor': '',
+    autoplay: '',
+    battery: '',
+    camera: '',
+    'cross-origin-isolated': '',
+    'display-capture': '',
+    'document-domain': '',
+    'encrypted-media': '',
+    'execution-while-not-rendered': '',
+    'execution-while-out-of-viewport': '',
+    fullscreen: '',
+    geolocation: '',
+    gyroscope: '',
+    'keyboard-map': '',
+    magnetometer: '',
+    microphone: '',
+    midi: '',
+    'navigation-override': '',
+    payment: '',
+    'picture-in-picture': '',
+    'publickey-credentials-get': '',
+    'screen-wake-lock': '',
+    'sync-xhr': '',
+    usb: '',
+    'web-share': '',
+    'xr-spatial-tracking': '',
+    // Proposed
+    'clipboard-read': '',
+    'clipboard-write': '',
+    gamepad: '',
+    'speaker-selection': '',
+    // Experimental
+    'conversion-measurement': '',
+    'focus-without-user-activation': '',
+    hid: '',
+    'idle-detection': '',
+    'interest-cohort': '',
+    serial: '',
+    'sync-script': '',
+    'trust-token-redemption': '',
+    'window-placement': '',
+    'vertical-scroll': ''
   },
   permittedCrossDomainPolicies: {
     policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
   },
+  poweredBy: {
+    server: ''
+  },
   referrerPolicy: {
     policy: 'no-referrer'
   },
-  xssFilter: {
-    reportUri: ''
+  reportTo: {
+    maxAge: 365 * 24 * 60 * 60,
+    default: '',
+    includeSubdomains: true,
+    csp: '',
+    staple: '',
+    xss: ''
+  },
+  strictTransportSecurity: {
+    maxAge: 180 * 24 * 60 * 60,
+    includeSubDomains: true,
+    preload: true
+  },
+  xssProtection: {
+    reportTo: 'xss'
   }
 }
 const helmet = {}
 const helmetHtmlOnly = {}
-// OWASP ASVS 14.4.2
-// API Gateway strips out this header :(
-// helmet.content = (headers, config) => {
-//   const filename = config.filename ?? `api.${headers?.['Content-Type'].split(/[/;]/)[1] ?? 'json'}`
-//   headers['Content-Disposition'] = `attachment; filename="${filename}"`
-// }
-// contentSecurityPolicy - N/A - no HTML
-// featurePolicy - N/A - no HTML
+// *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
+  let header = Object.keys(config)
+    .map(policy => config[policy] ? `${policy} ${config[policy]}` : '')
+    .filter(str => str)
+    .join('; ')
+  if (config.sandbox === '') {
+    header += '; sandbox'
+  }
+  if (config['upgrade-insecure-requests'] === '') {
+    header += '; upgrade-insecure-requests'
+  }
+  headers['Content-Security-Policy'] = header
+}
+// crossdomain - N/A - for Adobe products
+helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config) => {
+  headers['Cross-Origin-Embedder-Policy'] = config.policy
+}
+helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config) => {
+  headers['Cross-Origin-Opener-Policy'] = config.policy
+}
+helmetHtmlOnly.crossOriginResourcePolicy = (headers, config) => {
+  headers['Cross-Origin-Resource-Policy'] = config.policy
+}
-// crossdomain - N/A - For Adobe products
+// expectCt - DEPRECATED
+// hpkp - DEPRECATED
-// https://github.com/helmetjs/dns-Prefetch-control
-helmet.dnsPrefetchControl = (headers, config) => {
-  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off'
-  return headers
+// https://www.permissionspolicy.com/
+helmetHtmlOnly.permissionsPolicy = (headers, config) => {
+  headers['Permissions-Policy'] = Object.keys(config)
+    .map(policy => `${policy}=${policy === '*' ? '*' : `(${config[policy]})`}`)
+    .join(', ')
 }
-// expectCt - in-progress spec
-// https://github.com/helmetjs/frameguard
-helmetHtmlOnly.frameguard = (headers, config) => {
-  headers['X-Frame-Options'] = config.action.toUpperCase()
-  return headers
+helmet.originAgentCluster = (headers, config) => {
+  headers['Origin-Agent-Cluster'] = '?1'
 }
-// https://github.com/helmetjs/hide-powered-by
-helmet.hidePoweredBy = (headers, config) => {
-  if (config.setTo) {
-    headers['X-Powered-By'] = config.setTo
-  } else {
-    Reflect.deleteProperty(headers, 'Server')
-    Reflect.deleteProperty(headers, 'X-Powered-By')
-  }
-  return headers
+// https://github.com/helmetjs/referrer-policy
+helmet.referrerPolicy = (headers, config) => {
+  headers['Referrer-Policy'] = config.policy
 }
-// hpkp - deprecated
+helmetHtmlOnly.reportTo = (headers, config) => {
+  headers['Report-To'] = Object.keys(config)
+    .map(group => (config[group] && group !== 'includeSubdomains') ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : ''} }` : '')
+    .filter(str => str)
+    .join(', ')
+}
 // https://github.com/helmetjs/hsts
-helmet.hsts = (headers, config) => {
+helmet.strictTransportSecurity = (headers, config) => {
   let header = 'max-age=' + Math.round(config.maxAge)
   if (config.includeSubDomains) {
     header += '; includeSubDomains'
@@ -94,72 +196,85 @@ helmet.hsts = (headers, config) => {
     header += '; preload'
   }
   headers['Strict-Transport-Security'] = header
-  return headers
-}
-// https://github.com/helmetjs/ienoopen
-helmet.ieNoOpen = (headers, config) => {
-  headers['X-Download-Options'] = config.action
-  return headers
 }
 // noCache - N/A - separate middleware
+// X-* //
 // https://github.com/helmetjs/dont-sniff-mimetype
-helmet.noSniff = (headers, config) => {
+helmet.contentTypeOptions = (headers, config) => {
   headers['X-Content-Type-Options'] = config.action
-  return headers
 }
-// https://github.com/helmetjs/referrer-policy
-helmet.referrerPolicy = (headers, config) => {
-  headers['Referrer-Policy'] = config.policy
-  return headers
+// https://github.com/helmetjs/dns-Prefetch-control
+helmet.dnsPrefetchControl = (headers, config) => {
+  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off'
+}
+// https://github.com/helmetjs/ienoopen
+helmet.downloadOptions = (headers, config) => {
+  headers['X-Download-Options'] = config.action
+}
+// https://github.com/helmetjs/frameOptions
+helmetHtmlOnly.frameOptions = (headers, config) => {
+  headers['X-Frame-Options'] = config.action.toUpperCase()
 }
 // https://github.com/helmetjs/crossdomain
 helmet.permittedCrossDomainPolicies = (headers, config) => {
   headers['X-Permitted-Cross-Domain-Policies'] = config.policy
-  return headers
+}
+// https://github.com/helmetjs/hide-powered-by
+helmet.poweredBy = (headers, config) => {
+  if (config.server) {
+    headers['X-Powered-By'] = config.server
+  } else {
+    delete headers.Server
+    delete headers['X-Powered-By']
+  }
 }
 // https://github.com/helmetjs/x-xss-protection
-helmetHtmlOnly.xssFilter = (headers, config) => {
+helmetHtmlOnly.xssProtection = (headers, config) => {
   let header = '1; mode=block'
-  if (config.reportUri) {
-    header += '; report=' + config.reportUri
+  if (config.reportTo) {
+    header += '; report=' + config.reportTo
   }
   headers['X-XSS-Protection'] = header
-  return headers
 }
 const httpSecurityHeadersMiddleware = (opts = {}) => {
   const options = { ...defaults, ...opts }
   const httpSecurityHeadersMiddlewareAfter = async (request) => {
-    request.response = normalizeHttpResponse(request.response)
+    normalizeHttpResponse(request)
     Object.keys(helmet).forEach((key) => {
+      if (!options[key]) return
       const config = { ...defaults[key], ...options[key] }
-      request.response.headers = helmet[key](request.response.headers, config)
+      helmet[key](request.response.headers, config)
     })
-    if (request.response.headers?.['Content-Type']?.includes('text/html')) {
+    if (request.response.headers['Content-Type']?.includes('text/html')) {
       Object.keys(helmetHtmlOnly).forEach((key) => {
+        if (!options[key]) return
         const config = { ...defaults[key], ...options[key] }
-        request.response.headers = helmetHtmlOnly[key](
+        helmetHtmlOnly[key](
           request.response.headers,
           config
         )
       })
     }
   }
-  const httpSecurityHeadersMiddlewareOnError = httpSecurityHeadersMiddlewareAfter
+  const httpSecurityHeadersMiddlewareOnError = async (request) => {
+    if (request.response === undefined) return
+    return httpSecurityHeadersMiddlewareAfter(request)
+  }
   return {
     after: httpSecurityHeadersMiddlewareAfter,
     onError: httpSecurityHeadersMiddlewareOnError
   }
 }
-module.exports = httpSecurityHeadersMiddleware
+export default httpSecurityHeadersMiddleware

package/package.json CHANGED Viewed

@@ -1,23 +1,25 @@
 {
   "name": "@middy/http-security-headers",
-  "version": "2.5.6",
+  "version": "3.0.0-alpha.3",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
-  "type": "commonjs",
+  "type": "module",
   "engines": {
-    "node": ">=12"
+    "node": ">=14"
   },
   "engineStrict": true,
   "publishConfig": {
     "access": "public"
   },
-  "main": "index.js",
+  "exports": "./index.js",
   "types": "index.d.ts",
   "files": [
+    "index.js",
     "index.d.ts"
   ],
   "scripts": {
     "test": "npm run test:unit",
-    "test:unit": "ava"
+    "test:unit": "ava",
+    "test:benchmark": "node __benchmarks__/index.js"
   },
   "license": "MIT",
   "keywords": [
@@ -48,11 +50,11 @@
     "url": "https://github.com/middyjs/middy/issues"
   },
   "homepage": "https://github.com/middyjs/middy#readme",
-  "gitHead": "0c789f55b4adf691f977b0d9904d1a805bb3bb2b",
+  "gitHead": "1441158711580313765e6d156046ef0fade0d156",
   "dependencies": {
-    "@middy/util": "^2.5.6"
+    "@middy/util": "^3.0.0-alpha.3"
   },
   "devDependencies": {
-    "@middy/core": "^2.5.6"
+    "@middy/core": "^3.0.0-alpha.3"
   }
 }