npm - @middy/http-security-headers - Versions diffs - 3.0.0-alpha.1 → 3.0.0-alpha.5 - Mend

@middy/http-security-headers 3.0.0-alpha.1 → 3.0.0-alpha.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -36,18 +36,26 @@ To install this middleware you can use NPM:
 npm install --save @middy/http-security-headers
 ```
 ## Options
- - `dnsPrefetchControl` controls browser DNS prefetching
- - `expectCt` for handling Certificate Transparency (Future Feature)
- - `frameguard` to prevent clickjacking
- - `hidePoweredBy` to remove the Server/X-Powered-By header
- - `hsts` for HTTP Strict Transport Security
- - `ieNoOpen` sets X-Download-Options for IE8+
- - `noSniff` to keep clients from sniffing the MIME type
- - `referrerPolicy` to hide the Referer header
- - `xssFilter` adds some small XSS protections
+Setting an option to `false` to cause that rule to be ignored.
+### All Responses
+- `originAgentCluster`: Default to `{}` to include
+- `referrerPolicy`: Default to `{ policy: 'no-referrer' }`
+- `strictTransportSecurity`: Default to `{ maxAge: 15552000, includeSubDomains: true, preload: true }`
+- X-`dnsPrefetchControl`: Default to `{ allow: false }`
+- X-`downloadOptions`: Default to `{ action: 'noopen' }`
+- X-`poweredBy`: Default to `{ server: '' }` to remove `Server` and `X-Powered-By`
+- X-`contentTypeOptions`: Default to `{ action: 'nosniff' }`
+### HTML Responses
+- `contentSecurityPolicy`: Default to `{ 'default-src': "'none'", 'base-uri':"'none'", 'sandbox':'', 'form-action':"'none'", 'frame-ancestors':"'none'", 'navigate-to':"'none'", 'report-to':'csp', 'require-trusted-types-for':"'script'", 'trusted-types':"'none'", 'upgrade-insecure-requests':'' }`
+- `crossOriginEmbedderPolicy`: Default to `{ policy: 'require-corp' }`
+- `crossOriginOpenerPolicy`: Default to `{ policy: 'same-origin' }`
+- `crossOriginResourcePolicy`: Default to `{ policy: 'same-origin' }`
+- `permissionsPolicy`: Default to `{ *:'', ... }` where all allowed values are set to disable
+- `reportTo`: Defaults to `{ maxAge: 31536000, default: '', includeSubdomains: true, csp: '', staple:'', xss: '' }` which won't report by default, needs setting
+- X-`frameOptions`: Default to `{ action: 'deny' }`
+- X-`xssProtection`: Defaults to `{ reportUri: '' }'`
 ## Sample usage

package/index.d.ts CHANGED Viewed

@@ -4,32 +4,28 @@ interface Options {
   dnsPrefetchControl?: {
     allow?: boolean
   }
-  expectCT?: {
-    enforce?: boolean
-    maxAge?: number
-    reportUri?: string
-  }
-  frameguard?: {
+  frameOptions?: {
     action?: string
   }
-  hidePoweredBy?: {
-    setTo: string
+  poweredBy?: {
+    server: string
   }
-  hsts?: {
+  strictTransportSecurity?: {
     maxAge?: number
     includeSubDomains?: boolean
     preload?: boolean
   }
-  ieNoOpen?: {
+  downloadOptions?: {
     action?: string
   }
-  noSniff?: {
+  contentTypeOptions?: {
     action?: string
   }
+  originAgentCluster?: boolean
   referrerPolicy?: {
     policy?: string
   }
-  xssFilter?: {
+  xssProtection?: {
     reportUri?: string
   }
 }

package/index.js CHANGED Viewed

@@ -1,65 +1,154 @@
 import { normalizeHttpResponse } from '@middy/util';
 const defaults = {
-  dnsPrefetchControl: {
-    allow: false
+  contentSecurityPolicy: {
+    'default-src': "'none'",
+    'base-uri': "'none'",
+    sandbox: '',
+    'form-action': "'none'",
+    'frame-ancestors': "'none'",
+    'navigate-to': "'none'",
+    'report-to': 'csp',
+    'require-trusted-types-for': "'script'",
+    'trusted-types': "'none'",
+    'upgrade-insecure-requests': ''
   },
-  expectCT: {
-    enforce: true,
-    maxAge: 30,
-    reportUri: ''
+  contentTypeOptions: {
+    action: 'nosniff'
   },
-  frameguard: {
-    action: 'deny'
+  crossOriginEmbedderPolicy: {
+    policy: 'require-corp'
   },
-  hidePoweredBy: {
-    setTo: null
+  crossOriginOpenerPolicy: {
+    policy: 'same-origin'
   },
-  hsts: {
-    maxAge: 180 * 24 * 60 * 60,
-    includeSubDomains: true,
-    preload: true
+  crossOriginResourcePolicy: {
+    policy: 'same-origin'
   },
-  ieNoOpen: {
+  dnsPrefetchControl: {
+    allow: false
+  },
+  downloadOptions: {
     action: 'noopen'
   },
-  noSniff: {
-    action: 'nosniff'
+  frameOptions: {
+    action: 'deny'
+  },
+  originAgentCluster: {},
+  permissionsPolicy: {
+    accelerometer: '',
+    'ambient-light-sensor': '',
+    autoplay: '',
+    battery: '',
+    camera: '',
+    'cross-origin-isolated': '',
+    'display-capture': '',
+    'document-domain': '',
+    'encrypted-media': '',
+    'execution-while-not-rendered': '',
+    'execution-while-out-of-viewport': '',
+    fullscreen: '',
+    geolocation: '',
+    gyroscope: '',
+    'keyboard-map': '',
+    magnetometer: '',
+    microphone: '',
+    midi: '',
+    'navigation-override': '',
+    payment: '',
+    'picture-in-picture': '',
+    'publickey-credentials-get': '',
+    'screen-wake-lock': '',
+    'sync-xhr': '',
+    usb: '',
+    'web-share': '',
+    'xr-spatial-tracking': '',
+    'clipboard-read': '',
+    'clipboard-write': '',
+    gamepad: '',
+    'speaker-selection': '',
+    'conversion-measurement': '',
+    'focus-without-user-activation': '',
+    hid: '',
+    'idle-detection': '',
+    'interest-cohort': '',
+    serial: '',
+    'sync-script': '',
+    'trust-token-redemption': '',
+    'window-placement': '',
+    'vertical-scroll': ''
   },
   permittedCrossDomainPolicies: {
     policy: 'none'
   },
+  poweredBy: {
+    server: ''
+  },
   referrerPolicy: {
     policy: 'no-referrer'
   },
-  xssFilter: {
-    reportUri: ''
+  reportTo: {
+    maxAge: 365 * 24 * 60 * 60,
+    default: '',
+    includeSubdomains: true,
+    csp: '',
+    staple: '',
+    xss: ''
+  },
+  strictTransportSecurity: {
+    maxAge: 180 * 24 * 60 * 60,
+    includeSubDomains: true,
+    preload: true
+  },
+  xssProtection: {
+    reportTo: 'xss'
   }
 };
 const helmet = {};
 const helmetHtmlOnly = {};
-helmet.dnsPrefetchControl = (headers, config) => {
-  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
-  return headers;
+helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
+  let header = Object.keys(config).map(policy => config[policy] ? `${policy} ${config[policy]}` : '').filter(str => str).join('; ');
+  if (config.sandbox === '') {
+    header += '; sandbox';
+  }
+  if (config['upgrade-insecure-requests'] === '') {
+    header += '; upgrade-insecure-requests';
+  }
+  headers['Content-Security-Policy'] = header;
 };
-helmetHtmlOnly.frameguard = (headers, config) => {
-  headers['X-Frame-Options'] = config.action.toUpperCase();
-  return headers;
+helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config) => {
+  headers['Cross-Origin-Embedder-Policy'] = config.policy;
 };
-helmet.hidePoweredBy = (headers, config) => {
-  if (config.setTo) {
-    headers['X-Powered-By'] = config.setTo;
-  } else {
-    delete headers.Server;
-    delete headers['X-Powered-By'];
-  }
+helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config) => {
+  headers['Cross-Origin-Opener-Policy'] = config.policy;
+};
+helmetHtmlOnly.crossOriginResourcePolicy = (headers, config) => {
+  headers['Cross-Origin-Resource-Policy'] = config.policy;
+};
-  return headers;
+helmetHtmlOnly.permissionsPolicy = (headers, config) => {
+  headers['Permissions-Policy'] = Object.keys(config).map(policy => `${policy}=${policy === '*' ? '*' : `(${config[policy]})`}`).join(', ');
 };
-helmet.hsts = (headers, config) => {
+helmet.originAgentCluster = (headers, config) => {
+  headers['Origin-Agent-Cluster'] = '?1';
+};
+helmet.referrerPolicy = (headers, config) => {
+  headers['Referrer-Policy'] = config.policy;
+};
+helmetHtmlOnly.reportTo = (headers, config) => {
+  headers['Report-To'] = Object.keys(config).map(group => config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : ''} }` : '').filter(str => str).join(', ');
+};
+helmet.strictTransportSecurity = (headers, config) => {
   let header = 'max-age=' + Math.round(config.maxAge);
   if (config.includeSubDomains) {
@@ -71,38 +160,45 @@ helmet.hsts = (headers, config) => {
   }
   headers['Strict-Transport-Security'] = header;
-  return headers;
 };
-helmet.ieNoOpen = (headers, config) => {
-  headers['X-Download-Options'] = config.action;
-  return headers;
+helmet.contentTypeOptions = (headers, config) => {
+  headers['X-Content-Type-Options'] = config.action;
 };
-helmet.noSniff = (headers, config) => {
-  headers['X-Content-Type-Options'] = config.action;
-  return headers;
+helmet.dnsPrefetchControl = (headers, config) => {
+  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
 };
-helmet.referrerPolicy = (headers, config) => {
-  headers['Referrer-Policy'] = config.policy;
-  return headers;
+helmet.downloadOptions = (headers, config) => {
+  headers['X-Download-Options'] = config.action;
+};
+helmetHtmlOnly.frameOptions = (headers, config) => {
+  headers['X-Frame-Options'] = config.action.toUpperCase();
 };
 helmet.permittedCrossDomainPolicies = (headers, config) => {
   headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
-  return headers;
 };
-helmetHtmlOnly.xssFilter = (headers, config) => {
+helmet.poweredBy = (headers, config) => {
+  if (config.server) {
+    headers['X-Powered-By'] = config.server;
+  } else {
+    delete headers.Server;
+    delete headers['X-Powered-By'];
+  }
+};
+helmetHtmlOnly.xssProtection = (headers, config) => {
   let header = '1; mode=block';
-  if (config.reportUri) {
-    header += '; report=' + config.reportUri;
+  if (config.reportTo) {
+    header += '; report=' + config.reportTo;
   }
   headers['X-XSS-Protection'] = header;
-  return headers;
 };
 const httpSecurityHeadersMiddleware = (opts = {}) => {
@@ -115,18 +211,20 @@ const httpSecurityHeadersMiddleware = (opts = {}) => {
     normalizeHttpResponse(request);
     Object.keys(helmet).forEach(key => {
+      if (!options[key]) return;
       const config = { ...defaults[key],
         ...options[key]
       };
-      request.response.headers = helmet[key](request.response.headers, config);
+      helmet[key](request.response.headers, config);
     });
     if ((_request$response$hea = request.response.headers['Content-Type']) !== null && _request$response$hea !== void 0 && _request$response$hea.includes('text/html')) {
       Object.keys(helmetHtmlOnly).forEach(key => {
+        if (!options[key]) return;
         const config = { ...defaults[key],
           ...options[key]
         };
-        request.response.headers = helmetHtmlOnly[key](request.response.headers, config);
+        helmetHtmlOnly[key](request.response.headers, config);
       });
     }
   };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@middy/http-security-headers",
-  "version": "3.0.0-alpha.1",
+  "version": "3.0.0-alpha.5",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
   "type": "module",
   "engines": {
@@ -18,7 +18,8 @@
   ],
   "scripts": {
     "test": "npm run test:unit",
-    "test:unit": "ava"
+    "test:unit": "ava",
+    "test:benchmark": "node __benchmarks__/index.js"
   },
   "license": "MIT",
   "keywords": [
@@ -49,11 +50,11 @@
     "url": "https://github.com/middyjs/middy/issues"
   },
   "homepage": "https://github.com/middyjs/middy#readme",
-  "gitHead": "a14125c6b2e21b181824f9985a919a47f1e4711f",
+  "gitHead": "cf6a1b02a2e163bea353b10146d67e0d95ef8072",
   "dependencies": {
-    "@middy/util": "^3.0.0-alpha.1"
+    "@middy/util": "^3.0.0-alpha.5"
   },
   "devDependencies": {
-    "@middy/core": "^3.0.0-alpha.1"
+    "@middy/core": "^3.0.0-alpha.5"
   }
 }