npm - @middy/http-security-headers - Versions diffs - 3.0.0-alpha.3 → 3.0.0-alpha.4 - Mend

@middy/http-security-headers 3.0.0-alpha.3 → 3.0.0-alpha.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.js +91 -128
package/package.json +4 -4

package/index.js CHANGED Viewed

@@ -1,37 +1,13 @@
-import { normalizeHttpResponse } from '@middy/util'
-// Code and Defaults heavily based off https://helmetjs.github.io/
+import { normalizeHttpResponse } from '@middy/util';
 const defaults = {
   contentSecurityPolicy: {
-    // Fetch directives
-    // 'child-src': '', // fallback default-src
-    // 'connect-src': '', // fallback default-src
     'default-src': "'none'",
-    // 'font-src':'', // fallback default-src
-    // 'frame-src':'', // fallback child-src > default-src
-    // 'img-src':'', // fallback default-src
-    // 'manifest-src':'', // fallback default-src
-    // 'media-src':'', // fallback default-src
-    // 'object-src':'', // fallback default-src
-    // 'prefetch-src':'', // fallback default-src
-    // 'script-src':'', // fallback default-src
-    // 'script-src-elem':'', // fallback script-src > default-src
-    // 'script-src-attr':'', // fallback script-src > default-src
-    // 'style-src':'', // fallback default-src
-    // 'style-src-elem':'', // fallback style-src > default-src
-    // 'style-src-attr':'', // fallback style-src > default-src
-    // 'worker-src':'', // fallback child-src > script-src > default-src
-    // Document directives
     'base-uri': "'none'",
     sandbox: '',
-    // Navigation directives
     'form-action': "'none'",
     'frame-ancestors': "'none'",
     'navigate-to': "'none'",
-    // Reporting directives
     'report-to': 'csp',
-    // Other directives
     'require-trusted-types-for': "'script'",
     'trusted-types': "'none'",
     'upgrade-insecure-requests': ''
@@ -59,7 +35,6 @@ const defaults = {
   },
   originAgentCluster: {},
   permissionsPolicy: {
-    // Standard
     accelerometer: '',
     'ambient-light-sensor': '',
     autoplay: '',
@@ -87,12 +62,10 @@ const defaults = {
     usb: '',
     'web-share': '',
     'xr-spatial-tracking': '',
-    // Proposed
     'clipboard-read': '',
     'clipboard-write': '',
     gamepad: '',
     'speaker-selection': '',
-    // Experimental
     'conversion-measurement': '',
     'focus-without-user-activation': '',
     hid: '',
@@ -105,7 +78,7 @@ const defaults = {
     'vertical-scroll': ''
   },
   permittedCrossDomainPolicies: {
-    policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
+    policy: 'none'
   },
   poweredBy: {
     server: ''
@@ -129,152 +102,142 @@ const defaults = {
   xssProtection: {
     reportTo: 'xss'
   }
-}
-const helmet = {}
-const helmetHtmlOnly = {}
+};
+const helmet = {};
+const helmetHtmlOnly = {};
-// *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
-  let header = Object.keys(config)
-    .map(policy => config[policy] ? `${policy} ${config[policy]}` : '')
-    .filter(str => str)
-    .join('; ')
+  let header = Object.keys(config).map(policy => config[policy] ? `${policy} ${config[policy]}` : '').filter(str => str).join('; ');
   if (config.sandbox === '') {
-    header += '; sandbox'
+    header += '; sandbox';
   }
   if (config['upgrade-insecure-requests'] === '') {
-    header += '; upgrade-insecure-requests'
+    header += '; upgrade-insecure-requests';
   }
-  headers['Content-Security-Policy'] = header
-}
-// crossdomain - N/A - for Adobe products
+  headers['Content-Security-Policy'] = header;
+};
 helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config) => {
-  headers['Cross-Origin-Embedder-Policy'] = config.policy
-}
+  headers['Cross-Origin-Embedder-Policy'] = config.policy;
+};
 helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config) => {
-  headers['Cross-Origin-Opener-Policy'] = config.policy
-}
-helmetHtmlOnly.crossOriginResourcePolicy = (headers, config) => {
-  headers['Cross-Origin-Resource-Policy'] = config.policy
-}
+  headers['Cross-Origin-Opener-Policy'] = config.policy;
+};
-// expectCt - DEPRECATED
-// hpkp - DEPRECATED
+helmetHtmlOnly.crossOriginResourcePolicy = (headers, config) => {
+  headers['Cross-Origin-Resource-Policy'] = config.policy;
+};
-// https://www.permissionspolicy.com/
 helmetHtmlOnly.permissionsPolicy = (headers, config) => {
-  headers['Permissions-Policy'] = Object.keys(config)
-    .map(policy => `${policy}=${policy === '*' ? '*' : `(${config[policy]})`}`)
-    .join(', ')
-}
+  headers['Permissions-Policy'] = Object.keys(config).map(policy => `${policy}=${policy === '*' ? '*' : `(${config[policy]})`}`).join(', ');
+};
 helmet.originAgentCluster = (headers, config) => {
-  headers['Origin-Agent-Cluster'] = '?1'
-}
+  headers['Origin-Agent-Cluster'] = '?1';
+};
-// https://github.com/helmetjs/referrer-policy
 helmet.referrerPolicy = (headers, config) => {
-  headers['Referrer-Policy'] = config.policy
-}
+  headers['Referrer-Policy'] = config.policy;
+};
 helmetHtmlOnly.reportTo = (headers, config) => {
-  headers['Report-To'] = Object.keys(config)
-    .map(group => (config[group] && group !== 'includeSubdomains') ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : ''} }` : '')
-    .filter(str => str)
-    .join(', ')
-}
+  headers['Report-To'] = Object.keys(config).map(group => config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : ''} }` : '').filter(str => str).join(', ');
+};
-// https://github.com/helmetjs/hsts
 helmet.strictTransportSecurity = (headers, config) => {
-  let header = 'max-age=' + Math.round(config.maxAge)
+  let header = 'max-age=' + Math.round(config.maxAge);
   if (config.includeSubDomains) {
-    header += '; includeSubDomains'
+    header += '; includeSubDomains';
   }
   if (config.preload) {
-    header += '; preload'
+    header += '; preload';
   }
-  headers['Strict-Transport-Security'] = header
-}
-// noCache - N/A - separate middleware
+  headers['Strict-Transport-Security'] = header;
+};
-// X-* //
-// https://github.com/helmetjs/dont-sniff-mimetype
 helmet.contentTypeOptions = (headers, config) => {
-  headers['X-Content-Type-Options'] = config.action
-}
+  headers['X-Content-Type-Options'] = config.action;
+};
-// https://github.com/helmetjs/dns-Prefetch-control
 helmet.dnsPrefetchControl = (headers, config) => {
-  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off'
-}
+  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
+};
-// https://github.com/helmetjs/ienoopen
 helmet.downloadOptions = (headers, config) => {
-  headers['X-Download-Options'] = config.action
-}
+  headers['X-Download-Options'] = config.action;
+};
-// https://github.com/helmetjs/frameOptions
 helmetHtmlOnly.frameOptions = (headers, config) => {
-  headers['X-Frame-Options'] = config.action.toUpperCase()
-}
+  headers['X-Frame-Options'] = config.action.toUpperCase();
+};
-// https://github.com/helmetjs/crossdomain
 helmet.permittedCrossDomainPolicies = (headers, config) => {
-  headers['X-Permitted-Cross-Domain-Policies'] = config.policy
-}
+  headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
+};
-// https://github.com/helmetjs/hide-powered-by
 helmet.poweredBy = (headers, config) => {
   if (config.server) {
-    headers['X-Powered-By'] = config.server
+    headers['X-Powered-By'] = config.server;
   } else {
-    delete headers.Server
-    delete headers['X-Powered-By']
+    delete headers.Server;
+    delete headers['X-Powered-By'];
   }
-}
+};
-// https://github.com/helmetjs/x-xss-protection
 helmetHtmlOnly.xssProtection = (headers, config) => {
-  let header = '1; mode=block'
+  let header = '1; mode=block';
   if (config.reportTo) {
-    header += '; report=' + config.reportTo
+    header += '; report=' + config.reportTo;
   }
-  headers['X-XSS-Protection'] = header
-}
-const httpSecurityHeadersMiddleware = (opts = {}) => {
-  const options = { ...defaults, ...opts }
+  headers['X-XSS-Protection'] = header;
+};
-  const httpSecurityHeadersMiddlewareAfter = async (request) => {
-    normalizeHttpResponse(request)
+const httpSecurityHeadersMiddleware = (opts = {}) => {
+  const options = { ...defaults,
+    ...opts
+  };
+  const httpSecurityHeadersMiddlewareAfter = async request => {
+    var _request$response$hea;
+    normalizeHttpResponse(request);
+    Object.keys(helmet).forEach(key => {
+      if (!options[key]) return;
+      const config = { ...defaults[key],
+        ...options[key]
+      };
+      helmet[key](request.response.headers, config);
+    });
+    if ((_request$response$hea = request.response.headers['Content-Type']) !== null && _request$response$hea !== void 0 && _request$response$hea.includes('text/html')) {
+      Object.keys(helmetHtmlOnly).forEach(key => {
+        if (!options[key]) return;
+        const config = { ...defaults[key],
+          ...options[key]
+        };
+        helmetHtmlOnly[key](request.response.headers, config);
+      });
+    }
+  };
-    Object.keys(helmet).forEach((key) => {
-      if (!options[key]) return
-      const config = { ...defaults[key], ...options[key] }
-      helmet[key](request.response.headers, config)
-    })
+  const httpSecurityHeadersMiddlewareOnError = async request => {
+    if (request.response === undefined) return;
+    return httpSecurityHeadersMiddlewareAfter(request);
+  };
-    if (request.response.headers['Content-Type']?.includes('text/html')) {
-      Object.keys(helmetHtmlOnly).forEach((key) => {
-        if (!options[key]) return
-        const config = { ...defaults[key], ...options[key] }
-        helmetHtmlOnly[key](
-          request.response.headers,
-          config
-        )
-      })
-    }
-  }
-  const httpSecurityHeadersMiddlewareOnError = async (request) => {
-    if (request.response === undefined) return
-    return httpSecurityHeadersMiddlewareAfter(request)
-  }
   return {
     after: httpSecurityHeadersMiddlewareAfter,
     onError: httpSecurityHeadersMiddlewareOnError
-  }
-}
-export default httpSecurityHeadersMiddleware
+  };
+};
+export default httpSecurityHeadersMiddleware;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@middy/http-security-headers",
-  "version": "3.0.0-alpha.3",
+  "version": "3.0.0-alpha.4",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
   "type": "module",
   "engines": {
@@ -50,11 +50,11 @@
     "url": "https://github.com/middyjs/middy/issues"
   },
   "homepage": "https://github.com/middyjs/middy#readme",
-  "gitHead": "1441158711580313765e6d156046ef0fade0d156",
+  "gitHead": "d4bea7f4e21f6a9bbb1f6f6908361169598b9e53",
   "dependencies": {
-    "@middy/util": "^3.0.0-alpha.3"
+    "@middy/util": "^3.0.0-alpha.4"
   },
   "devDependencies": {
-    "@middy/core": "^3.0.0-alpha.3"
+    "@middy/core": "^3.0.0-alpha.4"
   }
 }