npm - @middy/http-security-headers - Versions diffs - 3.0.0-alpha.3 → 3.0.0-alpha.7 - Mend

@middy/http-security-headers 3.0.0-alpha.3 → 3.0.0-alpha.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,27 +1,37 @@
-# Middy http-security-headers middleware
-<div align="center">
-  <img alt="Middy logo" src="https://raw.githubusercontent.com/middyjs/middy/main/docs/img/middy-logo.png"/>
-</div>
 <div align="center">
+  <h1>Middy http-security-headers middleware</h1>
+  <img alt="Middy logo" src="https://raw.githubusercontent.com/middyjs/middy/main/docs/img/middy-logo.svg"/>
   <p><strong>HTTP security headers middleware for the middy framework, the stylish Node.js middleware engine for AWS Lambda</strong></p>
   <p>Applies best practice security headers to responses. It's a simplified port of [HelmetJS](https://helmetjs.github.io/). See HelmetJS documentation for more details.</p>
-</div>
-<div align="center">
 <p>
-  <a href="http://badge.fury.io/js/%40middy%2Fhttp-security-headers">
+  <a href="https://www.npmjs.com/package/@middy/http-security-headers?activeTab=versions">
     <img src="https://badge.fury.io/js/%40middy%2Fhttp-security-headers.svg" alt="npm version" style="max-width:100%;">
   </a>
+  <a href="https://packagephobia.com/result?p=@middy/http-security-headers">
+    <img src="https://packagephobia.com/badge?p=@middy/http-security-headers" alt="npm install size" style="max-width:100%;">
+  </a>
+  <a href="https://github.com/middyjs/middy/actions">
+    <img src="https://github.com/middyjs/middy/workflows/Tests/badge.svg" alt="GitHub Actions test status badge" style="max-width:100%;">
+  </a>
+  <br/>
+   <a href="https://standardjs.com/">
+    <img src="https://img.shields.io/badge/code_style-standard-brightgreen.svg" alt="Standard Code Style"  style="max-width:100%;">
+  </a>
   <a href="https://snyk.io/test/github/middyjs/middy">
     <img src="https://snyk.io/test/github/middyjs/middy/badge.svg" alt="Known Vulnerabilities" data-canonical-src="https://snyk.io/test/github/middyjs/middy" style="max-width:100%;">
   </a>
-  <a href="https://standardjs.com/">
-    <img src="https://img.shields.io/badge/code_style-standard-brightgreen.svg" alt="Standard Code Style"  style="max-width:100%;">
+  <a href="https://lgtm.com/projects/g/middyjs/middy/context:javascript">
+    <img src="https://img.shields.io/lgtm/grade/javascript/g/middyjs/middy.svg?logo=lgtm&logoWidth=18" alt="Language grade: JavaScript" style="max-width:100%;">
+  </a>
+  <a href="https://bestpractices.coreinfrastructure.org/projects/5280">
+    <img src="https://bestpractices.coreinfrastructure.org/projects/5280/badge" alt="Core Infrastructure Initiative (CII) Best Practices"  style="max-width:100%;">
   </a>
+  <br/>
   <a href="https://gitter.im/middyjs/Lobby">
-    <img src="https://badges.gitter.im/gitterHQ/gitter.svg" alt="Chat on Gitter"  style="max-width:100%;">
+    <img src="https://badges.gitter.im/gitterHQ/gitter.svg" alt="Chat on Gitter" style="max-width:100%;">
+  </a>
+  <a href="https://stackoverflow.com/questions/tagged/middy?sort=Newest&uqlId=35052">
+    <img src="https://img.shields.io/badge/StackOverflow-[middy]-yellow" alt="Ask questions on StackOverflow" style="max-width:100%;">
   </a>
 </p>
 </div>

package/index.js CHANGED Viewed

@@ -1,280 +1,3 @@
-import { normalizeHttpResponse } from '@middy/util'
+import{normalizeHttpResponse}from'@middy/util';const defaults={contentSecurityPolicy:{'default-src':"'none'",'base-uri':"'none'",sandbox:'','form-action':"'none'",'frame-ancestors':"'none'",'navigate-to':"'none'",'report-to':'csp','require-trusted-types-for':"'script'",'trusted-types':"'none'",'upgrade-insecure-requests':''},contentTypeOptions:{action:'nosniff'},crossOriginEmbedderPolicy:{policy:'require-corp'},crossOriginOpenerPolicy:{policy:'same-origin'},crossOriginResourcePolicy:{policy:'same-origin'},dnsPrefetchControl:{allow:false},downloadOptions:{action:'noopen'},frameOptions:{action:'deny'},originAgentCluster:{},permissionsPolicy:{accelerometer:'','ambient-light-sensor':'',autoplay:'',battery:'',camera:'','cross-origin-isolated':'','display-capture':'','document-domain':'','encrypted-media':'','execution-while-not-rendered':'','execution-while-out-of-viewport':'',fullscreen:'',geolocation:'',gyroscope:'','keyboard-map':'',magnetometer:'',microphone:'',midi:'','navigation-override':'',payment:'','picture-in-picture':'','publickey-credentials-get':'','screen-wake-lock':'','sync-xhr':'',usb:'','web-share':'','xr-spatial-tracking':'','clipboard-read':'','clipboard-write':'',gamepad:'','speaker-selection':'','conversion-measurement':'','focus-without-user-activation':'',hid:'','idle-detection':'','interest-cohort':'',serial:'','sync-script':'','trust-token-redemption':'','window-placement':'','vertical-scroll':''},permittedCrossDomainPolicies:{policy:'none'},poweredBy:{server:''},referrerPolicy:{policy:'no-referrer'},reportTo:{maxAge:365*24*60*60,default:'',includeSubdomains:true,csp:'',staple:'',xss:''},strictTransportSecurity:{maxAge:180*24*60*60,includeSubDomains:true,preload:true},xssProtection:{reportTo:'xss'}};const helmet={};const helmetHtmlOnly={};helmetHtmlOnly.contentSecurityPolicy=(headers,config)=>{let header=Object.keys(config).map(policy=>config[policy]?`${policy} ${config[policy]}`:'').filter(str=>str).join('; ');if(config.sandbox===''){header+='; sandbox'}if(config['upgrade-insecure-requests']===''){header+='; upgrade-insecure-requests'}headers['Content-Security-Policy']=header};helmetHtmlOnly.crossOriginEmbedderPolicy=(headers,config)=>{headers['Cross-Origin-Embedder-Policy']=config.policy};helmetHtmlOnly.crossOriginOpenerPolicy=(headers,config)=>{headers['Cross-Origin-Opener-Policy']=config.policy};helmetHtmlOnly.crossOriginResourcePolicy=(headers,config)=>{headers['Cross-Origin-Resource-Policy']=config.policy};helmetHtmlOnly.permissionsPolicy=(headers,config)=>{headers['Permissions-Policy']=Object.keys(config).map(policy=>`${policy}=${config[policy]==='*'?'*':`(${config[policy]})`}`).join(', ')};helmet.originAgentCluster=(headers,config)=>{headers['Origin-Agent-Cluster']='?1'};helmet.referrerPolicy=(headers,config)=>{headers['Referrer-Policy']=config.policy};helmetHtmlOnly.reportTo=(headers,config)=>{headers['Report-To']=Object.keys(config).map(group=>config[group]&&group!=='includeSubdomains'?`{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${group==='default'?`, "include_subdomains": ${config.includeSubdomains}`:''} }`:'').filter(str=>str).join(', ')};helmet.strictTransportSecurity=(headers,config)=>{let header='max-age='+Math.round(config.maxAge);if(config.includeSubDomains){header+='; includeSubDomains'}if(config.preload){header+='; preload'}headers['Strict-Transport-Security']=header};helmet.contentTypeOptions=(headers,config)=>{headers['X-Content-Type-Options']=config.action};helmet.dnsPrefetchControl=(headers,config)=>{headers['X-DNS-Prefetch-Control']=config.allow?'on':'off'};helmet.downloadOptions=(headers,config)=>{headers['X-Download-Options']=config.action};helmetHtmlOnly.frameOptions=(headers,config)=>{headers['X-Frame-Options']=config.action.toUpperCase()};helmet.permittedCrossDomainPolicies=(headers,config)=>{headers['X-Permitted-Cross-Domain-Policies']=config.policy};helmet.poweredBy=(headers,config)=>{if(config.server){headers['X-Powered-By']=config.server}else{delete headers.Server;delete headers['X-Powered-By']}};helmetHtmlOnly.xssProtection=(headers,config)=>{let header='1; mode=block';if(config.reportTo){header+='; report='+config.reportTo}headers['X-XSS-Protection']=header};const httpSecurityHeadersMiddleware=(opts={})=>{const options={...defaults,...opts};const httpSecurityHeadersMiddlewareAfter=async request=>{normalizeHttpResponse(request);Object.keys(helmet).forEach(key=>{if(!options[key])return;const config={...defaults[key],...options[key]};helmet[key](request.response.headers,config)});if(request.response.headers['Content-Type']?.includes('text/html')){Object.keys(helmetHtmlOnly).forEach(key=>{if(!options[key])return;const config={...defaults[key],...options[key]};helmetHtmlOnly[key](request.response.headers,config)})}};const httpSecurityHeadersMiddlewareOnError=async request=>{if(request.response===undefined)return;return httpSecurityHeadersMiddlewareAfter(request)};return{after:httpSecurityHeadersMiddlewareAfter,onError:httpSecurityHeadersMiddlewareOnError}};export default httpSecurityHeadersMiddleware
-// Code and Defaults heavily based off https://helmetjs.github.io/
-const defaults = {
-  contentSecurityPolicy: {
-    // Fetch directives
-    // 'child-src': '', // fallback default-src
-    // 'connect-src': '', // fallback default-src
-    'default-src': "'none'",
-    // 'font-src':'', // fallback default-src
-    // 'frame-src':'', // fallback child-src > default-src
-    // 'img-src':'', // fallback default-src
-    // 'manifest-src':'', // fallback default-src
-    // 'media-src':'', // fallback default-src
-    // 'object-src':'', // fallback default-src
-    // 'prefetch-src':'', // fallback default-src
-    // 'script-src':'', // fallback default-src
-    // 'script-src-elem':'', // fallback script-src > default-src
-    // 'script-src-attr':'', // fallback script-src > default-src
-    // 'style-src':'', // fallback default-src
-    // 'style-src-elem':'', // fallback style-src > default-src
-    // 'style-src-attr':'', // fallback style-src > default-src
-    // 'worker-src':'', // fallback child-src > script-src > default-src
-    // Document directives
-    'base-uri': "'none'",
-    sandbox: '',
-    // Navigation directives
-    'form-action': "'none'",
-    'frame-ancestors': "'none'",
-    'navigate-to': "'none'",
-    // Reporting directives
-    'report-to': 'csp',
-    // Other directives
-    'require-trusted-types-for': "'script'",
-    'trusted-types': "'none'",
-    'upgrade-insecure-requests': ''
-  },
-  contentTypeOptions: {
-    action: 'nosniff'
-  },
-  crossOriginEmbedderPolicy: {
-    policy: 'require-corp'
-  },
-  crossOriginOpenerPolicy: {
-    policy: 'same-origin'
-  },
-  crossOriginResourcePolicy: {
-    policy: 'same-origin'
-  },
-  dnsPrefetchControl: {
-    allow: false
-  },
-  downloadOptions: {
-    action: 'noopen'
-  },
-  frameOptions: {
-    action: 'deny'
-  },
-  originAgentCluster: {},
-  permissionsPolicy: {
-    // Standard
-    accelerometer: '',
-    'ambient-light-sensor': '',
-    autoplay: '',
-    battery: '',
-    camera: '',
-    'cross-origin-isolated': '',
-    'display-capture': '',
-    'document-domain': '',
-    'encrypted-media': '',
-    'execution-while-not-rendered': '',
-    'execution-while-out-of-viewport': '',
-    fullscreen: '',
-    geolocation: '',
-    gyroscope: '',
-    'keyboard-map': '',
-    magnetometer: '',
-    microphone: '',
-    midi: '',
-    'navigation-override': '',
-    payment: '',
-    'picture-in-picture': '',
-    'publickey-credentials-get': '',
-    'screen-wake-lock': '',
-    'sync-xhr': '',
-    usb: '',
-    'web-share': '',
-    'xr-spatial-tracking': '',
-    // Proposed
-    'clipboard-read': '',
-    'clipboard-write': '',
-    gamepad: '',
-    'speaker-selection': '',
-    // Experimental
-    'conversion-measurement': '',
-    'focus-without-user-activation': '',
-    hid: '',
-    'idle-detection': '',
-    'interest-cohort': '',
-    serial: '',
-    'sync-script': '',
-    'trust-token-redemption': '',
-    'window-placement': '',
-    'vertical-scroll': ''
-  },
-  permittedCrossDomainPolicies: {
-    policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
-  },
-  poweredBy: {
-    server: ''
-  },
-  referrerPolicy: {
-    policy: 'no-referrer'
-  },
-  reportTo: {
-    maxAge: 365 * 24 * 60 * 60,
-    default: '',
-    includeSubdomains: true,
-    csp: '',
-    staple: '',
-    xss: ''
-  },
-  strictTransportSecurity: {
-    maxAge: 180 * 24 * 60 * 60,
-    includeSubDomains: true,
-    preload: true
-  },
-  xssProtection: {
-    reportTo: 'xss'
-  }
-}
-const helmet = {}
-const helmetHtmlOnly = {}
-// *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
-  let header = Object.keys(config)
-    .map(policy => config[policy] ? `${policy} ${config[policy]}` : '')
-    .filter(str => str)
-    .join('; ')
-  if (config.sandbox === '') {
-    header += '; sandbox'
-  }
-  if (config['upgrade-insecure-requests'] === '') {
-    header += '; upgrade-insecure-requests'
-  }
-  headers['Content-Security-Policy'] = header
-}
-// crossdomain - N/A - for Adobe products
-helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config) => {
-  headers['Cross-Origin-Embedder-Policy'] = config.policy
-}
-helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config) => {
-  headers['Cross-Origin-Opener-Policy'] = config.policy
-}
-helmetHtmlOnly.crossOriginResourcePolicy = (headers, config) => {
-  headers['Cross-Origin-Resource-Policy'] = config.policy
-}
-// expectCt - DEPRECATED
-// hpkp - DEPRECATED
-// https://www.permissionspolicy.com/
-helmetHtmlOnly.permissionsPolicy = (headers, config) => {
-  headers['Permissions-Policy'] = Object.keys(config)
-    .map(policy => `${policy}=${policy === '*' ? '*' : `(${config[policy]})`}`)
-    .join(', ')
-}
-helmet.originAgentCluster = (headers, config) => {
-  headers['Origin-Agent-Cluster'] = '?1'
-}
-// https://github.com/helmetjs/referrer-policy
-helmet.referrerPolicy = (headers, config) => {
-  headers['Referrer-Policy'] = config.policy
-}
-helmetHtmlOnly.reportTo = (headers, config) => {
-  headers['Report-To'] = Object.keys(config)
-    .map(group => (config[group] && group !== 'includeSubdomains') ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : ''} }` : '')
-    .filter(str => str)
-    .join(', ')
-}
-// https://github.com/helmetjs/hsts
-helmet.strictTransportSecurity = (headers, config) => {
-  let header = 'max-age=' + Math.round(config.maxAge)
-  if (config.includeSubDomains) {
-    header += '; includeSubDomains'
-  }
-  if (config.preload) {
-    header += '; preload'
-  }
-  headers['Strict-Transport-Security'] = header
-}
-// noCache - N/A - separate middleware
-// X-* //
-// https://github.com/helmetjs/dont-sniff-mimetype
-helmet.contentTypeOptions = (headers, config) => {
-  headers['X-Content-Type-Options'] = config.action
-}
-// https://github.com/helmetjs/dns-Prefetch-control
-helmet.dnsPrefetchControl = (headers, config) => {
-  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off'
-}
-// https://github.com/helmetjs/ienoopen
-helmet.downloadOptions = (headers, config) => {
-  headers['X-Download-Options'] = config.action
-}
-// https://github.com/helmetjs/frameOptions
-helmetHtmlOnly.frameOptions = (headers, config) => {
-  headers['X-Frame-Options'] = config.action.toUpperCase()
-}
-// https://github.com/helmetjs/crossdomain
-helmet.permittedCrossDomainPolicies = (headers, config) => {
-  headers['X-Permitted-Cross-Domain-Policies'] = config.policy
-}
-// https://github.com/helmetjs/hide-powered-by
-helmet.poweredBy = (headers, config) => {
-  if (config.server) {
-    headers['X-Powered-By'] = config.server
-  } else {
-    delete headers.Server
-    delete headers['X-Powered-By']
-  }
-}
-// https://github.com/helmetjs/x-xss-protection
-helmetHtmlOnly.xssProtection = (headers, config) => {
-  let header = '1; mode=block'
-  if (config.reportTo) {
-    header += '; report=' + config.reportTo
-  }
-  headers['X-XSS-Protection'] = header
-}
-const httpSecurityHeadersMiddleware = (opts = {}) => {
-  const options = { ...defaults, ...opts }
-  const httpSecurityHeadersMiddlewareAfter = async (request) => {
-    normalizeHttpResponse(request)
-    Object.keys(helmet).forEach((key) => {
-      if (!options[key]) return
-      const config = { ...defaults[key], ...options[key] }
-      helmet[key](request.response.headers, config)
-    })
-    if (request.response.headers['Content-Type']?.includes('text/html')) {
-      Object.keys(helmetHtmlOnly).forEach((key) => {
-        if (!options[key]) return
-        const config = { ...defaults[key], ...options[key] }
-        helmetHtmlOnly[key](
-          request.response.headers,
-          config
-        )
-      })
-    }
-  }
-  const httpSecurityHeadersMiddlewareOnError = async (request) => {
-    if (request.response === undefined) return
-    return httpSecurityHeadersMiddlewareAfter(request)
-  }
-  return {
-    after: httpSecurityHeadersMiddlewareAfter,
-    onError: httpSecurityHeadersMiddlewareOnError
-  }
-}
-export default httpSecurityHeadersMiddleware
+//# sourceMappingURL=index.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@middy/http-security-headers",
-  "version": "3.0.0-alpha.3",
+  "version": "3.0.0-alpha.7",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
   "type": "module",
   "engines": {
@@ -50,11 +50,11 @@
     "url": "https://github.com/middyjs/middy/issues"
   },
   "homepage": "https://github.com/middyjs/middy#readme",
-  "gitHead": "1441158711580313765e6d156046ef0fade0d156",
+  "gitHead": "5cef39ebe49c201f97d71bb0680004de4b82cb91",
   "dependencies": {
-    "@middy/util": "^3.0.0-alpha.3"
+    "@middy/util": "^3.0.0-alpha.7"
   },
   "devDependencies": {
-    "@middy/core": "^3.0.0-alpha.3"
+    "@middy/core": "^3.0.0-alpha.7"
   }
 }