@middy/http-security-headers 3.0.2 → 3.1.0-rc.0

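--- a/package/LICENSE
+++ b/package/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2017-2022 Luciano Mammino, will Farrell and the [Middy team](https://github.com/middyjs/middy/graphs/contributors)
+Copyright (c) 2017-2022 [Luciano Mammino](https://github.com/lmammino), [will Farrell](https://github.com/willfarrell) and the [Middy team](https://github.com/middyjs/middy/graphs/contributors)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal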
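--- a/package/README.md
+++ b/package/README.md
@@ -10,8 +10,8 @@
 <a href="https://packagephobia.com/result?p=@middy/http-security-headers">
 <img src="https://packagephobia.com/badge?p=@middy/http-security-headers" alt="npm install size" style="max-width:100%;">
 </a>
-<a href="https://github.com/middyjs/middy/actions">
-<img src="https://github.com/middyjs/middy/workflows/Tests/badge.svg" alt="GitHub Actions test status badge" style="max-width:100%;">
+<a href="https://github.com/middyjs/middy/actions/workflows/tests.yml">
+<img src="https://github.com/middyjs/middy/actions/workflows/tests.yml/badge.svg?branch=main&event=push" alt="GitHub Actions CI status badge" style="max-width:100%;">
 </a>
 <br/>
 <a href="https://standardjs.com/">
@@ -34,6 +34,7 @@
 <img src="https://img.shields.io/badge/StackOverflow-[middy]-yellow" alt="Ask questions on StackOverflow" style="max-width:100%;">
 </a>
 </p>
+<p>You can read the documentation at: <a href="https://middy.js.org/docs/middlewares//http-security-headers">https://middy.js.org/docs/middlewares//http-security-headers</a></p>
 </div>
 
 Applies best practice security headers to responses. It's a simplified port of HelmetJS. See [HelmetJS](https://helmetjs.github.io/) documentation for more details.
@@ -95,7 +96,7 @@ Everyone is very welcome to contribute to this repository. Feel free to [raise i
 
 ## License
 
-Licensed under [MIT License](LICENSE). Copyright (c) 2017-2022 Luciano Mammino, will Farrell, and the [Middy team](https://github.com/middyjs/middy/graphs/contributors).
+Licensed under [MIT License](LICENSE). Copyright (c) 2017-2022 [Luciano Mammino](https://github.com/lmammino), [will Farrell](https://github.com/willfarrell), and the [Middy team](https://github.com/middyjs/middy/graphs/contributors).
 
 <a href="https://app.fossa.io/projects/git%2Bgithub.com%2Fmiddyjs%2Fmiddy?ref=badge_large">
 <img src="https://app.fossa.io/api/projects/git%2Bgithub.com%2Fmiddyjs%2Fmiddy.svg?type=large" alt="FOSSA Status" style="max-width:100%;">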
package/index.cjs CHANGED
@@ -1,3 +1,226 @@
1
- "use strict";Object.defineProperty(exports,"__esModule",{value:true});exports.default=void 0;var _util=require("@middy/util");const defaults={contentSecurityPolicy:{"default-src":"'none'","base-uri":"'none'",sandbox:"","form-action":"'none'","frame-ancestors":"'none'","navigate-to":"'none'","report-to":"csp","require-trusted-types-for":"'script'","trusted-types":"'none'","upgrade-insecure-requests":""},contentTypeOptions:{action:"nosniff"},crossOriginEmbedderPolicy:{policy:"require-corp"},crossOriginOpenerPolicy:{policy:"same-origin"},crossOriginResourcePolicy:{policy:"same-origin"},dnsPrefetchControl:{allow:false},downloadOptions:{action:"noopen"},frameOptions:{action:"deny"},originAgentCluster:{},permissionsPolicy:{accelerometer:"","ambient-light-sensor":"",autoplay:"",battery:"",camera:"","cross-origin-isolated":"","display-capture":"","document-domain":"","encrypted-media":"","execution-while-not-rendered":"","execution-while-out-of-viewport":"",fullscreen:"",geolocation:"",gyroscope:"","keyboard-map":"",magnetometer:"",microphone:"",midi:"","navigation-override":"",payment:"","picture-in-picture":"","publickey-credentials-get":"","screen-wake-lock":"","sync-xhr":"",usb:"","web-share":"","xr-spatial-tracking":"","clipboard-read":"","clipboard-write":"",gamepad:"","speaker-selection":"","conversion-measurement":"","focus-without-user-activation":"",hid:"","idle-detection":"","interest-cohort":"",serial:"","sync-script":"","trust-token-redemption":"","window-placement":"","vertical-scroll":""},permittedCrossDomainPolicies:{policy:"none"},poweredBy:{server:""},referrerPolicy:{policy:"no-referrer"},reportTo:{maxAge:365*24*60*60,default:"",includeSubdomains:true,csp:"",staple:"",xss:""},strictTransportSecurity:{maxAge:180*24*60*60,includeSubDomains:true,preload:true},xssProtection:{reportTo:"xss"}};const helmet={};const helmetHtmlOnly={};helmetHtmlOnly.contentSecurityPolicy=(headers,config)=>{let header=Object.keys(config).map(policy=>config[policy]?`${policy} 
${config[policy]}`:"").filter(str=>str).join("; ");if(config.sandbox===""){header+="; sandbox"}if(config["upgrade-insecure-requests"]===""){header+="; upgrade-insecure-requests"}headers["Content-Security-Policy"]=header};helmetHtmlOnly.crossOriginEmbedderPolicy=(headers,config)=>{headers["Cross-Origin-Embedder-Policy"]=config.policy};helmetHtmlOnly.crossOriginOpenerPolicy=(headers,config)=>{headers["Cross-Origin-Opener-Policy"]=config.policy};helmetHtmlOnly.crossOriginResourcePolicy=(headers,config)=>{headers["Cross-Origin-Resource-Policy"]=config.policy};helmetHtmlOnly.permissionsPolicy=(headers,config)=>{headers["Permissions-Policy"]=Object.keys(config).map(policy=>`${policy}=${config[policy]==="*"?"*":"("+config[policy]+")"}`).join(", ")};helmet.originAgentCluster=(headers,config)=>{headers["Origin-Agent-Cluster"]="?1"};helmet.referrerPolicy=(headers,config)=>{headers["Referrer-Policy"]=config.policy};helmetHtmlOnly.reportTo=(headers,config)=>{headers["Report-To"]=Object.keys(config).map(group=>{const includeSubdomains=group==="default"?`, "include_subdomains": ${config.includeSubdomains}`:"";return config[group]&&group!=="includeSubdomains"?`{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }`:""}).filter(str=>str).join(", ")};helmet.strictTransportSecurity=(headers,config)=>{let header="max-age="+Math.round(config.maxAge);if(config.includeSubDomains){header+="; includeSubDomains"}if(config.preload){header+="; 
preload"}headers["Strict-Transport-Security"]=header};helmet.contentTypeOptions=(headers,config)=>{headers["X-Content-Type-Options"]=config.action};helmet.dnsPrefetchControl=(headers,config)=>{headers["X-DNS-Prefetch-Control"]=config.allow?"on":"off"};helmet.downloadOptions=(headers,config)=>{headers["X-Download-Options"]=config.action};helmetHtmlOnly.frameOptions=(headers,config)=>{headers["X-Frame-Options"]=config.action.toUpperCase()};helmet.permittedCrossDomainPolicies=(headers,config)=>{headers["X-Permitted-Cross-Domain-Policies"]=config.policy};helmet.poweredBy=(headers,config)=>{if(config.server){headers["X-Powered-By"]=config.server}else{delete headers.Server;delete headers["X-Powered-By"]}};helmetHtmlOnly.xssProtection=(headers,config)=>{let header="1; mode=block";if(config.reportTo){header+="; report="+config.reportTo}headers["X-XSS-Protection"]=header};const httpSecurityHeadersMiddleware=(opts={})=>{const options={...defaults,...opts};const httpSecurityHeadersMiddlewareAfter=async request=>{(0,_util).normalizeHttpResponse(request);Object.keys(helmet).forEach(key=>{if(!options[key])return;const config={...defaults[key],...options[key]};helmet[key](request.response.headers,config)});if(request.response.headers["Content-Type"]?.includes("text/html")){Object.keys(helmetHtmlOnly).forEach(key=>{if(!options[key])return;const config={...defaults[key],...options[key]};helmetHtmlOnly[key](request.response.headers,config)})}};const httpSecurityHeadersMiddlewareOnError=async request=>{if(request.response===undefined)return;return httpSecurityHeadersMiddlewareAfter(request)};return{after:httpSecurityHeadersMiddlewareAfter,onError:httpSecurityHeadersMiddlewareOnError}};var _default=httpSecurityHeadersMiddleware;exports.default=_default
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", {
3
+ value: true
4
+ });
5
+ module.exports = void 0;
6
+ var _util = require("@middy/util");
7
+ const defaults = {
8
+ contentSecurityPolicy: {
9
+ 'default-src': "'none'",
10
+ 'base-uri': "'none'",
11
+ sandbox: '',
12
+ 'form-action': "'none'",
13
+ 'frame-ancestors': "'none'",
14
+ 'navigate-to': "'none'",
15
+ 'report-to': 'csp',
16
+ 'require-trusted-types-for': "'script'",
17
+ 'trusted-types': "'none'",
18
+ 'upgrade-insecure-requests': ''
19
+ },
20
+ contentTypeOptions: {
21
+ action: 'nosniff'
22
+ },
23
+ crossOriginEmbedderPolicy: {
24
+ policy: 'require-corp'
25
+ },
26
+ crossOriginOpenerPolicy: {
27
+ policy: 'same-origin'
28
+ },
29
+ crossOriginResourcePolicy: {
30
+ policy: 'same-origin'
31
+ },
32
+ dnsPrefetchControl: {
33
+ allow: false
34
+ },
35
+ downloadOptions: {
36
+ action: 'noopen'
37
+ },
38
+ frameOptions: {
39
+ action: 'deny'
40
+ },
41
+ originAgentCluster: {},
42
+ permissionsPolicy: {
43
+ accelerometer: '',
44
+ 'ambient-light-sensor': '',
45
+ autoplay: '',
46
+ battery: '',
47
+ camera: '',
48
+ 'cross-origin-isolated': '',
49
+ 'display-capture': '',
50
+ 'document-domain': '',
51
+ 'encrypted-media': '',
52
+ 'execution-while-not-rendered': '',
53
+ 'execution-while-out-of-viewport': '',
54
+ fullscreen: '',
55
+ geolocation: '',
56
+ gyroscope: '',
57
+ 'keyboard-map': '',
58
+ magnetometer: '',
59
+ microphone: '',
60
+ midi: '',
61
+ 'navigation-override': '',
62
+ payment: '',
63
+ 'picture-in-picture': '',
64
+ 'publickey-credentials-get': '',
65
+ 'screen-wake-lock': '',
66
+ 'sync-xhr': '',
67
+ usb: '',
68
+ 'web-share': '',
69
+ 'xr-spatial-tracking': '',
70
+ 'clipboard-read': '',
71
+ 'clipboard-write': '',
72
+ gamepad: '',
73
+ 'speaker-selection': '',
74
+ 'conversion-measurement': '',
75
+ 'focus-without-user-activation': '',
76
+ hid: '',
77
+ 'idle-detection': '',
78
+ 'interest-cohort': '',
79
+ serial: '',
80
+ 'sync-script': '',
81
+ 'trust-token-redemption': '',
82
+ 'window-placement': '',
83
+ 'vertical-scroll': ''
84
+ },
85
+ permittedCrossDomainPolicies: {
86
+ policy: 'none'
87
+ },
88
+ poweredBy: {
89
+ server: ''
90
+ },
91
+ referrerPolicy: {
92
+ policy: 'no-referrer'
93
+ },
94
+ reportTo: {
95
+ maxAge: 365 * 24 * 60 * 60,
96
+ default: '',
97
+ includeSubdomains: true,
98
+ csp: '',
99
+ staple: '',
100
+ xss: ''
101
+ },
102
+ strictTransportSecurity: {
103
+ maxAge: 180 * 24 * 60 * 60,
104
+ includeSubDomains: true,
105
+ preload: true
106
+ },
107
+ xssProtection: {
108
+ reportTo: 'xss'
109
+ }
110
+ };
111
+ const helmet = {};
112
+ const helmetHtmlOnly = {};
113
+ helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
114
+ let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
115
+ if (config.sandbox === '') {
116
+ header += '; sandbox';
117
+ }
118
+ if (config['upgrade-insecure-requests'] === '') {
119
+ header += '; upgrade-insecure-requests';
120
+ }
121
+ headers['Content-Security-Policy'] = header;
122
+ };
123
+ helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
124
+ headers['Cross-Origin-Embedder-Policy'] = config.policy;
125
+ };
126
+ helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{
127
+ headers['Cross-Origin-Opener-Policy'] = config.policy;
128
+ };
129
+ helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{
130
+ headers['Cross-Origin-Resource-Policy'] = config.policy;
131
+ };
132
+ helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
133
+ headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
134
+ };
135
+ helmet.originAgentCluster = (headers, config)=>{
136
+ headers['Origin-Agent-Cluster'] = '?1';
137
+ };
138
+ helmet.referrerPolicy = (headers, config)=>{
139
+ headers['Referrer-Policy'] = config.policy;
140
+ };
141
+ helmetHtmlOnly.reportTo = (headers, config)=>{
142
+ headers['Report-To'] = Object.keys(config).map((group)=>{
143
+ const includeSubdomains = group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : '';
144
+ return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : '';
145
+ }).filter((str)=>str).join(', ');
146
+ };
147
+ helmet.strictTransportSecurity = (headers, config)=>{
148
+ let header = 'max-age=' + Math.round(config.maxAge);
149
+ if (config.includeSubDomains) {
150
+ header += '; includeSubDomains';
151
+ }
152
+ if (config.preload) {
153
+ header += '; preload';
154
+ }
155
+ headers['Strict-Transport-Security'] = header;
156
+ };
157
+ helmet.contentTypeOptions = (headers, config)=>{
158
+ headers['X-Content-Type-Options'] = config.action;
159
+ };
160
+ helmet.dnsPrefetchControl = (headers, config)=>{
161
+ headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
162
+ };
163
+ helmet.downloadOptions = (headers, config)=>{
164
+ headers['X-Download-Options'] = config.action;
165
+ };
166
+ helmetHtmlOnly.frameOptions = (headers, config)=>{
167
+ headers['X-Frame-Options'] = config.action.toUpperCase();
168
+ };
169
+ helmet.permittedCrossDomainPolicies = (headers, config)=>{
170
+ headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
171
+ };
172
+ helmet.poweredBy = (headers, config)=>{
173
+ if (config.server) {
174
+ headers['X-Powered-By'] = config.server;
175
+ } else {
176
+ delete headers.Server;
177
+ delete headers['X-Powered-By'];
178
+ }
179
+ };
180
+ helmetHtmlOnly.xssProtection = (headers, config)=>{
181
+ let header = '1; mode=block';
182
+ if (config.reportTo) {
183
+ header += '; report=' + config.reportTo;
184
+ }
185
+ headers['X-XSS-Protection'] = header;
186
+ };
187
+ const httpSecurityHeadersMiddleware = (opts = {})=>{
188
+ const options = {
189
+ ...defaults,
190
+ ...opts
191
+ };
192
+ const httpSecurityHeadersMiddlewareAfter = async (request)=>{
193
+ (0, _util).normalizeHttpResponse(request);
194
+ Object.keys(helmet).forEach((key)=>{
195
+ if (!options[key]) return;
196
+ const config = {
197
+ ...defaults[key],
198
+ ...options[key]
199
+ };
200
+ helmet[key](request.response.headers, config);
201
+ });
202
+ if (request.response.headers['Content-Type']?.includes('text/html')) {
203
+ Object.keys(helmetHtmlOnly).forEach((key)=>{
204
+ if (!options[key]) return;
205
+ const config = {
206
+ ...defaults[key],
207
+ ...options[key]
208
+ };
209
+ helmetHtmlOnly[key](request.response.headers, config);
210
+ });
211
+ }
212
+ };
213
+ const httpSecurityHeadersMiddlewareOnError = async (request)=>{
214
+ if (request.response === undefined) return;
215
+ return httpSecurityHeadersMiddlewareAfter(request);
216
+ };
217
+ return {
218
+ after: httpSecurityHeadersMiddlewareAfter,
219
+ onError: httpSecurityHeadersMiddlewareOnError
220
+ };
221
+ };
222
+ var _default = httpSecurityHeadersMiddleware;
223
+ module.exports = _default;
224
+
2
225
 
3
226
  //# sourceMappingURL=index.cjs.map
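Review bot: `helmetHtmlOnly.reportTo` (new lines 141-146) iterates every key of its config and excludes only `includeSubdomains`, so the numeric `maxAge` (31536000 by default, which is truthy) is emitted as a bogus reporting group with `"url": "31536000"` on every HTML response, and every real group is written with the hard-coded `"group": "default"`, so the `report-to csp` directive in the default CSP and the `report=xss` token in `X-XSS-Protection` name groups that never appear in the header. Both defects are pre-existing and carried over verbatim by this reformat. Building each entry as an object and serialising it with `JSON.stringify` fixes the group name, skips the non-endpoint keys, and also escapes a configured URL containing `"` that would currently corrupt the header value. `helmet.strictTransportSecurity` (new lines 147-156) is worth a look at the same time: the defaults combine `preload: true` with a 180-day `maxAge`, while the HSTS preload list requires a max-age of at least one year, so either raise `maxAge` to `365 * 24 * 60 * 60` or leave `preload` off by default.
```javascript
helmetHtmlOnly.reportTo = (headers, config)=>{
    // Only keys holding an endpoint URL are reporting groups; maxAge/includeSubdomains are settings.
    const groups = Object.keys(config).filter((group)=>config[group] && group !== 'includeSubdomains' && group !== 'maxAge');
    headers['Report-To'] = groups.map((group)=>JSON.stringify({
        group,
        max_age: config.maxAge,
        endpoints: [ { url: config[group] } ],
        ...(group === 'default' ? { include_subdomains: config.includeSubdomains } : {})
    })).join(', ');
};
```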
package/index.js CHANGED
@@ -1,3 +1,220 @@
1
- import{normalizeHttpResponse}from"@middy/util";const defaults={contentSecurityPolicy:{"default-src":"'none'","base-uri":"'none'",sandbox:"","form-action":"'none'","frame-ancestors":"'none'","navigate-to":"'none'","report-to":"csp","require-trusted-types-for":"'script'","trusted-types":"'none'","upgrade-insecure-requests":""},contentTypeOptions:{action:"nosniff"},crossOriginEmbedderPolicy:{policy:"require-corp"},crossOriginOpenerPolicy:{policy:"same-origin"},crossOriginResourcePolicy:{policy:"same-origin"},dnsPrefetchControl:{allow:false},downloadOptions:{action:"noopen"},frameOptions:{action:"deny"},originAgentCluster:{},permissionsPolicy:{accelerometer:"","ambient-light-sensor":"",autoplay:"",battery:"",camera:"","cross-origin-isolated":"","display-capture":"","document-domain":"","encrypted-media":"","execution-while-not-rendered":"","execution-while-out-of-viewport":"",fullscreen:"",geolocation:"",gyroscope:"","keyboard-map":"",magnetometer:"",microphone:"",midi:"","navigation-override":"",payment:"","picture-in-picture":"","publickey-credentials-get":"","screen-wake-lock":"","sync-xhr":"",usb:"","web-share":"","xr-spatial-tracking":"","clipboard-read":"","clipboard-write":"",gamepad:"","speaker-selection":"","conversion-measurement":"","focus-without-user-activation":"",hid:"","idle-detection":"","interest-cohort":"",serial:"","sync-script":"","trust-token-redemption":"","window-placement":"","vertical-scroll":""},permittedCrossDomainPolicies:{policy:"none"},poweredBy:{server:""},referrerPolicy:{policy:"no-referrer"},reportTo:{maxAge:365*24*60*60,default:"",includeSubdomains:true,csp:"",staple:"",xss:""},strictTransportSecurity:{maxAge:180*24*60*60,includeSubDomains:true,preload:true},xssProtection:{reportTo:"xss"}};const helmet={};const helmetHtmlOnly={};helmetHtmlOnly.contentSecurityPolicy=(headers,config)=>{let header=Object.keys(config).map(policy=>config[policy]?`${policy} ${config[policy]}`:"").filter(str=>str).join("; 
");if(config.sandbox===""){header+="; sandbox"}if(config["upgrade-insecure-requests"]===""){header+="; upgrade-insecure-requests"}headers["Content-Security-Policy"]=header};helmetHtmlOnly.crossOriginEmbedderPolicy=(headers,config)=>{headers["Cross-Origin-Embedder-Policy"]=config.policy};helmetHtmlOnly.crossOriginOpenerPolicy=(headers,config)=>{headers["Cross-Origin-Opener-Policy"]=config.policy};helmetHtmlOnly.crossOriginResourcePolicy=(headers,config)=>{headers["Cross-Origin-Resource-Policy"]=config.policy};helmetHtmlOnly.permissionsPolicy=(headers,config)=>{headers["Permissions-Policy"]=Object.keys(config).map(policy=>`${policy}=${config[policy]==="*"?"*":"("+config[policy]+")"}`).join(", ")};helmet.originAgentCluster=(headers,config)=>{headers["Origin-Agent-Cluster"]="?1"};helmet.referrerPolicy=(headers,config)=>{headers["Referrer-Policy"]=config.policy};helmetHtmlOnly.reportTo=(headers,config)=>{headers["Report-To"]=Object.keys(config).map(group=>{const includeSubdomains=group==="default"?`, "include_subdomains": ${config.includeSubdomains}`:"";return config[group]&&group!=="includeSubdomains"?`{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }`:""}).filter(str=>str).join(", ")};helmet.strictTransportSecurity=(headers,config)=>{let header="max-age="+Math.round(config.maxAge);if(config.includeSubDomains){header+="; includeSubDomains"}if(config.preload){header+="; 
preload"}headers["Strict-Transport-Security"]=header};helmet.contentTypeOptions=(headers,config)=>{headers["X-Content-Type-Options"]=config.action};helmet.dnsPrefetchControl=(headers,config)=>{headers["X-DNS-Prefetch-Control"]=config.allow?"on":"off"};helmet.downloadOptions=(headers,config)=>{headers["X-Download-Options"]=config.action};helmetHtmlOnly.frameOptions=(headers,config)=>{headers["X-Frame-Options"]=config.action.toUpperCase()};helmet.permittedCrossDomainPolicies=(headers,config)=>{headers["X-Permitted-Cross-Domain-Policies"]=config.policy};helmet.poweredBy=(headers,config)=>{if(config.server){headers["X-Powered-By"]=config.server}else{delete headers.Server;delete headers["X-Powered-By"]}};helmetHtmlOnly.xssProtection=(headers,config)=>{let header="1; mode=block";if(config.reportTo){header+="; report="+config.reportTo}headers["X-XSS-Protection"]=header};const httpSecurityHeadersMiddleware=(opts={})=>{const options={...defaults,...opts};const httpSecurityHeadersMiddlewareAfter=async request=>{normalizeHttpResponse(request);Object.keys(helmet).forEach(key=>{if(!options[key])return;const config={...defaults[key],...options[key]};helmet[key](request.response.headers,config)});if(request.response.headers["Content-Type"]?.includes("text/html")){Object.keys(helmetHtmlOnly).forEach(key=>{if(!options[key])return;const config={...defaults[key],...options[key]};helmetHtmlOnly[key](request.response.headers,config)})}};const httpSecurityHeadersMiddlewareOnError=async request=>{if(request.response===undefined)return;return httpSecurityHeadersMiddlewareAfter(request)};return{after:httpSecurityHeadersMiddlewareAfter,onError:httpSecurityHeadersMiddlewareOnError}};export default httpSecurityHeadersMiddleware
1
+ import { normalizeHttpResponse } from '@middy/util';
2
+ const defaults = {
3
+ contentSecurityPolicy: {
4
+ 'default-src': "'none'",
5
+ 'base-uri': "'none'",
6
+ sandbox: '',
7
+ 'form-action': "'none'",
8
+ 'frame-ancestors': "'none'",
9
+ 'navigate-to': "'none'",
10
+ 'report-to': 'csp',
11
+ 'require-trusted-types-for': "'script'",
12
+ 'trusted-types': "'none'",
13
+ 'upgrade-insecure-requests': ''
14
+ },
15
+ contentTypeOptions: {
16
+ action: 'nosniff'
17
+ },
18
+ crossOriginEmbedderPolicy: {
19
+ policy: 'require-corp'
20
+ },
21
+ crossOriginOpenerPolicy: {
22
+ policy: 'same-origin'
23
+ },
24
+ crossOriginResourcePolicy: {
25
+ policy: 'same-origin'
26
+ },
27
+ dnsPrefetchControl: {
28
+ allow: false
29
+ },
30
+ downloadOptions: {
31
+ action: 'noopen'
32
+ },
33
+ frameOptions: {
34
+ action: 'deny'
35
+ },
36
+ originAgentCluster: {},
37
+ permissionsPolicy: {
38
+ accelerometer: '',
39
+ 'ambient-light-sensor': '',
40
+ autoplay: '',
41
+ battery: '',
42
+ camera: '',
43
+ 'cross-origin-isolated': '',
44
+ 'display-capture': '',
45
+ 'document-domain': '',
46
+ 'encrypted-media': '',
47
+ 'execution-while-not-rendered': '',
48
+ 'execution-while-out-of-viewport': '',
49
+ fullscreen: '',
50
+ geolocation: '',
51
+ gyroscope: '',
52
+ 'keyboard-map': '',
53
+ magnetometer: '',
54
+ microphone: '',
55
+ midi: '',
56
+ 'navigation-override': '',
57
+ payment: '',
58
+ 'picture-in-picture': '',
59
+ 'publickey-credentials-get': '',
60
+ 'screen-wake-lock': '',
61
+ 'sync-xhr': '',
62
+ usb: '',
63
+ 'web-share': '',
64
+ 'xr-spatial-tracking': '',
65
+ 'clipboard-read': '',
66
+ 'clipboard-write': '',
67
+ gamepad: '',
68
+ 'speaker-selection': '',
69
+ 'conversion-measurement': '',
70
+ 'focus-without-user-activation': '',
71
+ hid: '',
72
+ 'idle-detection': '',
73
+ 'interest-cohort': '',
74
+ serial: '',
75
+ 'sync-script': '',
76
+ 'trust-token-redemption': '',
77
+ 'window-placement': '',
78
+ 'vertical-scroll': ''
79
+ },
80
+ permittedCrossDomainPolicies: {
81
+ policy: 'none'
82
+ },
83
+ poweredBy: {
84
+ server: ''
85
+ },
86
+ referrerPolicy: {
87
+ policy: 'no-referrer'
88
+ },
89
+ reportTo: {
90
+ maxAge: 365 * 24 * 60 * 60,
91
+ default: '',
92
+ includeSubdomains: true,
93
+ csp: '',
94
+ staple: '',
95
+ xss: ''
96
+ },
97
+ strictTransportSecurity: {
98
+ maxAge: 180 * 24 * 60 * 60,
99
+ includeSubDomains: true,
100
+ preload: true
101
+ },
102
+ xssProtection: {
103
+ reportTo: 'xss'
104
+ }
105
+ };
106
+ const helmet = {};
107
+ const helmetHtmlOnly = {};
108
+ helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
109
+ let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
110
+ if (config.sandbox === '') {
111
+ header += '; sandbox';
112
+ }
113
+ if (config['upgrade-insecure-requests'] === '') {
114
+ header += '; upgrade-insecure-requests';
115
+ }
116
+ headers['Content-Security-Policy'] = header;
117
+ };
118
+ helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
119
+ headers['Cross-Origin-Embedder-Policy'] = config.policy;
120
+ };
121
+ helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{
122
+ headers['Cross-Origin-Opener-Policy'] = config.policy;
123
+ };
124
+ helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{
125
+ headers['Cross-Origin-Resource-Policy'] = config.policy;
126
+ };
127
+ helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
128
+ headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
129
+ };
130
+ helmet.originAgentCluster = (headers, config)=>{
131
+ headers['Origin-Agent-Cluster'] = '?1';
132
+ };
133
+ helmet.referrerPolicy = (headers, config)=>{
134
+ headers['Referrer-Policy'] = config.policy;
135
+ };
136
+ helmetHtmlOnly.reportTo = (headers, config)=>{
137
+ headers['Report-To'] = Object.keys(config).map((group)=>{
138
+ const includeSubdomains = group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : '';
139
+ return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : '';
140
+ }).filter((str)=>str).join(', ');
141
+ };
142
+ helmet.strictTransportSecurity = (headers, config)=>{
143
+ let header = 'max-age=' + Math.round(config.maxAge);
144
+ if (config.includeSubDomains) {
145
+ header += '; includeSubDomains';
146
+ }
147
+ if (config.preload) {
148
+ header += '; preload';
149
+ }
150
+ headers['Strict-Transport-Security'] = header;
151
+ };
152
+ helmet.contentTypeOptions = (headers, config)=>{
153
+ headers['X-Content-Type-Options'] = config.action;
154
+ };
155
+ helmet.dnsPrefetchControl = (headers, config)=>{
156
+ headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
157
+ };
158
+ helmet.downloadOptions = (headers, config)=>{
159
+ headers['X-Download-Options'] = config.action;
160
+ };
161
+ helmetHtmlOnly.frameOptions = (headers, config)=>{
162
+ headers['X-Frame-Options'] = config.action.toUpperCase();
163
+ };
164
+ helmet.permittedCrossDomainPolicies = (headers, config)=>{
165
+ headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
166
+ };
167
+ helmet.poweredBy = (headers, config)=>{
168
+ if (config.server) {
169
+ headers['X-Powered-By'] = config.server;
170
+ } else {
171
+ delete headers.Server;
172
+ delete headers['X-Powered-By'];
173
+ }
174
+ };
175
+ helmetHtmlOnly.xssProtection = (headers, config)=>{
176
+ let header = '1; mode=block';
177
+ if (config.reportTo) {
178
+ header += '; report=' + config.reportTo;
179
+ }
180
+ headers['X-XSS-Protection'] = header;
181
+ };
182
+ const httpSecurityHeadersMiddleware = (opts = {})=>{
183
+ const options = {
184
+ ...defaults,
185
+ ...opts
186
+ };
187
+ const httpSecurityHeadersMiddlewareAfter = async (request)=>{
188
+ normalizeHttpResponse(request);
189
+ Object.keys(helmet).forEach((key)=>{
190
+ if (!options[key]) return;
191
+ const config = {
192
+ ...defaults[key],
193
+ ...options[key]
194
+ };
195
+ helmet[key](request.response.headers, config);
196
+ });
197
+ if (request.response.headers['Content-Type']?.includes('text/html')) {
198
+ Object.keys(helmetHtmlOnly).forEach((key)=>{
199
+ if (!options[key]) return;
200
+ const config = {
201
+ ...defaults[key],
202
+ ...options[key]
203
+ };
204
+ helmetHtmlOnly[key](request.response.headers, config);
205
+ });
206
+ }
207
+ };
208
+ const httpSecurityHeadersMiddlewareOnError = async (request)=>{
209
+ if (request.response === undefined) return;
210
+ return httpSecurityHeadersMiddlewareAfter(request);
211
+ };
212
+ return {
213
+ after: httpSecurityHeadersMiddlewareAfter,
214
+ onError: httpSecurityHeadersMiddlewareOnError
215
+ };
216
+ };
217
+ export default httpSecurityHeadersMiddleware;
218
+
2
219
 
3
220
  //# sourceMappingURL=index.js.map
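Review bot: The gate on new line 197, `request.response.headers['Content-Type']?.includes('text/html')`, matches only that exact capitalisation, so a handler that sets `content-type: text/html` (the lower-case form API Gateway payloads and Node commonly produce) receives none of the HTML-only headers: no CSP, no `X-Frame-Options`, no COOP/COEP/CORP and no `Report-To`; this holds unless `normalizeHttpResponse` from `@middy/util` canonicalises header names, which is not visible in this diff. The same case-sensitivity affects `helmet.poweredBy` (new lines 167-174), which deletes `Server` and `X-Powered-By` but leaves `server` / `x-powered-by` in place. A case-insensitive lookup such as `const contentType = Object.entries(request.response.headers).find(([name])=>name.toLowerCase() === 'content-type')?.[1];` followed by `if (contentType?.includes('text/html'))` closes the gap for the gate, and the `poweredBy` deletion should match keys the same way. Separately, `helmetHtmlOnly.xssProtection` (new lines 175-181) still emits `X-XSS-Protection: 1; mode=block`; the browser XSS auditor this enables has been dropped by Chromium-based browsers and was itself a source of cross-site leaks, and Helmet, which this package describes itself as a port of, now sends `0`, so consider `headers['X-XSS-Protection'] = '0';` as the default.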
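--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@middy/http-security-headers",
-"version": "3.0.2",
+"version": "3.1.0-rc.0",
 "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
 "type": "module",
 "engines": {
@@ -10,11 +10,17 @@
 "publishConfig": {
 "access": "public"
 },
+"main": "./index.cjs",
 "exports": {
 ".": {
-"import": "./index.js",
-"require": "./index.cjs",
-"types": "./index.d.ts"
+"import": {
+"types": "./index.d.ts",
+"default": "./index.js"
+},
+"require": {
+"types": "./index.d.ts",
+"default": "./index.cjs"
+}
 }
 },
 "types": "index.d.ts",
@@ -57,11 +63,11 @@
 "url": "https://github.com/middyjs/middy/issues"
 },
 "homepage": "https://middy.js.org",
-"gitHead": "983649b8359ea32a786e75dfc2953aeee8ec6052",
+"gitHead": "03a8794d3cdb4319eca49ba4c55420bea5d66430",
 "dependencies": {
-"@middy/util": "^3.0.2"
+"@middy/util": "3.1.0-rc.0"
 },
 "devDependencies": {
-"@middy/core": "^3.0.2"
+"@middy/core": "3.1.0-rc.0"
 }
 }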