@middy/http-security-headers 3.0.3 → 3.1.0-rc.1

Files changed (3)
  1. package/index.cjs +224 -1
  2. package/index.js +218 -1
  3. package/package.json +13 -7
package/index.cjs CHANGED
@@ -1,3 +1,226 @@
1
- "use strict";Object.defineProperty(exports,"__esModule",{value:true});module.exports=void 0;var _util=require("@middy/util");const defaults={contentSecurityPolicy:{"default-src":"'none'","base-uri":"'none'",sandbox:"","form-action":"'none'","frame-ancestors":"'none'","navigate-to":"'none'","report-to":"csp","require-trusted-types-for":"'script'","trusted-types":"'none'","upgrade-insecure-requests":""},contentTypeOptions:{action:"nosniff"},crossOriginEmbedderPolicy:{policy:"require-corp"},crossOriginOpenerPolicy:{policy:"same-origin"},crossOriginResourcePolicy:{policy:"same-origin"},dnsPrefetchControl:{allow:false},downloadOptions:{action:"noopen"},frameOptions:{action:"deny"},originAgentCluster:{},permissionsPolicy:{accelerometer:"","ambient-light-sensor":"",autoplay:"",battery:"",camera:"","cross-origin-isolated":"","display-capture":"","document-domain":"","encrypted-media":"","execution-while-not-rendered":"","execution-while-out-of-viewport":"",fullscreen:"",geolocation:"",gyroscope:"","keyboard-map":"",magnetometer:"",microphone:"",midi:"","navigation-override":"",payment:"","picture-in-picture":"","publickey-credentials-get":"","screen-wake-lock":"","sync-xhr":"",usb:"","web-share":"","xr-spatial-tracking":"","clipboard-read":"","clipboard-write":"",gamepad:"","speaker-selection":"","conversion-measurement":"","focus-without-user-activation":"",hid:"","idle-detection":"","interest-cohort":"",serial:"","sync-script":"","trust-token-redemption":"","window-placement":"","vertical-scroll":""},permittedCrossDomainPolicies:{policy:"none"},poweredBy:{server:""},referrerPolicy:{policy:"no-referrer"},reportTo:{maxAge:365*24*60*60,default:"",includeSubdomains:true,csp:"",staple:"",xss:""},strictTransportSecurity:{maxAge:180*24*60*60,includeSubDomains:true,preload:true},xssProtection:{reportTo:"xss"}};const helmet={};const helmetHtmlOnly={};helmetHtmlOnly.contentSecurityPolicy=(headers,config)=>{let header=Object.keys(config).map(policy=>config[policy]?`${policy} 
${config[policy]}`:"").filter(str=>str).join("; ");if(config.sandbox===""){header+="; sandbox"}if(config["upgrade-insecure-requests"]===""){header+="; upgrade-insecure-requests"}headers["Content-Security-Policy"]=header};helmetHtmlOnly.crossOriginEmbedderPolicy=(headers,config)=>{headers["Cross-Origin-Embedder-Policy"]=config.policy};helmetHtmlOnly.crossOriginOpenerPolicy=(headers,config)=>{headers["Cross-Origin-Opener-Policy"]=config.policy};helmetHtmlOnly.crossOriginResourcePolicy=(headers,config)=>{headers["Cross-Origin-Resource-Policy"]=config.policy};helmetHtmlOnly.permissionsPolicy=(headers,config)=>{headers["Permissions-Policy"]=Object.keys(config).map(policy=>`${policy}=${config[policy]==="*"?"*":"("+config[policy]+")"}`).join(", ")};helmet.originAgentCluster=(headers,config)=>{headers["Origin-Agent-Cluster"]="?1"};helmet.referrerPolicy=(headers,config)=>{headers["Referrer-Policy"]=config.policy};helmetHtmlOnly.reportTo=(headers,config)=>{headers["Report-To"]=Object.keys(config).map(group=>{const includeSubdomains=group==="default"?`, "include_subdomains": ${config.includeSubdomains}`:"";return config[group]&&group!=="includeSubdomains"?`{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }`:""}).filter(str=>str).join(", ")};helmet.strictTransportSecurity=(headers,config)=>{let header="max-age="+Math.round(config.maxAge);if(config.includeSubDomains){header+="; includeSubDomains"}if(config.preload){header+="; 
preload"}headers["Strict-Transport-Security"]=header};helmet.contentTypeOptions=(headers,config)=>{headers["X-Content-Type-Options"]=config.action};helmet.dnsPrefetchControl=(headers,config)=>{headers["X-DNS-Prefetch-Control"]=config.allow?"on":"off"};helmet.downloadOptions=(headers,config)=>{headers["X-Download-Options"]=config.action};helmetHtmlOnly.frameOptions=(headers,config)=>{headers["X-Frame-Options"]=config.action.toUpperCase()};helmet.permittedCrossDomainPolicies=(headers,config)=>{headers["X-Permitted-Cross-Domain-Policies"]=config.policy};helmet.poweredBy=(headers,config)=>{if(config.server){headers["X-Powered-By"]=config.server}else{delete headers.Server;delete headers["X-Powered-By"]}};helmetHtmlOnly.xssProtection=(headers,config)=>{let header="1; mode=block";if(config.reportTo){header+="; report="+config.reportTo}headers["X-XSS-Protection"]=header};const httpSecurityHeadersMiddleware=(opts={})=>{const options={...defaults,...opts};const httpSecurityHeadersMiddlewareAfter=async request=>{(0,_util).normalizeHttpResponse(request);Object.keys(helmet).forEach(key=>{if(!options[key])return;const config={...defaults[key],...options[key]};helmet[key](request.response.headers,config)});if(request.response.headers["Content-Type"]?.includes("text/html")){Object.keys(helmetHtmlOnly).forEach(key=>{if(!options[key])return;const config={...defaults[key],...options[key]};helmetHtmlOnly[key](request.response.headers,config)})}};const httpSecurityHeadersMiddlewareOnError=async request=>{if(request.response===undefined)return;return httpSecurityHeadersMiddlewareAfter(request)};return{after:httpSecurityHeadersMiddlewareAfter,onError:httpSecurityHeadersMiddlewareOnError}};var _default=httpSecurityHeadersMiddleware;module.exports=_default
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", {
3
+ value: true
4
+ });
5
+ module.exports = void 0;
6
+ var _util = require("@middy/util");
7
+ const defaults = {
8
+ contentSecurityPolicy: {
9
+ 'default-src': "'none'",
10
+ 'base-uri': "'none'",
11
+ sandbox: '',
12
+ 'form-action': "'none'",
13
+ 'frame-ancestors': "'none'",
14
+ 'navigate-to': "'none'",
15
+ 'report-to': 'csp',
16
+ 'require-trusted-types-for': "'script'",
17
+ 'trusted-types': "'none'",
18
+ 'upgrade-insecure-requests': ''
19
+ },
20
+ contentTypeOptions: {
21
+ action: 'nosniff'
22
+ },
23
+ crossOriginEmbedderPolicy: {
24
+ policy: 'require-corp'
25
+ },
26
+ crossOriginOpenerPolicy: {
27
+ policy: 'same-origin'
28
+ },
29
+ crossOriginResourcePolicy: {
30
+ policy: 'same-origin'
31
+ },
32
+ dnsPrefetchControl: {
33
+ allow: false
34
+ },
35
+ downloadOptions: {
36
+ action: 'noopen'
37
+ },
38
+ frameOptions: {
39
+ action: 'deny'
40
+ },
41
+ originAgentCluster: {},
42
+ permissionsPolicy: {
43
+ accelerometer: '',
44
+ 'ambient-light-sensor': '',
45
+ autoplay: '',
46
+ battery: '',
47
+ camera: '',
48
+ 'cross-origin-isolated': '',
49
+ 'display-capture': '',
50
+ 'document-domain': '',
51
+ 'encrypted-media': '',
52
+ 'execution-while-not-rendered': '',
53
+ 'execution-while-out-of-viewport': '',
54
+ fullscreen: '',
55
+ geolocation: '',
56
+ gyroscope: '',
57
+ 'keyboard-map': '',
58
+ magnetometer: '',
59
+ microphone: '',
60
+ midi: '',
61
+ 'navigation-override': '',
62
+ payment: '',
63
+ 'picture-in-picture': '',
64
+ 'publickey-credentials-get': '',
65
+ 'screen-wake-lock': '',
66
+ 'sync-xhr': '',
67
+ usb: '',
68
+ 'web-share': '',
69
+ 'xr-spatial-tracking': '',
70
+ 'clipboard-read': '',
71
+ 'clipboard-write': '',
72
+ gamepad: '',
73
+ 'speaker-selection': '',
74
+ 'conversion-measurement': '',
75
+ 'focus-without-user-activation': '',
76
+ hid: '',
77
+ 'idle-detection': '',
78
+ 'interest-cohort': '',
79
+ serial: '',
80
+ 'sync-script': '',
81
+ 'trust-token-redemption': '',
82
+ 'window-placement': '',
83
+ 'vertical-scroll': ''
84
+ },
85
+ permittedCrossDomainPolicies: {
86
+ policy: 'none'
87
+ },
88
+ poweredBy: {
89
+ server: ''
90
+ },
91
+ referrerPolicy: {
92
+ policy: 'no-referrer'
93
+ },
94
+ reportTo: {
95
+ maxAge: 365 * 24 * 60 * 60,
96
+ default: '',
97
+ includeSubdomains: true,
98
+ csp: '',
99
+ staple: '',
100
+ xss: ''
101
+ },
102
+ strictTransportSecurity: {
103
+ maxAge: 180 * 24 * 60 * 60,
104
+ includeSubDomains: true,
105
+ preload: true
106
+ },
107
+ xssProtection: {
108
+ reportTo: 'xss'
109
+ }
110
+ };
111
+ const helmet = {};
112
+ const helmetHtmlOnly = {};
113
+ helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
114
+ let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
115
+ if (config.sandbox === '') {
116
+ header += '; sandbox';
117
+ }
118
+ if (config['upgrade-insecure-requests'] === '') {
119
+ header += '; upgrade-insecure-requests';
120
+ }
121
+ headers['Content-Security-Policy'] = header;
122
+ };
123
+ helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
124
+ headers['Cross-Origin-Embedder-Policy'] = config.policy;
125
+ };
126
+ helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{
127
+ headers['Cross-Origin-Opener-Policy'] = config.policy;
128
+ };
129
+ helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{
130
+ headers['Cross-Origin-Resource-Policy'] = config.policy;
131
+ };
132
+ helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
133
+ headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
134
+ };
135
+ helmet.originAgentCluster = (headers, config)=>{
136
+ headers['Origin-Agent-Cluster'] = '?1';
137
+ };
138
+ helmet.referrerPolicy = (headers, config)=>{
139
+ headers['Referrer-Policy'] = config.policy;
140
+ };
141
+ helmetHtmlOnly.reportTo = (headers, config)=>{
142
+ headers['Report-To'] = Object.keys(config).map((group)=>{
143
+ const includeSubdomains = group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : '';
144
+ return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : '';
145
+ }).filter((str)=>str).join(', ');
146
+ };
147
+ helmet.strictTransportSecurity = (headers, config)=>{
148
+ let header = 'max-age=' + Math.round(config.maxAge);
149
+ if (config.includeSubDomains) {
150
+ header += '; includeSubDomains';
151
+ }
152
+ if (config.preload) {
153
+ header += '; preload';
154
+ }
155
+ headers['Strict-Transport-Security'] = header;
156
+ };
157
+ helmet.contentTypeOptions = (headers, config)=>{
158
+ headers['X-Content-Type-Options'] = config.action;
159
+ };
160
+ helmet.dnsPrefetchControl = (headers, config)=>{
161
+ headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
162
+ };
163
+ helmet.downloadOptions = (headers, config)=>{
164
+ headers['X-Download-Options'] = config.action;
165
+ };
166
+ helmetHtmlOnly.frameOptions = (headers, config)=>{
167
+ headers['X-Frame-Options'] = config.action.toUpperCase();
168
+ };
169
+ helmet.permittedCrossDomainPolicies = (headers, config)=>{
170
+ headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
171
+ };
172
+ helmet.poweredBy = (headers, config)=>{
173
+ if (config.server) {
174
+ headers['X-Powered-By'] = config.server;
175
+ } else {
176
+ delete headers.Server;
177
+ delete headers['X-Powered-By'];
178
+ }
179
+ };
180
+ helmetHtmlOnly.xssProtection = (headers, config)=>{
181
+ let header = '1; mode=block';
182
+ if (config.reportTo) {
183
+ header += '; report=' + config.reportTo;
184
+ }
185
+ headers['X-XSS-Protection'] = header;
186
+ };
187
+ const httpSecurityHeadersMiddleware = (opts = {})=>{
188
+ const options = {
189
+ ...defaults,
190
+ ...opts
191
+ };
192
+ const httpSecurityHeadersMiddlewareAfter = async (request)=>{
193
+ (0, _util).normalizeHttpResponse(request);
194
+ Object.keys(helmet).forEach((key)=>{
195
+ if (!options[key]) return;
196
+ const config = {
197
+ ...defaults[key],
198
+ ...options[key]
199
+ };
200
+ helmet[key](request.response.headers, config);
201
+ });
202
+ if (request.response.headers['Content-Type']?.includes('text/html')) {
203
+ Object.keys(helmetHtmlOnly).forEach((key)=>{
204
+ if (!options[key]) return;
205
+ const config = {
206
+ ...defaults[key],
207
+ ...options[key]
208
+ };
209
+ helmetHtmlOnly[key](request.response.headers, config);
210
+ });
211
+ }
212
+ };
213
+ const httpSecurityHeadersMiddlewareOnError = async (request)=>{
214
+ if (request.response === undefined) return;
215
+ return httpSecurityHeadersMiddlewareAfter(request);
216
+ };
217
+ return {
218
+ after: httpSecurityHeadersMiddlewareAfter,
219
+ onError: httpSecurityHeadersMiddlewareOnError
220
+ };
221
+ };
222
+ var _default = httpSecurityHeadersMiddleware;
223
+ module.exports = _default;
224
+
2
225
 
3
226
  //# sourceMappingURL=index.cjs.map
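Review bot: The Report-To builder emits a bogus reporting group for the `maxAge` key, because the filter only excludes `includeSubdomains` while `config.maxAge` is truthy — with the defaults it produces an endpoint with `"url": "31536000"`. Every group is also labelled `"group": "default"`, so the `csp` and `xss` group names that the CSP `report-to` directive and the `X-XSS-Protection` `report=` parameter refer to never match a declared group, unless the intent really is to route everything to `default`. The endpoint URL is interpolated into the header value by string template, so a configured value containing `"` or a newline yields malformed JSON; building each group with `JSON.stringify` avoids both problems. The same code appears in the package/index.js section.
```javascript
helmetHtmlOnly.reportTo = (headers, config)=>{
  // Non-endpoint keys that must not become reporting groups.
  const skip = new Set(['maxAge', 'includeSubdomains']);
  headers['Report-To'] = Object.keys(config)
    .filter((group)=>!skip.has(group) && config[group])
    .map((group)=>JSON.stringify({
      group,
      max_age: config.maxAge,
      endpoints: [{ url: config[group] }],
      ...(group === 'default' ? { include_subdomains: config.includeSubdomains } : {})
    }))
    .join(', ');
};
```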
package/index.js CHANGED
@@ -1,3 +1,220 @@
1
- import{normalizeHttpResponse}from"@middy/util";const defaults={contentSecurityPolicy:{"default-src":"'none'","base-uri":"'none'",sandbox:"","form-action":"'none'","frame-ancestors":"'none'","navigate-to":"'none'","report-to":"csp","require-trusted-types-for":"'script'","trusted-types":"'none'","upgrade-insecure-requests":""},contentTypeOptions:{action:"nosniff"},crossOriginEmbedderPolicy:{policy:"require-corp"},crossOriginOpenerPolicy:{policy:"same-origin"},crossOriginResourcePolicy:{policy:"same-origin"},dnsPrefetchControl:{allow:false},downloadOptions:{action:"noopen"},frameOptions:{action:"deny"},originAgentCluster:{},permissionsPolicy:{accelerometer:"","ambient-light-sensor":"",autoplay:"",battery:"",camera:"","cross-origin-isolated":"","display-capture":"","document-domain":"","encrypted-media":"","execution-while-not-rendered":"","execution-while-out-of-viewport":"",fullscreen:"",geolocation:"",gyroscope:"","keyboard-map":"",magnetometer:"",microphone:"",midi:"","navigation-override":"",payment:"","picture-in-picture":"","publickey-credentials-get":"","screen-wake-lock":"","sync-xhr":"",usb:"","web-share":"","xr-spatial-tracking":"","clipboard-read":"","clipboard-write":"",gamepad:"","speaker-selection":"","conversion-measurement":"","focus-without-user-activation":"",hid:"","idle-detection":"","interest-cohort":"",serial:"","sync-script":"","trust-token-redemption":"","window-placement":"","vertical-scroll":""},permittedCrossDomainPolicies:{policy:"none"},poweredBy:{server:""},referrerPolicy:{policy:"no-referrer"},reportTo:{maxAge:365*24*60*60,default:"",includeSubdomains:true,csp:"",staple:"",xss:""},strictTransportSecurity:{maxAge:180*24*60*60,includeSubDomains:true,preload:true},xssProtection:{reportTo:"xss"}};const helmet={};const helmetHtmlOnly={};helmetHtmlOnly.contentSecurityPolicy=(headers,config)=>{let header=Object.keys(config).map(policy=>config[policy]?`${policy} ${config[policy]}`:"").filter(str=>str).join("; 
");if(config.sandbox===""){header+="; sandbox"}if(config["upgrade-insecure-requests"]===""){header+="; upgrade-insecure-requests"}headers["Content-Security-Policy"]=header};helmetHtmlOnly.crossOriginEmbedderPolicy=(headers,config)=>{headers["Cross-Origin-Embedder-Policy"]=config.policy};helmetHtmlOnly.crossOriginOpenerPolicy=(headers,config)=>{headers["Cross-Origin-Opener-Policy"]=config.policy};helmetHtmlOnly.crossOriginResourcePolicy=(headers,config)=>{headers["Cross-Origin-Resource-Policy"]=config.policy};helmetHtmlOnly.permissionsPolicy=(headers,config)=>{headers["Permissions-Policy"]=Object.keys(config).map(policy=>`${policy}=${config[policy]==="*"?"*":"("+config[policy]+")"}`).join(", ")};helmet.originAgentCluster=(headers,config)=>{headers["Origin-Agent-Cluster"]="?1"};helmet.referrerPolicy=(headers,config)=>{headers["Referrer-Policy"]=config.policy};helmetHtmlOnly.reportTo=(headers,config)=>{headers["Report-To"]=Object.keys(config).map(group=>{const includeSubdomains=group==="default"?`, "include_subdomains": ${config.includeSubdomains}`:"";return config[group]&&group!=="includeSubdomains"?`{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }`:""}).filter(str=>str).join(", ")};helmet.strictTransportSecurity=(headers,config)=>{let header="max-age="+Math.round(config.maxAge);if(config.includeSubDomains){header+="; includeSubDomains"}if(config.preload){header+="; 
preload"}headers["Strict-Transport-Security"]=header};helmet.contentTypeOptions=(headers,config)=>{headers["X-Content-Type-Options"]=config.action};helmet.dnsPrefetchControl=(headers,config)=>{headers["X-DNS-Prefetch-Control"]=config.allow?"on":"off"};helmet.downloadOptions=(headers,config)=>{headers["X-Download-Options"]=config.action};helmetHtmlOnly.frameOptions=(headers,config)=>{headers["X-Frame-Options"]=config.action.toUpperCase()};helmet.permittedCrossDomainPolicies=(headers,config)=>{headers["X-Permitted-Cross-Domain-Policies"]=config.policy};helmet.poweredBy=(headers,config)=>{if(config.server){headers["X-Powered-By"]=config.server}else{delete headers.Server;delete headers["X-Powered-By"]}};helmetHtmlOnly.xssProtection=(headers,config)=>{let header="1; mode=block";if(config.reportTo){header+="; report="+config.reportTo}headers["X-XSS-Protection"]=header};const httpSecurityHeadersMiddleware=(opts={})=>{const options={...defaults,...opts};const httpSecurityHeadersMiddlewareAfter=async request=>{normalizeHttpResponse(request);Object.keys(helmet).forEach(key=>{if(!options[key])return;const config={...defaults[key],...options[key]};helmet[key](request.response.headers,config)});if(request.response.headers["Content-Type"]?.includes("text/html")){Object.keys(helmetHtmlOnly).forEach(key=>{if(!options[key])return;const config={...defaults[key],...options[key]};helmetHtmlOnly[key](request.response.headers,config)})}};const httpSecurityHeadersMiddlewareOnError=async request=>{if(request.response===undefined)return;return httpSecurityHeadersMiddlewareAfter(request)};return{after:httpSecurityHeadersMiddlewareAfter,onError:httpSecurityHeadersMiddlewareOnError}};export default httpSecurityHeadersMiddleware
1
+ import { normalizeHttpResponse } from '@middy/util';
2
+ const defaults = {
3
+ contentSecurityPolicy: {
4
+ 'default-src': "'none'",
5
+ 'base-uri': "'none'",
6
+ sandbox: '',
7
+ 'form-action': "'none'",
8
+ 'frame-ancestors': "'none'",
9
+ 'navigate-to': "'none'",
10
+ 'report-to': 'csp',
11
+ 'require-trusted-types-for': "'script'",
12
+ 'trusted-types': "'none'",
13
+ 'upgrade-insecure-requests': ''
14
+ },
15
+ contentTypeOptions: {
16
+ action: 'nosniff'
17
+ },
18
+ crossOriginEmbedderPolicy: {
19
+ policy: 'require-corp'
20
+ },
21
+ crossOriginOpenerPolicy: {
22
+ policy: 'same-origin'
23
+ },
24
+ crossOriginResourcePolicy: {
25
+ policy: 'same-origin'
26
+ },
27
+ dnsPrefetchControl: {
28
+ allow: false
29
+ },
30
+ downloadOptions: {
31
+ action: 'noopen'
32
+ },
33
+ frameOptions: {
34
+ action: 'deny'
35
+ },
36
+ originAgentCluster: {},
37
+ permissionsPolicy: {
38
+ accelerometer: '',
39
+ 'ambient-light-sensor': '',
40
+ autoplay: '',
41
+ battery: '',
42
+ camera: '',
43
+ 'cross-origin-isolated': '',
44
+ 'display-capture': '',
45
+ 'document-domain': '',
46
+ 'encrypted-media': '',
47
+ 'execution-while-not-rendered': '',
48
+ 'execution-while-out-of-viewport': '',
49
+ fullscreen: '',
50
+ geolocation: '',
51
+ gyroscope: '',
52
+ 'keyboard-map': '',
53
+ magnetometer: '',
54
+ microphone: '',
55
+ midi: '',
56
+ 'navigation-override': '',
57
+ payment: '',
58
+ 'picture-in-picture': '',
59
+ 'publickey-credentials-get': '',
60
+ 'screen-wake-lock': '',
61
+ 'sync-xhr': '',
62
+ usb: '',
63
+ 'web-share': '',
64
+ 'xr-spatial-tracking': '',
65
+ 'clipboard-read': '',
66
+ 'clipboard-write': '',
67
+ gamepad: '',
68
+ 'speaker-selection': '',
69
+ 'conversion-measurement': '',
70
+ 'focus-without-user-activation': '',
71
+ hid: '',
72
+ 'idle-detection': '',
73
+ 'interest-cohort': '',
74
+ serial: '',
75
+ 'sync-script': '',
76
+ 'trust-token-redemption': '',
77
+ 'window-placement': '',
78
+ 'vertical-scroll': ''
79
+ },
80
+ permittedCrossDomainPolicies: {
81
+ policy: 'none'
82
+ },
83
+ poweredBy: {
84
+ server: ''
85
+ },
86
+ referrerPolicy: {
87
+ policy: 'no-referrer'
88
+ },
89
+ reportTo: {
90
+ maxAge: 365 * 24 * 60 * 60,
91
+ default: '',
92
+ includeSubdomains: true,
93
+ csp: '',
94
+ staple: '',
95
+ xss: ''
96
+ },
97
+ strictTransportSecurity: {
98
+ maxAge: 180 * 24 * 60 * 60,
99
+ includeSubDomains: true,
100
+ preload: true
101
+ },
102
+ xssProtection: {
103
+ reportTo: 'xss'
104
+ }
105
+ };
106
+ const helmet = {};
107
+ const helmetHtmlOnly = {};
108
+ helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
109
+ let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
110
+ if (config.sandbox === '') {
111
+ header += '; sandbox';
112
+ }
113
+ if (config['upgrade-insecure-requests'] === '') {
114
+ header += '; upgrade-insecure-requests';
115
+ }
116
+ headers['Content-Security-Policy'] = header;
117
+ };
118
+ helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
119
+ headers['Cross-Origin-Embedder-Policy'] = config.policy;
120
+ };
121
+ helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{
122
+ headers['Cross-Origin-Opener-Policy'] = config.policy;
123
+ };
124
+ helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{
125
+ headers['Cross-Origin-Resource-Policy'] = config.policy;
126
+ };
127
+ helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
128
+ headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
129
+ };
130
+ helmet.originAgentCluster = (headers, config)=>{
131
+ headers['Origin-Agent-Cluster'] = '?1';
132
+ };
133
+ helmet.referrerPolicy = (headers, config)=>{
134
+ headers['Referrer-Policy'] = config.policy;
135
+ };
136
+ helmetHtmlOnly.reportTo = (headers, config)=>{
137
+ headers['Report-To'] = Object.keys(config).map((group)=>{
138
+ const includeSubdomains = group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : '';
139
+ return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : '';
140
+ }).filter((str)=>str).join(', ');
141
+ };
142
+ helmet.strictTransportSecurity = (headers, config)=>{
143
+ let header = 'max-age=' + Math.round(config.maxAge);
144
+ if (config.includeSubDomains) {
145
+ header += '; includeSubDomains';
146
+ }
147
+ if (config.preload) {
148
+ header += '; preload';
149
+ }
150
+ headers['Strict-Transport-Security'] = header;
151
+ };
152
+ helmet.contentTypeOptions = (headers, config)=>{
153
+ headers['X-Content-Type-Options'] = config.action;
154
+ };
155
+ helmet.dnsPrefetchControl = (headers, config)=>{
156
+ headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
157
+ };
158
+ helmet.downloadOptions = (headers, config)=>{
159
+ headers['X-Download-Options'] = config.action;
160
+ };
161
+ helmetHtmlOnly.frameOptions = (headers, config)=>{
162
+ headers['X-Frame-Options'] = config.action.toUpperCase();
163
+ };
164
+ helmet.permittedCrossDomainPolicies = (headers, config)=>{
165
+ headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
166
+ };
167
+ helmet.poweredBy = (headers, config)=>{
168
+ if (config.server) {
169
+ headers['X-Powered-By'] = config.server;
170
+ } else {
171
+ delete headers.Server;
172
+ delete headers['X-Powered-By'];
173
+ }
174
+ };
175
+ helmetHtmlOnly.xssProtection = (headers, config)=>{
176
+ let header = '1; mode=block';
177
+ if (config.reportTo) {
178
+ header += '; report=' + config.reportTo;
179
+ }
180
+ headers['X-XSS-Protection'] = header;
181
+ };
182
+ const httpSecurityHeadersMiddleware = (opts = {})=>{
183
+ const options = {
184
+ ...defaults,
185
+ ...opts
186
+ };
187
+ const httpSecurityHeadersMiddlewareAfter = async (request)=>{
188
+ normalizeHttpResponse(request);
189
+ Object.keys(helmet).forEach((key)=>{
190
+ if (!options[key]) return;
191
+ const config = {
192
+ ...defaults[key],
193
+ ...options[key]
194
+ };
195
+ helmet[key](request.response.headers, config);
196
+ });
197
+ if (request.response.headers['Content-Type']?.includes('text/html')) {
198
+ Object.keys(helmetHtmlOnly).forEach((key)=>{
199
+ if (!options[key]) return;
200
+ const config = {
201
+ ...defaults[key],
202
+ ...options[key]
203
+ };
204
+ helmetHtmlOnly[key](request.response.headers, config);
205
+ });
206
+ }
207
+ };
208
+ const httpSecurityHeadersMiddlewareOnError = async (request)=>{
209
+ if (request.response === undefined) return;
210
+ return httpSecurityHeadersMiddlewareAfter(request);
211
+ };
212
+ return {
213
+ after: httpSecurityHeadersMiddlewareAfter,
214
+ onError: httpSecurityHeadersMiddlewareOnError
215
+ };
216
+ };
217
+ export default httpSecurityHeadersMiddleware;
218
+
2
219
 
3
220
  //# sourceMappingURL=index.js.map
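--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@middy/http-security-headers",
-"version": "3.0.3",
+"version": "3.1.0-rc.1",
 "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
 "type": "module",
 "engines": {
@@ -10,11 +10,17 @@
 "publishConfig": {
 "access": "public"
 },
+"main": "./index.cjs",
 "exports": {
 ".": {
-"import": "./index.js",
-"require": "./index.cjs",
-"types": "./index.d.ts"
+"import": {
+"types": "./index.d.ts",
+"default": "./index.js"
+},
+"require": {
+"types": "./index.d.ts",
+"default": "./index.cjs"
+}
 }
 },
 "types": "index.d.ts",
@@ -57,11 +63,11 @@
 "url": "https://github.com/middyjs/middy/issues"
 },
 "homepage": "https://middy.js.org",
-"gitHead": "ea9e5e8cce754d0c467c7dd3ac9a7601149efea2",
+"gitHead": "044c397e7a2b1de516b4b5c21ece2baffdbfa771",
 "dependencies": {
-"@middy/util": "3.0.3"
+"@middy/util": "3.1.0-rc.1"
 },
 "devDependencies": {
-"@middy/core": "3.0.3"
+"@middy/core": "3.1.0-rc.1"
 }
 }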