@middy/http-security-headers 4.6.1 → 4.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/index.cjs +43 -1
  2. package/index.js +43 -1
  3. package/package.json +4 -4
package/index.cjs CHANGED
@@ -9,15 +9,37 @@ Object.defineProperty(module, "exports", {
9
9
  }
10
10
  });
11
11
  const _util = require("@middy/util");
12
+ // Code and Defaults heavily based off https://helmetjs.github.io/
12
13
  const defaults = {
13
14
  contentSecurityPolicy: {
15
+ // Fetch directives
16
+ // 'child-src': '', // fallback default-src
17
+ // 'connect-src': '', // fallback default-src
14
18
  'default-src': "'none'",
19
+ // 'font-src':'', // fallback default-src
20
+ // 'frame-src':'', // fallback child-src > default-src
21
+ // 'img-src':'', // fallback default-src
22
+ // 'manifest-src':'', // fallback default-src
23
+ // 'media-src':'', // fallback default-src
24
+ // 'object-src':'', // fallback default-src
25
+ // 'prefetch-src':'', // fallback default-src
26
+ // 'script-src':'', // fallback default-src
27
+ // 'script-src-elem':'', // fallback script-src > default-src
28
+ // 'script-src-attr':'', // fallback script-src > default-src
29
+ // 'style-src':'', // fallback default-src
30
+ // 'style-src-elem':'', // fallback style-src > default-src
31
+ // 'style-src-attr':'', // fallback style-src > default-src
32
+ // 'worker-src':'', // fallback child-src > script-src > default-src
33
+ // Document directives
15
34
  'base-uri': "'none'",
16
35
  sandbox: '',
36
+ // Navigation directives
17
37
  'form-action': "'none'",
18
38
  'frame-ancestors': "'none'",
19
39
  'navigate-to': "'none'",
40
+ // Reporting directives
20
41
  'report-to': 'csp',
42
+ // Other directives
21
43
  'require-trusted-types-for': "'script'",
22
44
  'trusted-types': "'none'",
23
45
  'upgrade-insecure-requests': ''
@@ -45,6 +67,7 @@ const defaults = {
45
67
  },
46
68
  originAgentCluster: {},
47
69
  permissionsPolicy: {
70
+ // Standard
48
71
  accelerometer: '',
49
72
  'ambient-light-sensor': '',
50
73
  autoplay: '',
@@ -72,10 +95,12 @@ const defaults = {
72
95
  usb: '',
73
96
  'web-share': '',
74
97
  'xr-spatial-tracking': '',
98
+ // Proposed
75
99
  'clipboard-read': '',
76
100
  'clipboard-write': '',
77
101
  gamepad: '',
78
102
  'speaker-selection': '',
103
+ // Experimental
79
104
  'conversion-measurement': '',
80
105
  'focus-without-user-activation': '',
81
106
  hid: '',
@@ -88,7 +113,7 @@ const defaults = {
88
113
  'vertical-scroll': ''
89
114
  },
90
115
  permittedCrossDomainPolicies: {
91
- policy: 'none'
116
+ policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
92
117
  },
93
118
  poweredBy: {
94
119
  server: ''
@@ -115,6 +140,8 @@ const defaults = {
115
140
  };
116
141
  const helmet = {};
117
142
  const helmetHtmlOnly = {};
143
+ // *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
144
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
118
145
  helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
119
146
  let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
120
147
  if (config.sandbox === '') {
@@ -125,6 +152,7 @@ helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
125
152
  }
126
153
  headers['Content-Security-Policy'] = header;
127
154
  };
155
+ // crossdomain - N/A - for Adobe products
128
156
  helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
129
157
  headers['Cross-Origin-Embedder-Policy'] = config.policy;
130
158
  };
@@ -134,12 +162,16 @@ helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{
134
162
  helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{
135
163
  headers['Cross-Origin-Resource-Policy'] = config.policy;
136
164
  };
165
+ // DEPRECATED: expectCt
166
+ // DEPRECATED: hpkp
167
+ // https://www.permissionspolicy.com/
137
168
  helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
138
169
  headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
139
170
  };
140
171
  helmet.originAgentCluster = (headers, config)=>{
141
172
  headers['Origin-Agent-Cluster'] = '?1';
142
173
  };
174
+ // https://github.com/helmetjs/referrer-policy
143
175
  helmet.referrerPolicy = (headers, config)=>{
144
176
  headers['Referrer-Policy'] = config.policy;
145
177
  };
@@ -149,6 +181,7 @@ helmetHtmlOnly.reportTo = (headers, config)=>{
149
181
  return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : '';
150
182
  }).filter((str)=>str).join(', ');
151
183
  };
184
+ // https://github.com/helmetjs/hsts
152
185
  helmet.strictTransportSecurity = (headers, config)=>{
153
186
  let header = 'max-age=' + Math.round(config.maxAge);
154
187
  if (config.includeSubDomains) {
@@ -159,21 +192,29 @@ helmet.strictTransportSecurity = (headers, config)=>{
159
192
  }
160
193
  headers['Strict-Transport-Security'] = header;
161
194
  };
195
+ // noCache - N/A - separate middleware
196
+ // X-* //
197
+ // https://github.com/helmetjs/dont-sniff-mimetype
162
198
  helmet.contentTypeOptions = (headers, config)=>{
163
199
  headers['X-Content-Type-Options'] = config.action;
164
200
  };
201
+ // https://github.com/helmetjs/dns-Prefetch-control
165
202
  helmet.dnsPrefetchControl = (headers, config)=>{
166
203
  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
167
204
  };
205
+ // https://github.com/helmetjs/ienoopen
168
206
  helmet.downloadOptions = (headers, config)=>{
169
207
  headers['X-Download-Options'] = config.action;
170
208
  };
209
+ // https://github.com/helmetjs/frameOptions
171
210
  helmetHtmlOnly.frameOptions = (headers, config)=>{
172
211
  headers['X-Frame-Options'] = config.action.toUpperCase();
173
212
  };
213
+ // https://github.com/helmetjs/crossdomain
174
214
  helmet.permittedCrossDomainPolicies = (headers, config)=>{
175
215
  headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
176
216
  };
217
+ // https://github.com/helmetjs/hide-powered-by
177
218
  helmet.poweredBy = (headers, config)=>{
178
219
  if (config.server) {
179
220
  headers['X-Powered-By'] = config.server;
@@ -182,6 +223,7 @@ helmet.poweredBy = (headers, config)=>{
182
223
  delete headers['X-Powered-By'];
183
224
  }
184
225
  };
226
+ // https://github.com/helmetjs/x-xss-protection
185
227
  helmetHtmlOnly.xssProtection = (headers, config)=>{
186
228
  let header = '1; mode=block';
187
229
  if (config.reportTo) {
package/index.js CHANGED
@@ -1,13 +1,35 @@
1
1
  import { normalizeHttpResponse } from '@middy/util';
2
+ // Code and Defaults heavily based off https://helmetjs.github.io/
2
3
  const defaults = {
3
4
  contentSecurityPolicy: {
5
+ // Fetch directives
6
+ // 'child-src': '', // fallback default-src
7
+ // 'connect-src': '', // fallback default-src
4
8
  'default-src': "'none'",
9
+ // 'font-src':'', // fallback default-src
10
+ // 'frame-src':'', // fallback child-src > default-src
11
+ // 'img-src':'', // fallback default-src
12
+ // 'manifest-src':'', // fallback default-src
13
+ // 'media-src':'', // fallback default-src
14
+ // 'object-src':'', // fallback default-src
15
+ // 'prefetch-src':'', // fallback default-src
16
+ // 'script-src':'', // fallback default-src
17
+ // 'script-src-elem':'', // fallback script-src > default-src
18
+ // 'script-src-attr':'', // fallback script-src > default-src
19
+ // 'style-src':'', // fallback default-src
20
+ // 'style-src-elem':'', // fallback style-src > default-src
21
+ // 'style-src-attr':'', // fallback style-src > default-src
22
+ // 'worker-src':'', // fallback child-src > script-src > default-src
23
+ // Document directives
5
24
  'base-uri': "'none'",
6
25
  sandbox: '',
26
+ // Navigation directives
7
27
  'form-action': "'none'",
8
28
  'frame-ancestors': "'none'",
9
29
  'navigate-to': "'none'",
30
+ // Reporting directives
10
31
  'report-to': 'csp',
32
+ // Other directives
11
33
  'require-trusted-types-for': "'script'",
12
34
  'trusted-types': "'none'",
13
35
  'upgrade-insecure-requests': ''
@@ -35,6 +57,7 @@ const defaults = {
35
57
  },
36
58
  originAgentCluster: {},
37
59
  permissionsPolicy: {
60
+ // Standard
38
61
  accelerometer: '',
39
62
  'ambient-light-sensor': '',
40
63
  autoplay: '',
@@ -62,10 +85,12 @@ const defaults = {
62
85
  usb: '',
63
86
  'web-share': '',
64
87
  'xr-spatial-tracking': '',
88
+ // Proposed
65
89
  'clipboard-read': '',
66
90
  'clipboard-write': '',
67
91
  gamepad: '',
68
92
  'speaker-selection': '',
93
+ // Experimental
69
94
  'conversion-measurement': '',
70
95
  'focus-without-user-activation': '',
71
96
  hid: '',
@@ -78,7 +103,7 @@ const defaults = {
78
103
  'vertical-scroll': ''
79
104
  },
80
105
  permittedCrossDomainPolicies: {
81
- policy: 'none'
106
+ policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
82
107
  },
83
108
  poweredBy: {
84
109
  server: ''
@@ -105,6 +130,8 @@ const defaults = {
105
130
  };
106
131
  const helmet = {};
107
132
  const helmetHtmlOnly = {};
133
+ // *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
134
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
108
135
  helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
109
136
  let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
110
137
  if (config.sandbox === '') {
@@ -115,6 +142,7 @@ helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
115
142
  }
116
143
  headers['Content-Security-Policy'] = header;
117
144
  };
145
+ // crossdomain - N/A - for Adobe products
118
146
  helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
119
147
  headers['Cross-Origin-Embedder-Policy'] = config.policy;
120
148
  };
@@ -124,12 +152,16 @@ helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{
124
152
  helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{
125
153
  headers['Cross-Origin-Resource-Policy'] = config.policy;
126
154
  };
155
+ // DEPRECATED: expectCt
156
+ // DEPRECATED: hpkp
157
+ // https://www.permissionspolicy.com/
127
158
  helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
128
159
  headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
129
160
  };
130
161
  helmet.originAgentCluster = (headers, config)=>{
131
162
  headers['Origin-Agent-Cluster'] = '?1';
132
163
  };
164
+ // https://github.com/helmetjs/referrer-policy
133
165
  helmet.referrerPolicy = (headers, config)=>{
134
166
  headers['Referrer-Policy'] = config.policy;
135
167
  };
@@ -139,6 +171,7 @@ helmetHtmlOnly.reportTo = (headers, config)=>{
139
171
  return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : '';
140
172
  }).filter((str)=>str).join(', ');
141
173
  };
174
+ // https://github.com/helmetjs/hsts
142
175
  helmet.strictTransportSecurity = (headers, config)=>{
143
176
  let header = 'max-age=' + Math.round(config.maxAge);
144
177
  if (config.includeSubDomains) {
@@ -149,21 +182,29 @@ helmet.strictTransportSecurity = (headers, config)=>{
149
182
  }
150
183
  headers['Strict-Transport-Security'] = header;
151
184
  };
185
+ // noCache - N/A - separate middleware
186
+ // X-* //
187
+ // https://github.com/helmetjs/dont-sniff-mimetype
152
188
  helmet.contentTypeOptions = (headers, config)=>{
153
189
  headers['X-Content-Type-Options'] = config.action;
154
190
  };
191
+ // https://github.com/helmetjs/dns-Prefetch-control
155
192
  helmet.dnsPrefetchControl = (headers, config)=>{
156
193
  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
157
194
  };
195
+ // https://github.com/helmetjs/ienoopen
158
196
  helmet.downloadOptions = (headers, config)=>{
159
197
  headers['X-Download-Options'] = config.action;
160
198
  };
199
+ // https://github.com/helmetjs/frameOptions
161
200
  helmetHtmlOnly.frameOptions = (headers, config)=>{
162
201
  headers['X-Frame-Options'] = config.action.toUpperCase();
163
202
  };
203
+ // https://github.com/helmetjs/crossdomain
164
204
  helmet.permittedCrossDomainPolicies = (headers, config)=>{
165
205
  headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
166
206
  };
207
+ // https://github.com/helmetjs/hide-powered-by
167
208
  helmet.poweredBy = (headers, config)=>{
168
209
  if (config.server) {
169
210
  headers['X-Powered-By'] = config.server;
@@ -172,6 +213,7 @@ helmet.poweredBy = (headers, config)=>{
172
213
  delete headers['X-Powered-By'];
173
214
  }
174
215
  };
216
+ // https://github.com/helmetjs/x-xss-protection
175
217
  helmetHtmlOnly.xssProtection = (headers, config)=>{
176
218
  let header = '1; mode=block';
177
219
  if (config.reportTo) {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@middy/http-security-headers",
3
- "version": "4.6.1",
3
+ "version": "4.6.2",
4
4
  "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
5
5
  "type": "module",
6
6
  "engines": {
@@ -68,11 +68,11 @@
68
68
  "type": "github",
69
69
  "url": "https://github.com/sponsors/willfarrell"
70
70
  },
71
- "gitHead": "253ed0e4ca95623decbade03938a07d837a1eba2",
71
+ "gitHead": "8b03a01abf5a9c08231ec5ced775e87f8be8f67d",
72
72
  "dependencies": {
73
- "@middy/util": "4.6.1"
73
+ "@middy/util": "4.6.2"
74
74
  },
75
75
  "devDependencies": {
76
- "@middy/core": "4.6.1"
76
+ "@middy/core": "4.6.2"
77
77
  }
78
78
  }