npm - @middy/http-security-headers - Versions diffs - 4.6.1 → 4.6.3 - Mend

@middy/http-security-headers 4.6.1 → 4.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/index.cjs CHANGED Viewed

@@ -9,15 +9,37 @@ Object.defineProperty(module, "exports", {
     }
 });
 const _util = require("@middy/util");
+// Code and Defaults heavily based off https://helmetjs.github.io/
 const defaults = {
     contentSecurityPolicy: {
+        // Fetch directives
+        // 'child-src': '', // fallback default-src
+        // 'connect-src': '', // fallback default-src
         'default-src': "'none'",
+        // 'font-src':'', // fallback default-src
+        // 'frame-src':'', // fallback child-src > default-src
+        // 'img-src':'', // fallback default-src
+        // 'manifest-src':'', // fallback default-src
+        // 'media-src':'', // fallback default-src
+        // 'object-src':'', // fallback default-src
+        // 'prefetch-src':'', // fallback default-src
+        // 'script-src':'', // fallback default-src
+        // 'script-src-elem':'', // fallback script-src > default-src
+        // 'script-src-attr':'', // fallback script-src > default-src
+        // 'style-src':'', // fallback default-src
+        // 'style-src-elem':'', // fallback style-src > default-src
+        // 'style-src-attr':'', // fallback style-src > default-src
+        // 'worker-src':'', // fallback child-src > script-src > default-src
+        // Document directives
         'base-uri': "'none'",
         sandbox: '',
+        // Navigation directives
         'form-action': "'none'",
         'frame-ancestors': "'none'",
         'navigate-to': "'none'",
+        // Reporting directives
         'report-to': 'csp',
+        // Other directives
         'require-trusted-types-for': "'script'",
         'trusted-types': "'none'",
         'upgrade-insecure-requests': ''
@@ -45,6 +67,7 @@ const defaults = {
     },
     originAgentCluster: {},
     permissionsPolicy: {
+        // Standard
         accelerometer: '',
         'ambient-light-sensor': '',
         autoplay: '',
@@ -72,10 +95,12 @@ const defaults = {
         usb: '',
         'web-share': '',
         'xr-spatial-tracking': '',
+        // Proposed
         'clipboard-read': '',
         'clipboard-write': '',
         gamepad: '',
         'speaker-selection': '',
+        // Experimental
         'conversion-measurement': '',
         'focus-without-user-activation': '',
         hid: '',
@@ -88,7 +113,7 @@ const defaults = {
         'vertical-scroll': ''
     },
     permittedCrossDomainPolicies: {
-        policy: 'none'
+        policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
     },
     poweredBy: {
         server: ''
@@ -115,6 +140,8 @@ const defaults = {
 };
 const helmet = {};
 const helmetHtmlOnly = {};
+// *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
     let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
     if (config.sandbox === '') {
@@ -125,6 +152,7 @@ helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
     }
     headers['Content-Security-Policy'] = header;
 };
+// crossdomain - N/A - for Adobe products
 helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
     headers['Cross-Origin-Embedder-Policy'] = config.policy;
 };
@@ -134,12 +162,16 @@ helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{
 helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{
     headers['Cross-Origin-Resource-Policy'] = config.policy;
 };
+// DEPRECATED: expectCt
+// DEPRECATED: hpkp
+// https://www.permissionspolicy.com/
 helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
     headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
 };
 helmet.originAgentCluster = (headers, config)=>{
     headers['Origin-Agent-Cluster'] = '?1';
 };
+// https://github.com/helmetjs/referrer-policy
 helmet.referrerPolicy = (headers, config)=>{
     headers['Referrer-Policy'] = config.policy;
 };
@@ -149,6 +181,7 @@ helmetHtmlOnly.reportTo = (headers, config)=>{
         return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : '';
     }).filter((str)=>str).join(', ');
 };
+// https://github.com/helmetjs/hsts
 helmet.strictTransportSecurity = (headers, config)=>{
     let header = 'max-age=' + Math.round(config.maxAge);
     if (config.includeSubDomains) {
@@ -159,21 +192,29 @@ helmet.strictTransportSecurity = (headers, config)=>{
     }
     headers['Strict-Transport-Security'] = header;
 };
+// noCache - N/A - separate middleware
+// X-* //
+// https://github.com/helmetjs/dont-sniff-mimetype
 helmet.contentTypeOptions = (headers, config)=>{
     headers['X-Content-Type-Options'] = config.action;
 };
+// https://github.com/helmetjs/dns-Prefetch-control
 helmet.dnsPrefetchControl = (headers, config)=>{
     headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
 };
+// https://github.com/helmetjs/ienoopen
 helmet.downloadOptions = (headers, config)=>{
     headers['X-Download-Options'] = config.action;
 };
+// https://github.com/helmetjs/frameOptions
 helmetHtmlOnly.frameOptions = (headers, config)=>{
     headers['X-Frame-Options'] = config.action.toUpperCase();
 };
+// https://github.com/helmetjs/crossdomain
 helmet.permittedCrossDomainPolicies = (headers, config)=>{
     headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
 };
+// https://github.com/helmetjs/hide-powered-by
 helmet.poweredBy = (headers, config)=>{
     if (config.server) {
         headers['X-Powered-By'] = config.server;
@@ -182,6 +223,7 @@ helmet.poweredBy = (headers, config)=>{
         delete headers['X-Powered-By'];
     }
 };
+// https://github.com/helmetjs/x-xss-protection
 helmetHtmlOnly.xssProtection = (headers, config)=>{
     let header = '1; mode=block';
     if (config.reportTo) {

package/index.js CHANGED Viewed

@@ -1,13 +1,35 @@
 import { normalizeHttpResponse } from '@middy/util';
+// Code and Defaults heavily based off https://helmetjs.github.io/
 const defaults = {
     contentSecurityPolicy: {
+        // Fetch directives
+        // 'child-src': '', // fallback default-src
+        // 'connect-src': '', // fallback default-src
         'default-src': "'none'",
+        // 'font-src':'', // fallback default-src
+        // 'frame-src':'', // fallback child-src > default-src
+        // 'img-src':'', // fallback default-src
+        // 'manifest-src':'', // fallback default-src
+        // 'media-src':'', // fallback default-src
+        // 'object-src':'', // fallback default-src
+        // 'prefetch-src':'', // fallback default-src
+        // 'script-src':'', // fallback default-src
+        // 'script-src-elem':'', // fallback script-src > default-src
+        // 'script-src-attr':'', // fallback script-src > default-src
+        // 'style-src':'', // fallback default-src
+        // 'style-src-elem':'', // fallback style-src > default-src
+        // 'style-src-attr':'', // fallback style-src > default-src
+        // 'worker-src':'', // fallback child-src > script-src > default-src
+        // Document directives
         'base-uri': "'none'",
         sandbox: '',
+        // Navigation directives
         'form-action': "'none'",
         'frame-ancestors': "'none'",
         'navigate-to': "'none'",
+        // Reporting directives
         'report-to': 'csp',
+        // Other directives
         'require-trusted-types-for': "'script'",
         'trusted-types': "'none'",
         'upgrade-insecure-requests': ''
@@ -35,6 +57,7 @@ const defaults = {
     },
     originAgentCluster: {},
     permissionsPolicy: {
+        // Standard
         accelerometer: '',
         'ambient-light-sensor': '',
         autoplay: '',
@@ -62,10 +85,12 @@ const defaults = {
         usb: '',
         'web-share': '',
         'xr-spatial-tracking': '',
+        // Proposed
         'clipboard-read': '',
         'clipboard-write': '',
         gamepad: '',
         'speaker-selection': '',
+        // Experimental
         'conversion-measurement': '',
         'focus-without-user-activation': '',
         hid: '',
@@ -78,7 +103,7 @@ const defaults = {
         'vertical-scroll': ''
     },
     permittedCrossDomainPolicies: {
-        policy: 'none'
+        policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
     },
     poweredBy: {
         server: ''
@@ -105,6 +130,8 @@ const defaults = {
 };
 const helmet = {};
 const helmetHtmlOnly = {};
+// *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
     let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
     if (config.sandbox === '') {
@@ -115,6 +142,7 @@ helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
     }
     headers['Content-Security-Policy'] = header;
 };
+// crossdomain - N/A - for Adobe products
 helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
     headers['Cross-Origin-Embedder-Policy'] = config.policy;
 };
@@ -124,12 +152,16 @@ helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{
 helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{
     headers['Cross-Origin-Resource-Policy'] = config.policy;
 };
+// DEPRECATED: expectCt
+// DEPRECATED: hpkp
+// https://www.permissionspolicy.com/
 helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
     headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
 };
 helmet.originAgentCluster = (headers, config)=>{
     headers['Origin-Agent-Cluster'] = '?1';
 };
+// https://github.com/helmetjs/referrer-policy
 helmet.referrerPolicy = (headers, config)=>{
     headers['Referrer-Policy'] = config.policy;
 };
@@ -139,6 +171,7 @@ helmetHtmlOnly.reportTo = (headers, config)=>{
         return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : '';
     }).filter((str)=>str).join(', ');
 };
+// https://github.com/helmetjs/hsts
 helmet.strictTransportSecurity = (headers, config)=>{
     let header = 'max-age=' + Math.round(config.maxAge);
     if (config.includeSubDomains) {
@@ -149,21 +182,29 @@ helmet.strictTransportSecurity = (headers, config)=>{
     }
     headers['Strict-Transport-Security'] = header;
 };
+// noCache - N/A - separate middleware
+// X-* //
+// https://github.com/helmetjs/dont-sniff-mimetype
 helmet.contentTypeOptions = (headers, config)=>{
     headers['X-Content-Type-Options'] = config.action;
 };
+// https://github.com/helmetjs/dns-Prefetch-control
 helmet.dnsPrefetchControl = (headers, config)=>{
     headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
 };
+// https://github.com/helmetjs/ienoopen
 helmet.downloadOptions = (headers, config)=>{
     headers['X-Download-Options'] = config.action;
 };
+// https://github.com/helmetjs/frameOptions
 helmetHtmlOnly.frameOptions = (headers, config)=>{
     headers['X-Frame-Options'] = config.action.toUpperCase();
 };
+// https://github.com/helmetjs/crossdomain
 helmet.permittedCrossDomainPolicies = (headers, config)=>{
     headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
 };
+// https://github.com/helmetjs/hide-powered-by
 helmet.poweredBy = (headers, config)=>{
     if (config.server) {
         headers['X-Powered-By'] = config.server;
@@ -172,6 +213,7 @@ helmet.poweredBy = (headers, config)=>{
         delete headers['X-Powered-By'];
     }
 };
+// https://github.com/helmetjs/x-xss-protection
 helmetHtmlOnly.xssProtection = (headers, config)=>{
     let header = '1; mode=block';
     if (config.reportTo) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@middy/http-security-headers",
-  "version": "4.6.1",
+  "version": "4.6.3",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
   "type": "module",
   "engines": {
@@ -68,11 +68,11 @@
     "type": "github",
     "url": "https://github.com/sponsors/willfarrell"
   },
-  "gitHead": "253ed0e4ca95623decbade03938a07d837a1eba2",
+  "gitHead": "4873f6e64cc4a7dbe8739ed3e45ef458dfe0dba1",
   "dependencies": {
-    "@middy/util": "4.6.1"
+    "@middy/util": "4.6.3"
   },
   "devDependencies": {
-    "@middy/core": "4.6.1"
+    "@middy/core": "4.6.3"
   }
 }