@middy/http-security-headers 5.0.0-alpha.0 → 5.0.0-alpha.1

package/README.md

@@ -20,8 +20,9 @@
   <a href="https://snyk.io/test/github/middyjs/middy">
     <img src="https://snyk.io/test/github/middyjs/middy/badge.svg" alt="Known Vulnerabilities" data-canonical-src="https://snyk.io/test/github/middyjs/middy" style="max-width:100%;">
   </a>
-  <a href="https://lgtm.com/projects/g/middyjs/middy/context:javascript">
-    <img src="https://img.shields.io/lgtm/grade/javascript/g/middyjs/middy.svg?logo=lgtm&logoWidth=18" alt="Language grade: JavaScript" style="max-width:100%;">
+  <a href="https://github.com/middyjs/middy/actions/workflows/sast.yml">
+    <img src="https://github.com/middyjs/middy/actions/workflows/sast.yml/badge.svg
+?branch=main&event=push" alt="CodeQL" style="max-width:100%;">
   </a>
   <a href="https://bestpractices.coreinfrastructure.org/projects/5280">
     <img src="https://bestpractices.coreinfrastructure.org/projects/5280/badge" alt="Core Infrastructure Initiative (CII) Best Practices"  style="max-width:100%;">

package/index.js

@@ -1,218 +1,288 @@
-import { normalizeHttpResponse } from '@middy/util';
+import { normalizeHttpResponse } from '@middy/util'
+
+// Code and Defaults heavily based off https://helmetjs.github.io/
+
 const defaults = {
-    contentSecurityPolicy: {
-        'default-src': "'none'",
-        'base-uri': "'none'",
-        sandbox: '',
-        'form-action': "'none'",
-        'frame-ancestors': "'none'",
-        'navigate-to': "'none'",
-        'report-to': 'csp',
-        'require-trusted-types-for': "'script'",
-        'trusted-types': "'none'",
-        'upgrade-insecure-requests': ''
-    },
-    contentTypeOptions: {
-        action: 'nosniff'
-    },
-    crossOriginEmbedderPolicy: {
-        policy: 'require-corp'
-    },
-    crossOriginOpenerPolicy: {
-        policy: 'same-origin'
-    },
-    crossOriginResourcePolicy: {
-        policy: 'same-origin'
-    },
-    dnsPrefetchControl: {
-        allow: false
-    },
-    downloadOptions: {
-        action: 'noopen'
-    },
-    frameOptions: {
-        action: 'deny'
-    },
-    originAgentCluster: {},
-    permissionsPolicy: {
-        accelerometer: '',
-        'ambient-light-sensor': '',
-        autoplay: '',
-        battery: '',
-        camera: '',
-        'cross-origin-isolated': '',
-        'display-capture': '',
-        'document-domain': '',
-        'encrypted-media': '',
-        'execution-while-not-rendered': '',
-        'execution-while-out-of-viewport': '',
-        fullscreen: '',
-        geolocation: '',
-        gyroscope: '',
-        'keyboard-map': '',
-        magnetometer: '',
-        microphone: '',
-        midi: '',
-        'navigation-override': '',
-        payment: '',
-        'picture-in-picture': '',
-        'publickey-credentials-get': '',
-        'screen-wake-lock': '',
-        'sync-xhr': '',
-        usb: '',
-        'web-share': '',
-        'xr-spatial-tracking': '',
-        'clipboard-read': '',
-        'clipboard-write': '',
-        gamepad: '',
-        'speaker-selection': '',
-        'conversion-measurement': '',
-        'focus-without-user-activation': '',
-        hid: '',
-        'idle-detection': '',
-        'interest-cohort': '',
-        serial: '',
-        'sync-script': '',
-        'trust-token-redemption': '',
-        'window-placement': '',
-        'vertical-scroll': ''
-    },
-    permittedCrossDomainPolicies: {
-        policy: 'none'
-    },
-    poweredBy: {
-        server: ''
-    },
-    referrerPolicy: {
-        policy: 'no-referrer'
-    },
-    reportTo: {
-        maxAge: 365 * 24 * 60 * 60,
-        default: '',
-        includeSubdomains: true,
-        csp: '',
-        staple: '',
-        xss: ''
-    },
-    strictTransportSecurity: {
-        maxAge: 180 * 24 * 60 * 60,
-        includeSubDomains: true,
-        preload: true
-    },
-    xssProtection: {
-        reportTo: 'xss'
-    }
-};
-const helmet = {};
-const helmetHtmlOnly = {};
-helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
-    let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
-    if (config.sandbox === '') {
-        header += '; sandbox';
-    }
-    if (config['upgrade-insecure-requests'] === '') {
-        header += '; upgrade-insecure-requests';
-    }
-    headers['Content-Security-Policy'] = header;
-};
-helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
-    headers['Cross-Origin-Embedder-Policy'] = config.policy;
-};
-helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{
-    headers['Cross-Origin-Opener-Policy'] = config.policy;
-};
-helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{
-    headers['Cross-Origin-Resource-Policy'] = config.policy;
-};
-helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
-    headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
-};
-helmet.originAgentCluster = (headers, config)=>{
-    headers['Origin-Agent-Cluster'] = '?1';
-};
-helmet.referrerPolicy = (headers, config)=>{
-    headers['Referrer-Policy'] = config.policy;
-};
-helmetHtmlOnly.reportTo = (headers, config)=>{
-    headers['Report-To'] = Object.keys(config).map((group)=>{
-        const includeSubdomains = group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : '';
-        return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : '';
-    }).filter((str)=>str).join(', ');
-};
-helmet.strictTransportSecurity = (headers, config)=>{
-    let header = 'max-age=' + Math.round(config.maxAge);
-    if (config.includeSubDomains) {
-        header += '; includeSubDomains';
-    }
-    if (config.preload) {
-        header += '; preload';
-    }
-    headers['Strict-Transport-Security'] = header;
-};
-helmet.contentTypeOptions = (headers, config)=>{
-    headers['X-Content-Type-Options'] = config.action;
-};
-helmet.dnsPrefetchControl = (headers, config)=>{
-    headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
-};
-helmet.downloadOptions = (headers, config)=>{
-    headers['X-Download-Options'] = config.action;
-};
-helmetHtmlOnly.frameOptions = (headers, config)=>{
-    headers['X-Frame-Options'] = config.action.toUpperCase();
-};
-helmet.permittedCrossDomainPolicies = (headers, config)=>{
-    headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
-};
-helmet.poweredBy = (headers, config)=>{
-    if (config.server) {
-        headers['X-Powered-By'] = config.server;
-    } else {
-        delete headers.Server;
-        delete headers['X-Powered-By'];
-    }
-};
-helmetHtmlOnly.xssProtection = (headers, config)=>{
-    let header = '1; mode=block';
-    if (config.reportTo) {
-        header += '; report=' + config.reportTo;
-    }
-    headers['X-XSS-Protection'] = header;
-};
-const httpSecurityHeadersMiddleware = (opts = {})=>{
-    const options = {
-        ...defaults,
-        ...opts
-    };
-    const httpSecurityHeadersMiddlewareAfter = async (request)=>{
-        normalizeHttpResponse(request);
-        Object.keys(helmet).forEach((key)=>{
-            if (!options[key]) return;
-            const config = {
-                ...defaults[key],
-                ...options[key]
-            };
-            helmet[key](request.response.headers, config);
-        });
-        if (request.response.headers['Content-Type']?.includes('text/html')) {
-            Object.keys(helmetHtmlOnly).forEach((key)=>{
-                if (!options[key]) return;
-                const config = {
-                    ...defaults[key],
-                    ...options[key]
-                };
-                helmetHtmlOnly[key](request.response.headers, config);
-            });
-        }
-    };
-    const httpSecurityHeadersMiddlewareOnError = async (request)=>{
-        if (request.response === undefined) return;
-        return httpSecurityHeadersMiddlewareAfter(request);
-    };
-    return {
-        after: httpSecurityHeadersMiddlewareAfter,
-        onError: httpSecurityHeadersMiddlewareOnError
-    };
-};
-export default httpSecurityHeadersMiddleware;
+  contentSecurityPolicy: {
+    // Fetch directives
+    // 'child-src': '', // fallback default-src
+    // 'connect-src': '', // fallback default-src
+    'default-src': "'none'",
+    // 'font-src':'', // fallback default-src
+    // 'frame-src':'', // fallback child-src > default-src
+    // 'img-src':'', // fallback default-src
+    // 'manifest-src':'', // fallback default-src
+    // 'media-src':'', // fallback default-src
+    // 'object-src':'', // fallback default-src
+    // 'prefetch-src':'', // fallback default-src
+    // 'script-src':'', // fallback default-src
+    // 'script-src-elem':'', // fallback script-src > default-src
+    // 'script-src-attr':'', // fallback script-src > default-src
+    // 'style-src':'', // fallback default-src
+    // 'style-src-elem':'', // fallback style-src > default-src
+    // 'style-src-attr':'', // fallback style-src > default-src
+    // 'worker-src':'', // fallback child-src > script-src > default-src
+    // Document directives
+    'base-uri': "'none'",
+    sandbox: '',
+    // Navigation directives
+    'form-action': "'none'",
+    'frame-ancestors': "'none'",
+    'navigate-to': "'none'",
+    // Reporting directives
+    'report-to': 'csp',
+    // Other directives
+    'require-trusted-types-for': "'script'",
+    'trusted-types': "'none'",
+    'upgrade-insecure-requests': ''
+  },
+  contentTypeOptions: {
+    action: 'nosniff'
+  },
+  crossOriginEmbedderPolicy: {
+    policy: 'require-corp'
+  },
+  crossOriginOpenerPolicy: {
+    policy: 'same-origin'
+  },
+  crossOriginResourcePolicy: {
+    policy: 'same-origin'
+  },
+  dnsPrefetchControl: {
+    allow: false
+  },
+  downloadOptions: {
+    action: 'noopen'
+  },
+  frameOptions: {
+    action: 'deny'
+  },
+  originAgentCluster: {},
+  permissionsPolicy: {
+    // Standard
+    accelerometer: '',
+    'ambient-light-sensor': '',
+    autoplay: '',
+    battery: '',
+    camera: '',
+    'cross-origin-isolated': '',
+    'display-capture': '',
+    'document-domain': '',
+    'encrypted-media': '',
+    'execution-while-not-rendered': '',
+    'execution-while-out-of-viewport': '',
+    fullscreen: '',
+    geolocation: '',
+    gyroscope: '',
+    'keyboard-map': '',
+    magnetometer: '',
+    microphone: '',
+    midi: '',
+    'navigation-override': '',
+    payment: '',
+    'picture-in-picture': '',
+    'publickey-credentials-get': '',
+    'screen-wake-lock': '',
+    'sync-xhr': '',
+    usb: '',
+    'web-share': '',
+    'xr-spatial-tracking': '',
+    // Proposed
+    'clipboard-read': '',
+    'clipboard-write': '',
+    gamepad: '',
+    'speaker-selection': '',
+    // Experimental
+    'conversion-measurement': '',
+    'focus-without-user-activation': '',
+    hid: '',
+    'idle-detection': '',
+    'interest-cohort': '',
+    serial: '',
+    'sync-script': '',
+    'trust-token-redemption': '',
+    'window-placement': '',
+    'vertical-scroll': ''
+  },
+  permittedCrossDomainPolicies: {
+    policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
+  },
+  poweredBy: {
+    server: ''
+  },
+  referrerPolicy: {
+    policy: 'no-referrer'
+  },
+  reportTo: {
+    maxAge: 365 * 24 * 60 * 60,
+    default: '',
+    includeSubdomains: true,
+    csp: '',
+    staple: '',
+    xss: ''
+  },
+  strictTransportSecurity: {
+    maxAge: 180 * 24 * 60 * 60,
+    includeSubDomains: true,
+    preload: true
+  },
+  xssProtection: {
+    reportTo: 'xss'
+  }
+}
+
+const helmet = {}
+const helmetHtmlOnly = {}
+
+// *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
+  let header = Object.keys(config)
+    .map((policy) => (config[policy] ? `${policy} ${config[policy]}` : ''))
+    .filter((str) => str)
+    .join('; ')
+  if (config.sandbox === '') {
+    header += '; sandbox'
+  }
+  if (config['upgrade-insecure-requests'] === '') {
+    header += '; upgrade-insecure-requests'
+  }
+  headers['Content-Security-Policy'] = header
+}
+// crossdomain - N/A - for Adobe products
+helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config) => {
+  headers['Cross-Origin-Embedder-Policy'] = config.policy
+}
+helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config) => {
+  headers['Cross-Origin-Opener-Policy'] = config.policy
+}
+helmetHtmlOnly.crossOriginResourcePolicy = (headers, config) => {
+  headers['Cross-Origin-Resource-Policy'] = config.policy
+}
+
+// DEPRECATED: expectCt
+// DEPRECATED: hpkp
+
+// https://www.permissionspolicy.com/
+helmetHtmlOnly.permissionsPolicy = (headers, config) => {
+  headers['Permissions-Policy'] = Object.keys(config)
+    .map(
+      (policy) =>
+        `${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`
+    )
+    .join(', ')
+}
+
+helmet.originAgentCluster = (headers, config) => {
+  headers['Origin-Agent-Cluster'] = '?1'
+}
+
+// https://github.com/helmetjs/referrer-policy
+helmet.referrerPolicy = (headers, config) => {
+  headers['Referrer-Policy'] = config.policy
+}
 
+helmetHtmlOnly.reportTo = (headers, config) => {
+  headers['Report-To'] = Object.keys(config)
+    .map((group) => {
+      const includeSubdomains =
+        group === 'default'
+          ? `, "include_subdomains": ${config.includeSubdomains}`
+          : ''
+      return config[group] && group !== 'includeSubdomains'
+        ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }`
+        : ''
+    })
+    .filter((str) => str)
+    .join(', ')
+}
+
+// https://github.com/helmetjs/hsts
+helmet.strictTransportSecurity = (headers, config) => {
+  let header = 'max-age=' + Math.round(config.maxAge)
+  if (config.includeSubDomains) {
+    header += '; includeSubDomains'
+  }
+  if (config.preload) {
+    header += '; preload'
+  }
+  headers['Strict-Transport-Security'] = header
+}
+
+// noCache - N/A - separate middleware
+
+// X-* //
+// https://github.com/helmetjs/dont-sniff-mimetype
+helmet.contentTypeOptions = (headers, config) => {
+  headers['X-Content-Type-Options'] = config.action
+}
+
+// https://github.com/helmetjs/dns-Prefetch-control
+helmet.dnsPrefetchControl = (headers, config) => {
+  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off'
+}
+
+// https://github.com/helmetjs/ienoopen
+helmet.downloadOptions = (headers, config) => {
+  headers['X-Download-Options'] = config.action
+}
+
+// https://github.com/helmetjs/frameOptions
+helmetHtmlOnly.frameOptions = (headers, config) => {
+  headers['X-Frame-Options'] = config.action.toUpperCase()
+}
+
+// https://github.com/helmetjs/crossdomain
+helmet.permittedCrossDomainPolicies = (headers, config) => {
+  headers['X-Permitted-Cross-Domain-Policies'] = config.policy
+}
+
+// https://github.com/helmetjs/hide-powered-by
+helmet.poweredBy = (headers, config) => {
+  if (config.server) {
+    headers['X-Powered-By'] = config.server
+  } else {
+    delete headers.Server
+    delete headers['X-Powered-By']
+  }
+}
+
+// https://github.com/helmetjs/x-xss-protection
+helmetHtmlOnly.xssProtection = (headers, config) => {
+  let header = '1; mode=block'
+  if (config.reportTo) {
+    header += '; report=' + config.reportTo
+  }
+  headers['X-XSS-Protection'] = header
+}
+
+const httpSecurityHeadersMiddleware = (opts = {}) => {
+  const options = { ...defaults, ...opts }
+
+  const httpSecurityHeadersMiddlewareAfter = async (request) => {
+    normalizeHttpResponse(request)
+
+    Object.keys(helmet).forEach((key) => {
+      if (!options[key]) return
+      const config = { ...defaults[key], ...options[key] }
+      helmet[key](request.response.headers, config)
+    })
+
+    if (request.response.headers['Content-Type']?.includes('text/html')) {
+      Object.keys(helmetHtmlOnly).forEach((key) => {
+        if (!options[key]) return
+        const config = { ...defaults[key], ...options[key] }
+        helmetHtmlOnly[key](request.response.headers, config)
+      })
+    }
+  }
+  const httpSecurityHeadersMiddlewareOnError = async (request) => {
+    if (request.response === undefined) return
+    await httpSecurityHeadersMiddlewareAfter(request)
+  }
+  return {
+    after: httpSecurityHeadersMiddlewareAfter,
+    onError: httpSecurityHeadersMiddlewareOnError
+  }
+}
+export default httpSecurityHeadersMiddleware

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@middy/http-security-headers",
-  "version": "5.0.0-alpha.0",
+  "version": "5.0.0-alpha.1",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
   "type": "module",
   "engines": {
@@ -10,24 +10,18 @@
   "publishConfig": {
     "access": "public"
   },
-  "main": "./index.cjs",
   "module": "./index.js",
   "exports": {
     ".": {
       "import": {
         "types": "./index.d.ts",
         "default": "./index.js"
-      },
-      "require": {
-        "types": "./index.d.ts",
-        "default": "./index.cjs"
       }
     }
   },
   "types": "index.d.ts",
   "files": [
     "index.js",
-    "index.cjs",
     "index.d.ts"
   ],
   "scripts": {
@@ -68,11 +62,11 @@
     "type": "github",
     "url": "https://github.com/sponsors/willfarrell"
   },
-  "gitHead": "08c35e3dba9efdad0b86666ce206ce302cc65d07",
+  "gitHead": "ebce8d5df8783077fa49ba62ee9be20e8486a7f1",
   "dependencies": {
-    "@middy/util": "5.0.0-alpha.0"
+    "@middy/util": "5.0.0-alpha.1"
   },
   "devDependencies": {
-    "@middy/core": "5.0.0-alpha.0"
+    "@middy/core": "5.0.0-alpha.1"
   }
 }

package/index.cjs

@@ -1,226 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", {
-    value: true
-});
-Object.defineProperty(module, "exports", {
-    enumerable: true,
-    get: ()=>_default
-});
-const _util = require("@middy/util");
-const defaults = {
-    contentSecurityPolicy: {
-        'default-src': "'none'",
-        'base-uri': "'none'",
-        sandbox: '',
-        'form-action': "'none'",
-        'frame-ancestors': "'none'",
-        'navigate-to': "'none'",
-        'report-to': 'csp',
-        'require-trusted-types-for': "'script'",
-        'trusted-types': "'none'",
-        'upgrade-insecure-requests': ''
-    },
-    contentTypeOptions: {
-        action: 'nosniff'
-    },
-    crossOriginEmbedderPolicy: {
-        policy: 'require-corp'
-    },
-    crossOriginOpenerPolicy: {
-        policy: 'same-origin'
-    },
-    crossOriginResourcePolicy: {
-        policy: 'same-origin'
-    },
-    dnsPrefetchControl: {
-        allow: false
-    },
-    downloadOptions: {
-        action: 'noopen'
-    },
-    frameOptions: {
-        action: 'deny'
-    },
-    originAgentCluster: {},
-    permissionsPolicy: {
-        accelerometer: '',
-        'ambient-light-sensor': '',
-        autoplay: '',
-        battery: '',
-        camera: '',
-        'cross-origin-isolated': '',
-        'display-capture': '',
-        'document-domain': '',
-        'encrypted-media': '',
-        'execution-while-not-rendered': '',
-        'execution-while-out-of-viewport': '',
-        fullscreen: '',
-        geolocation: '',
-        gyroscope: '',
-        'keyboard-map': '',
-        magnetometer: '',
-        microphone: '',
-        midi: '',
-        'navigation-override': '',
-        payment: '',
-        'picture-in-picture': '',
-        'publickey-credentials-get': '',
-        'screen-wake-lock': '',
-        'sync-xhr': '',
-        usb: '',
-        'web-share': '',
-        'xr-spatial-tracking': '',
-        'clipboard-read': '',
-        'clipboard-write': '',
-        gamepad: '',
-        'speaker-selection': '',
-        'conversion-measurement': '',
-        'focus-without-user-activation': '',
-        hid: '',
-        'idle-detection': '',
-        'interest-cohort': '',
-        serial: '',
-        'sync-script': '',
-        'trust-token-redemption': '',
-        'window-placement': '',
-        'vertical-scroll': ''
-    },
-    permittedCrossDomainPolicies: {
-        policy: 'none'
-    },
-    poweredBy: {
-        server: ''
-    },
-    referrerPolicy: {
-        policy: 'no-referrer'
-    },
-    reportTo: {
-        maxAge: 365 * 24 * 60 * 60,
-        default: '',
-        includeSubdomains: true,
-        csp: '',
-        staple: '',
-        xss: ''
-    },
-    strictTransportSecurity: {
-        maxAge: 180 * 24 * 60 * 60,
-        includeSubDomains: true,
-        preload: true
-    },
-    xssProtection: {
-        reportTo: 'xss'
-    }
-};
-const helmet = {};
-const helmetHtmlOnly = {};
-helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
-    let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
-    if (config.sandbox === '') {
-        header += '; sandbox';
-    }
-    if (config['upgrade-insecure-requests'] === '') {
-        header += '; upgrade-insecure-requests';
-    }
-    headers['Content-Security-Policy'] = header;
-};
-helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
-    headers['Cross-Origin-Embedder-Policy'] = config.policy;
-};
-helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{
-    headers['Cross-Origin-Opener-Policy'] = config.policy;
-};
-helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{
-    headers['Cross-Origin-Resource-Policy'] = config.policy;
-};
-helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
-    headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
-};
-helmet.originAgentCluster = (headers, config)=>{
-    headers['Origin-Agent-Cluster'] = '?1';
-};
-helmet.referrerPolicy = (headers, config)=>{
-    headers['Referrer-Policy'] = config.policy;
-};
-helmetHtmlOnly.reportTo = (headers, config)=>{
-    headers['Report-To'] = Object.keys(config).map((group)=>{
-        const includeSubdomains = group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : '';
-        return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : '';
-    }).filter((str)=>str).join(', ');
-};
-helmet.strictTransportSecurity = (headers, config)=>{
-    let header = 'max-age=' + Math.round(config.maxAge);
-    if (config.includeSubDomains) {
-        header += '; includeSubDomains';
-    }
-    if (config.preload) {
-        header += '; preload';
-    }
-    headers['Strict-Transport-Security'] = header;
-};
-helmet.contentTypeOptions = (headers, config)=>{
-    headers['X-Content-Type-Options'] = config.action;
-};
-helmet.dnsPrefetchControl = (headers, config)=>{
-    headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
-};
-helmet.downloadOptions = (headers, config)=>{
-    headers['X-Download-Options'] = config.action;
-};
-helmetHtmlOnly.frameOptions = (headers, config)=>{
-    headers['X-Frame-Options'] = config.action.toUpperCase();
-};
-helmet.permittedCrossDomainPolicies = (headers, config)=>{
-    headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
-};
-helmet.poweredBy = (headers, config)=>{
-    if (config.server) {
-        headers['X-Powered-By'] = config.server;
-    } else {
-        delete headers.Server;
-        delete headers['X-Powered-By'];
-    }
-};
-helmetHtmlOnly.xssProtection = (headers, config)=>{
-    let header = '1; mode=block';
-    if (config.reportTo) {
-        header += '; report=' + config.reportTo;
-    }
-    headers['X-XSS-Protection'] = header;
-};
-const httpSecurityHeadersMiddleware = (opts = {})=>{
-    const options = {
-        ...defaults,
-        ...opts
-    };
-    const httpSecurityHeadersMiddlewareAfter = async (request)=>{
-        (0, _util.normalizeHttpResponse)(request);
-        Object.keys(helmet).forEach((key)=>{
-            if (!options[key]) return;
-            const config = {
-                ...defaults[key],
-                ...options[key]
-            };
-            helmet[key](request.response.headers, config);
-        });
-        if (request.response.headers['Content-Type']?.includes('text/html')) {
-            Object.keys(helmetHtmlOnly).forEach((key)=>{
-                if (!options[key]) return;
-                const config = {
-                    ...defaults[key],
-                    ...options[key]
-                };
-                helmetHtmlOnly[key](request.response.headers, config);
-            });
-        }
-    };
-    const httpSecurityHeadersMiddlewareOnError = async (request)=>{
-        if (request.response === undefined) return;
-        return httpSecurityHeadersMiddlewareAfter(request);
-    };
-    return {
-        after: httpSecurityHeadersMiddlewareAfter,
-        onError: httpSecurityHeadersMiddlewareOnError
-    };
-};
-const _default = httpSecurityHeadersMiddleware;
-