npm - @middy/http-security-headers - Versions diffs - 5.0.0-alpha.1 → 5.0.0-alpha.2 - Mend

@middy/http-security-headers 5.0.0-alpha.1 → 5.0.0-alpha.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.js +240 -268
package/package.json +3 -3

package/index.js CHANGED Viewed

@@ -1,288 +1,260 @@
-import { normalizeHttpResponse } from '@middy/util'
+import { normalizeHttpResponse } from '@middy/util';
 // Code and Defaults heavily based off https://helmetjs.github.io/
 const defaults = {
-  contentSecurityPolicy: {
-    // Fetch directives
-    // 'child-src': '', // fallback default-src
-    // 'connect-src': '', // fallback default-src
-    'default-src': "'none'",
-    // 'font-src':'', // fallback default-src
-    // 'frame-src':'', // fallback child-src > default-src
-    // 'img-src':'', // fallback default-src
-    // 'manifest-src':'', // fallback default-src
-    // 'media-src':'', // fallback default-src
-    // 'object-src':'', // fallback default-src
-    // 'prefetch-src':'', // fallback default-src
-    // 'script-src':'', // fallback default-src
-    // 'script-src-elem':'', // fallback script-src > default-src
-    // 'script-src-attr':'', // fallback script-src > default-src
-    // 'style-src':'', // fallback default-src
-    // 'style-src-elem':'', // fallback style-src > default-src
-    // 'style-src-attr':'', // fallback style-src > default-src
-    // 'worker-src':'', // fallback child-src > script-src > default-src
-    // Document directives
-    'base-uri': "'none'",
-    sandbox: '',
-    // Navigation directives
-    'form-action': "'none'",
-    'frame-ancestors': "'none'",
-    'navigate-to': "'none'",
-    // Reporting directives
-    'report-to': 'csp',
-    // Other directives
-    'require-trusted-types-for': "'script'",
-    'trusted-types': "'none'",
-    'upgrade-insecure-requests': ''
-  },
-  contentTypeOptions: {
-    action: 'nosniff'
-  },
-  crossOriginEmbedderPolicy: {
-    policy: 'require-corp'
-  },
-  crossOriginOpenerPolicy: {
-    policy: 'same-origin'
-  },
-  crossOriginResourcePolicy: {
-    policy: 'same-origin'
-  },
-  dnsPrefetchControl: {
-    allow: false
-  },
-  downloadOptions: {
-    action: 'noopen'
-  },
-  frameOptions: {
-    action: 'deny'
-  },
-  originAgentCluster: {},
-  permissionsPolicy: {
-    // Standard
-    accelerometer: '',
-    'ambient-light-sensor': '',
-    autoplay: '',
-    battery: '',
-    camera: '',
-    'cross-origin-isolated': '',
-    'display-capture': '',
-    'document-domain': '',
-    'encrypted-media': '',
-    'execution-while-not-rendered': '',
-    'execution-while-out-of-viewport': '',
-    fullscreen: '',
-    geolocation: '',
-    gyroscope: '',
-    'keyboard-map': '',
-    magnetometer: '',
-    microphone: '',
-    midi: '',
-    'navigation-override': '',
-    payment: '',
-    'picture-in-picture': '',
-    'publickey-credentials-get': '',
-    'screen-wake-lock': '',
-    'sync-xhr': '',
-    usb: '',
-    'web-share': '',
-    'xr-spatial-tracking': '',
-    // Proposed
-    'clipboard-read': '',
-    'clipboard-write': '',
-    gamepad: '',
-    'speaker-selection': '',
-    // Experimental
-    'conversion-measurement': '',
-    'focus-without-user-activation': '',
-    hid: '',
-    'idle-detection': '',
-    'interest-cohort': '',
-    serial: '',
-    'sync-script': '',
-    'trust-token-redemption': '',
-    'window-placement': '',
-    'vertical-scroll': ''
-  },
-  permittedCrossDomainPolicies: {
-    policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
-  },
-  poweredBy: {
-    server: ''
-  },
-  referrerPolicy: {
-    policy: 'no-referrer'
-  },
-  reportTo: {
-    maxAge: 365 * 24 * 60 * 60,
-    default: '',
-    includeSubdomains: true,
-    csp: '',
-    staple: '',
-    xss: ''
-  },
-  strictTransportSecurity: {
-    maxAge: 180 * 24 * 60 * 60,
-    includeSubDomains: true,
-    preload: true
-  },
-  xssProtection: {
-    reportTo: 'xss'
-  }
-}
-const helmet = {}
-const helmetHtmlOnly = {}
+    contentSecurityPolicy: {
+        // Fetch directives
+        // 'child-src': '', // fallback default-src
+        // 'connect-src': '', // fallback default-src
+        'default-src': "'none'",
+        // 'font-src':'', // fallback default-src
+        // 'frame-src':'', // fallback child-src > default-src
+        // 'img-src':'', // fallback default-src
+        // 'manifest-src':'', // fallback default-src
+        // 'media-src':'', // fallback default-src
+        // 'object-src':'', // fallback default-src
+        // 'prefetch-src':'', // fallback default-src
+        // 'script-src':'', // fallback default-src
+        // 'script-src-elem':'', // fallback script-src > default-src
+        // 'script-src-attr':'', // fallback script-src > default-src
+        // 'style-src':'', // fallback default-src
+        // 'style-src-elem':'', // fallback style-src > default-src
+        // 'style-src-attr':'', // fallback style-src > default-src
+        // 'worker-src':'', // fallback child-src > script-src > default-src
+        // Document directives
+        'base-uri': "'none'",
+        sandbox: '',
+        // Navigation directives
+        'form-action': "'none'",
+        'frame-ancestors': "'none'",
+        'navigate-to': "'none'",
+        // Reporting directives
+        'report-to': 'csp',
+        // Other directives
+        'require-trusted-types-for': "'script'",
+        'trusted-types': "'none'",
+        'upgrade-insecure-requests': ''
+    },
+    contentTypeOptions: {
+        action: 'nosniff'
+    },
+    crossOriginEmbedderPolicy: {
+        policy: 'require-corp'
+    },
+    crossOriginOpenerPolicy: {
+        policy: 'same-origin'
+    },
+    crossOriginResourcePolicy: {
+        policy: 'same-origin'
+    },
+    dnsPrefetchControl: {
+        allow: false
+    },
+    downloadOptions: {
+        action: 'noopen'
+    },
+    frameOptions: {
+        action: 'deny'
+    },
+    originAgentCluster: {},
+    permissionsPolicy: {
+        // Standard
+        accelerometer: '',
+        'ambient-light-sensor': '',
+        autoplay: '',
+        battery: '',
+        camera: '',
+        'cross-origin-isolated': '',
+        'display-capture': '',
+        'document-domain': '',
+        'encrypted-media': '',
+        'execution-while-not-rendered': '',
+        'execution-while-out-of-viewport': '',
+        fullscreen: '',
+        geolocation: '',
+        gyroscope: '',
+        'keyboard-map': '',
+        magnetometer: '',
+        microphone: '',
+        midi: '',
+        'navigation-override': '',
+        payment: '',
+        'picture-in-picture': '',
+        'publickey-credentials-get': '',
+        'screen-wake-lock': '',
+        'sync-xhr': '',
+        usb: '',
+        'web-share': '',
+        'xr-spatial-tracking': '',
+        // Proposed
+        'clipboard-read': '',
+        'clipboard-write': '',
+        gamepad: '',
+        'speaker-selection': '',
+        // Experimental
+        'conversion-measurement': '',
+        'focus-without-user-activation': '',
+        hid: '',
+        'idle-detection': '',
+        'interest-cohort': '',
+        serial: '',
+        'sync-script': '',
+        'trust-token-redemption': '',
+        'window-placement': '',
+        'vertical-scroll': ''
+    },
+    permittedCrossDomainPolicies: {
+        policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
+    },
+    poweredBy: {
+        server: ''
+    },
+    referrerPolicy: {
+        policy: 'no-referrer'
+    },
+    reportTo: {
+        maxAge: 365 * 24 * 60 * 60,
+        default: '',
+        includeSubdomains: true,
+        csp: '',
+        staple: '',
+        xss: ''
+    },
+    strictTransportSecurity: {
+        maxAge: 180 * 24 * 60 * 60,
+        includeSubDomains: true,
+        preload: true
+    },
+    xssProtection: {
+        reportTo: 'xss'
+    }
+};
+const helmet = {};
+const helmetHtmlOnly = {};
 // *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
-  let header = Object.keys(config)
-    .map((policy) => (config[policy] ? `${policy} ${config[policy]}` : ''))
-    .filter((str) => str)
-    .join('; ')
-  if (config.sandbox === '') {
-    header += '; sandbox'
-  }
-  if (config['upgrade-insecure-requests'] === '') {
-    header += '; upgrade-insecure-requests'
-  }
-  headers['Content-Security-Policy'] = header
-}
+helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
+    let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
+    if (config.sandbox === '') {
+        header += '; sandbox';
+    }
+    if (config['upgrade-insecure-requests'] === '') {
+        header += '; upgrade-insecure-requests';
+    }
+    headers['Content-Security-Policy'] = header;
+};
 // crossdomain - N/A - for Adobe products
-helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config) => {
-  headers['Cross-Origin-Embedder-Policy'] = config.policy
-}
-helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config) => {
-  headers['Cross-Origin-Opener-Policy'] = config.policy
-}
-helmetHtmlOnly.crossOriginResourcePolicy = (headers, config) => {
-  headers['Cross-Origin-Resource-Policy'] = config.policy
-}
+helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
+    headers['Cross-Origin-Embedder-Policy'] = config.policy;
+};
+helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{
+    headers['Cross-Origin-Opener-Policy'] = config.policy;
+};
+helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{
+    headers['Cross-Origin-Resource-Policy'] = config.policy;
+};
 // DEPRECATED: expectCt
 // DEPRECATED: hpkp
 // https://www.permissionspolicy.com/
-helmetHtmlOnly.permissionsPolicy = (headers, config) => {
-  headers['Permissions-Policy'] = Object.keys(config)
-    .map(
-      (policy) =>
-        `${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`
-    )
-    .join(', ')
-}
-helmet.originAgentCluster = (headers, config) => {
-  headers['Origin-Agent-Cluster'] = '?1'
-}
+helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
+    headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
+};
+helmet.originAgentCluster = (headers, config)=>{
+    headers['Origin-Agent-Cluster'] = '?1';
+};
 // https://github.com/helmetjs/referrer-policy
-helmet.referrerPolicy = (headers, config) => {
-  headers['Referrer-Policy'] = config.policy
-}
-helmetHtmlOnly.reportTo = (headers, config) => {
-  headers['Report-To'] = Object.keys(config)
-    .map((group) => {
-      const includeSubdomains =
-        group === 'default'
-          ? `, "include_subdomains": ${config.includeSubdomains}`
-          : ''
-      return config[group] && group !== 'includeSubdomains'
-        ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }`
-        : ''
-    })
-    .filter((str) => str)
-    .join(', ')
-}
+helmet.referrerPolicy = (headers, config)=>{
+    headers['Referrer-Policy'] = config.policy;
+};
+helmetHtmlOnly.reportTo = (headers, config)=>{
+    headers['Report-To'] = Object.keys(config).map((group)=>{
+        const includeSubdomains = group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : '';
+        return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : '';
+    }).filter((str)=>str).join(', ');
+};
 // https://github.com/helmetjs/hsts
-helmet.strictTransportSecurity = (headers, config) => {
-  let header = 'max-age=' + Math.round(config.maxAge)
-  if (config.includeSubDomains) {
-    header += '; includeSubDomains'
-  }
-  if (config.preload) {
-    header += '; preload'
-  }
-  headers['Strict-Transport-Security'] = header
-}
+helmet.strictTransportSecurity = (headers, config)=>{
+    let header = 'max-age=' + Math.round(config.maxAge);
+    if (config.includeSubDomains) {
+        header += '; includeSubDomains';
+    }
+    if (config.preload) {
+        header += '; preload';
+    }
+    headers['Strict-Transport-Security'] = header;
+};
 // noCache - N/A - separate middleware
 // X-* //
 // https://github.com/helmetjs/dont-sniff-mimetype
-helmet.contentTypeOptions = (headers, config) => {
-  headers['X-Content-Type-Options'] = config.action
-}
+helmet.contentTypeOptions = (headers, config)=>{
+    headers['X-Content-Type-Options'] = config.action;
+};
 // https://github.com/helmetjs/dns-Prefetch-control
-helmet.dnsPrefetchControl = (headers, config) => {
-  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off'
-}
+helmet.dnsPrefetchControl = (headers, config)=>{
+    headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
+};
 // https://github.com/helmetjs/ienoopen
-helmet.downloadOptions = (headers, config) => {
-  headers['X-Download-Options'] = config.action
-}
+helmet.downloadOptions = (headers, config)=>{
+    headers['X-Download-Options'] = config.action;
+};
 // https://github.com/helmetjs/frameOptions
-helmetHtmlOnly.frameOptions = (headers, config) => {
-  headers['X-Frame-Options'] = config.action.toUpperCase()
-}
+helmetHtmlOnly.frameOptions = (headers, config)=>{
+    headers['X-Frame-Options'] = config.action.toUpperCase();
+};
 // https://github.com/helmetjs/crossdomain
-helmet.permittedCrossDomainPolicies = (headers, config) => {
-  headers['X-Permitted-Cross-Domain-Policies'] = config.policy
-}
+helmet.permittedCrossDomainPolicies = (headers, config)=>{
+    headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
+};
 // https://github.com/helmetjs/hide-powered-by
-helmet.poweredBy = (headers, config) => {
-  if (config.server) {
-    headers['X-Powered-By'] = config.server
-  } else {
-    delete headers.Server
-    delete headers['X-Powered-By']
-  }
-}
+helmet.poweredBy = (headers, config)=>{
+    if (config.server) {
+        headers['X-Powered-By'] = config.server;
+    } else {
+        delete headers.Server;
+        delete headers['X-Powered-By'];
+    }
+};
 // https://github.com/helmetjs/x-xss-protection
-helmetHtmlOnly.xssProtection = (headers, config) => {
-  let header = '1; mode=block'
-  if (config.reportTo) {
-    header += '; report=' + config.reportTo
-  }
-  headers['X-XSS-Protection'] = header
-}
-const httpSecurityHeadersMiddleware = (opts = {}) => {
-  const options = { ...defaults, ...opts }
-  const httpSecurityHeadersMiddlewareAfter = async (request) => {
-    normalizeHttpResponse(request)
-    Object.keys(helmet).forEach((key) => {
-      if (!options[key]) return
-      const config = { ...defaults[key], ...options[key] }
-      helmet[key](request.response.headers, config)
-    })
-    if (request.response.headers['Content-Type']?.includes('text/html')) {
-      Object.keys(helmetHtmlOnly).forEach((key) => {
-        if (!options[key]) return
-        const config = { ...defaults[key], ...options[key] }
-        helmetHtmlOnly[key](request.response.headers, config)
-      })
+helmetHtmlOnly.xssProtection = (headers, config)=>{
+    let header = '1; mode=block';
+    if (config.reportTo) {
+        header += '; report=' + config.reportTo;
     }
-  }
-  const httpSecurityHeadersMiddlewareOnError = async (request) => {
-    if (request.response === undefined) return
-    await httpSecurityHeadersMiddlewareAfter(request)
-  }
-  return {
-    after: httpSecurityHeadersMiddlewareAfter,
-    onError: httpSecurityHeadersMiddlewareOnError
-  }
-}
-export default httpSecurityHeadersMiddleware
+    headers['X-XSS-Protection'] = header;
+};
+const httpSecurityHeadersMiddleware = (opts = {})=>{
+    const options = {
+        ...defaults,
+        ...opts
+    };
+    const httpSecurityHeadersMiddlewareAfter = async (request)=>{
+        normalizeHttpResponse(request);
+        Object.keys(helmet).forEach((key)=>{
+            if (!options[key]) return;
+            const config = {
+                ...defaults[key],
+                ...options[key]
+            };
+            helmet[key](request.response.headers, config);
+        });
+        if (request.response.headers['Content-Type']?.includes('text/html')) {
+            Object.keys(helmetHtmlOnly).forEach((key)=>{
+                if (!options[key]) return;
+                const config = {
+                    ...defaults[key],
+                    ...options[key]
+                };
+                helmetHtmlOnly[key](request.response.headers, config);
+            });
+        }
+    };
+    const httpSecurityHeadersMiddlewareOnError = async (request)=>{
+        if (request.response === undefined) return;
+        await httpSecurityHeadersMiddlewareAfter(request);
+    };
+    return {
+        after: httpSecurityHeadersMiddlewareAfter,
+        onError: httpSecurityHeadersMiddlewareOnError
+    };
+};
+export default httpSecurityHeadersMiddleware;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@middy/http-security-headers",
-  "version": "5.0.0-alpha.1",
+  "version": "5.0.0-alpha.2",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
   "type": "module",
   "engines": {
@@ -64,9 +64,9 @@
   },
   "gitHead": "ebce8d5df8783077fa49ba62ee9be20e8486a7f1",
   "dependencies": {
-    "@middy/util": "5.0.0-alpha.1"
+    "@middy/util": "5.0.0-alpha.2"
   },
   "devDependencies": {
-    "@middy/core": "5.0.0-alpha.1"
+    "@middy/core": "5.0.0-alpha.2"
   }
 }