@middy/http-security-headers 5.0.2 → 5.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/index.js +1 -43
  2. package/package.json +4 -4
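--- a/package/index.js
+++ b/package/index.js
@@ -1,35 +1,13 @@
 import { normalizeHttpResponse } from '@middy/util';
-// Code and Defaults heavily based off https://helmetjs.github.io/
 const defaults = {
 contentSecurityPolicy: {
-// Fetch directives
-// 'child-src': '', // fallback default-src
-// 'connect-src': '', // fallback default-src
 'default-src': "'none'",
-// 'font-src':'', // fallback default-src
-// 'frame-src':'', // fallback child-src > default-src
-// 'img-src':'', // fallback default-src
-// 'manifest-src':'', // fallback default-src
-// 'media-src':'', // fallback default-src
-// 'object-src':'', // fallback default-src
-// 'prefetch-src':'', // fallback default-src
-// 'script-src':'', // fallback default-src
-// 'script-src-elem':'', // fallback script-src > default-src
-// 'script-src-attr':'', // fallback script-src > default-src
-// 'style-src':'', // fallback default-src
-// 'style-src-elem':'', // fallback style-src > default-src
-// 'style-src-attr':'', // fallback style-src > default-src
-// 'worker-src':'', // fallback child-src > script-src > default-src
-// Document directives
 'base-uri': "'none'",
 sandbox: '',
-// Navigation directives
 'form-action': "'none'",
 'frame-ancestors': "'none'",
 'navigate-to': "'none'",
-// Reporting directives
 'report-to': 'csp',
-// Other directives
 'require-trusted-types-for': "'script'",
 'trusted-types': "'none'",
 'upgrade-insecure-requests': ''
@@ -57,7 +35,6 @@ const defaults = {
 },
 originAgentCluster: {},
 permissionsPolicy: {
-// Standard
 accelerometer: '',
 'ambient-light-sensor': '',
 autoplay: '',
@@ -85,12 +62,10 @@ const defaults = {
 usb: '',
 'web-share': '',
 'xr-spatial-tracking': '',
-// Proposed
 'clipboard-read': '',
 'clipboard-write': '',
 gamepad: '',
 'speaker-selection': '',
-// Experimental
 'conversion-measurement': '',
 'focus-without-user-activation': '',
 hid: '',
@@ -103,7 +78,7 @@ const defaults = {
 'vertical-scroll': ''
 },
 permittedCrossDomainPolicies: {
-policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
+policy: 'none'
 },
 poweredBy: {
 server: ''
@@ -130,8 +105,6 @@ const defaults = {
 };
 const helmet = {};
 const helmetHtmlOnly = {};
-// *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
 let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
 if (config.sandbox === '') {
@@ -142,7 +115,6 @@ helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
 }
 headers['Content-Security-Policy'] = header;
 };
-// crossdomain - N/A - for Adobe products
 helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
 headers['Cross-Origin-Embedder-Policy'] = config.policy;
 };
@@ -152,16 +124,12 @@ helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{
 helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{
 headers['Cross-Origin-Resource-Policy'] = config.policy;
 };
-// DEPRECATED: expectCt
-// DEPRECATED: hpkp
-// https://www.permissionspolicy.com/
 helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
 headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
 };
 helmet.originAgentCluster = (headers, config)=>{
 headers['Origin-Agent-Cluster'] = '?1';
 };
-// https://github.com/helmetjs/referrer-policy
 helmet.referrerPolicy = (headers, config)=>{
 headers['Referrer-Policy'] = config.policy;
 };
@@ -171,7 +139,6 @@ helmetHtmlOnly.reportTo = (headers, config)=>{
 return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : '';
 }).filter((str)=>str).join(', ');
 };
-// https://github.com/helmetjs/hsts
 helmet.strictTransportSecurity = (headers, config)=>{
 let header = 'max-age=' + Math.round(config.maxAge);
 if (config.includeSubDomains) {
@@ -182,29 +149,21 @@ helmet.strictTransportSecurity = (headers, config)=>{
 }
 headers['Strict-Transport-Security'] = header;
 };
-// noCache - N/A - separate middleware
-// X-* //
-// https://github.com/helmetjs/dont-sniff-mimetype
 helmet.contentTypeOptions = (headers, config)=>{
 headers['X-Content-Type-Options'] = config.action;
 };
-// https://github.com/helmetjs/dns-Prefetch-control
 helmet.dnsPrefetchControl = (headers, config)=>{
 headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
 };
-// https://github.com/helmetjs/ienoopen
 helmet.downloadOptions = (headers, config)=>{
 headers['X-Download-Options'] = config.action;
 };
-// https://github.com/helmetjs/frameOptions
 helmetHtmlOnly.frameOptions = (headers, config)=>{
 headers['X-Frame-Options'] = config.action.toUpperCase();
 };
-// https://github.com/helmetjs/crossdomain
 helmet.permittedCrossDomainPolicies = (headers, config)=>{
 headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
 };
-// https://github.com/helmetjs/hide-powered-by
 helmet.poweredBy = (headers, config)=>{
 if (config.server) {
 headers['X-Powered-By'] = config.server;
@@ -213,7 +172,6 @@ helmet.poweredBy = (headers, config)=>{
 delete headers['X-Powered-By'];
 }
 };
-// https://github.com/helmetjs/x-xss-protection
 helmetHtmlOnly.xssProtection = (headers, config)=>{
 let header = '1; mode=block';
 if (config.reportTo) {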
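--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@middy/http-security-headers",
-"version": "5.0.2",
+"version": "5.1.0",
 "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
 "type": "module",
 "engines": {
@@ -62,11 +62,11 @@
 "type": "github",
 "url": "https://github.com/sponsors/willfarrell"
 },
-"gitHead": "6d17e155237022f2a0abd095ac7cd99ebfc7fc71",
+"gitHead": "bbdaf5843914921804ba085dd58117273febe6b5",
 "dependencies": {
-"@middy/util": "5.0.2"
+"@middy/util": "5.1.0"
 },
 "devDependencies": {
-"@middy/core": "5.0.2"
+"@middy/core": "5.1.0"
 }
 }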