@middy/http-security-headers 5.5.1 → 6.0.0-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
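--- a/package/index.d.ts
+++ b/package/index.d.ts
@@ -29,6 +29,7 @@ interface Options {
 reportUri?: string
 }
 contentSecurityPolicy?: Record<string, string>
+contentSecurityPolicyReportOnly?: boolean
 crossOriginEmbedderPolicy?: {
 policy?: string
 }
@@ -52,10 +53,10 @@ interface Options {
 }
 }
 
-type WithFalseValues<T> = { [K in keyof T]: T[K] | false }
+type WithBoolValues<T> = { [K in keyof T]: T[K] | boolean }
 
-declare function httpSecurityHeaders (
-options?: WithFalseValues<Options>
+declare function httpSecurityHeaders(
+options?: WithBoolValues<Options>
 ): middy.MiddlewareObj
 
 export default httpSecurityHeaders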
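--- a/package/index.js
+++ b/package/index.js
@@ -36,6 +36,7 @@ const defaults = {
 'trusted-types': "'none'",
 'upgrade-insecure-requests': ''
 },
+contentSecurityPolicyReportOnly: false,
 contentTypeOptions: {
 action: 'nosniff'
 },
@@ -113,13 +114,15 @@ const defaults = {
 referrerPolicy: {
 policy: 'no-referrer'
 },
+reportingEndpoints: {},
 reportTo: {
 maxAge: 365 * 24 * 60 * 60,
-default: '',
-includeSubdomains: true,
-csp: '',
-staple: '',
-xss: ''
+// default: '',
+includeSubdomains: true
+// csp: '',
+// permissions: '',
+// staple: '',
+// xss: ''
 },
 strictTransportSecurity: {
 maxAge: 180 * 24 * 60 * 60,
@@ -136,7 +139,7 @@ const helmetHtmlOnly = {}
 
 // *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
+helmetHtmlOnly.contentSecurityPolicy = (reportOnly) => (headers, config) => {
 let header = Object.keys(config)
 .map((policy) => (config[policy] ? `${policy} ${config[policy]}` : ''))
 .filter((str) => str)
@@ -147,7 +150,11 @@ helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
 if (config['upgrade-insecure-requests'] === '') {
 header += '; upgrade-insecure-requests'
 }
-headers['Content-Security-Policy'] = header
+
+const cspHeaderName = reportOnly
+? 'Content-Security-Policy-Report-Only'
+: 'Content-Security-Policy'
+headers[cspHeaderName] = header
 }
 // crossdomain - N/A - for Adobe products
 helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config) => {
@@ -182,9 +189,11 @@ helmet.referrerPolicy = (headers, config) => {
 headers['Referrer-Policy'] = config.policy
 }
 
+// DEPRECATED by reportingEndpoints
 helmetHtmlOnly.reportTo = (headers, config) => {
 headers['Report-To'] = Object.keys(config)
 .map((group) => {
+if (group === 'includeSubdomains' || group === 'maxAge') return ''
 const includeSubdomains =
 group === 'default'
 ? `, "include_subdomains": ${config.includeSubdomains}`
@@ -197,6 +206,16 @@ helmetHtmlOnly.reportTo = (headers, config) => {
 .join(', ')
 }
 
+helmet.reportingEndpoints = (headers, config) => {
+headers['Reporting-Endpoints'] = ''
+const keys = Object.keys(config)
+for (let i = 0, l = keys.length; i < l; i++) {
+if (i) headers['Reporting-Endpoints'] += ', '
+const key = keys[i]
+headers['Reporting-Endpoints'] += key + '="' + config[key] + '"'
+}
+}
+
 // https://github.com/helmetjs/hsts
 helmet.strictTransportSecurity = (headers, config) => {
 let header = 'max-age=' + Math.round(config.maxAge)
@@ -274,7 +293,14 @@ const httpSecurityHeadersMiddleware = (opts = {}) => {
 Object.keys(helmetHtmlOnly).forEach((key) => {
 if (!options[key]) return
 const config = { ...defaults[key], ...options[key] }
-helmetHtmlOnly[key](request.response.headers, config)
+if (key === 'contentSecurityPolicy') {
+helmetHtmlOnly[key](options.contentSecurityPolicyReportOnly)(
+request.response.headers,
+config
+)
+} else {
+helmetHtmlOnly[key](request.response.headers, config)
+}
 })
 }
 }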
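Review bot: `helmet.reportingEndpoints` copies each configured value into the `Reporting-Endpoints` header as `key="value"` with no escaping, and when `config` is empty (for example the option set to `true`, which spreads nothing over the `{}` default) it still emits the header with an empty string value. The header is an RFC 8941 dictionary of quoted strings, so a configured URL containing `"` or `\` produces a malformed member and the browser drops the endpoint, silently disabling CSP violation reporting; a CR/LF inside a value would corrupt the response headers unless the runtime rejects it, which is not visible here and is better validated where the options are read. I would skip empty configs, escape `"` and `\`, and build the value with the same `Object.keys().map().join(', ')` shape the neighbouring `reportTo` uses rather than an index loop with `+=`. Whether the empty strings now returned by the `includeSubdomains`/`maxAge` guard in `reportTo` are filtered before `.join(', ')` falls outside the hunk.
```javascript
helmet.reportingEndpoints = (headers, config) => {
  const endpoints = Object.keys(config).filter((key) => config[key])
  if (!endpoints.length) return
  headers['Reporting-Endpoints'] = endpoints
    // RFC 8941 sf-string: backslash and double quote must be escaped inside the quoted value
    .map((key) => `${key}="${String(config[key]).replace(/["\\]/g, '\\$&')}"`)
    .join(', ')
}
```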
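--- a/package/package.json
+++ b/package/package.json
@@ -1,10 +1,10 @@
 {
 "name": "@middy/http-security-headers",
-"version": "5.5.1",
+"version": "6.0.0-beta.0",
 "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
 "type": "module",
 "engines": {
-"node": ">=18"
+"node": ">=20"
 },
 "engineStrict": true,
 "publishConfig": {
@@ -16,6 +16,9 @@
 "import": {
 "types": "./index.d.ts",
 "default": "./index.js"
+},
+"require": {
+"default": "./index.js"
 }
 }
 },
@@ -64,9 +67,9 @@
 },
 "gitHead": "7a6c0fbb8ab71d6a2171e678697de9f237568431",
 "dependencies": {
-"@middy/util": "5.5.1"
+"@middy/util": "6.0.0-beta.0"
 },
 "devDependencies": {
-"@middy/core": "5.5.1"
+"@middy/core": "6.0.0-beta.0"
 }
 }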
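Review bot: The new `"require": { "default": "./index.js" }` condition points at the same file that `"type": "module"` declares as an ES module, so a CommonJS consumer's `require()` only works on Node releases that load ESM via require (22.12 and 20.19 onward, as far as I recall), while the `"node": ">=20"` floor still admits earlier 20.x where it fails with ERR_REQUIRE_ESM. Either raise the engines floor to match, point the condition at a CJS build, or document the constraint alongside the option. The `"types"` entry is also missing from the `require` condition, so TypeScript consumers resolving under `moduleResolution: node16` with CommonJS output get no declarations.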