@middy/http-security-headers 6.0.0-alpha.0 → 6.0.0-beta.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.d.ts +4 -3
- package/index.js +34 -8
- package/package.json +3 -3
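--- a/package/index.d.ts
+++ b/package/index.d.ts
@@ -29,6 +29,7 @@ interface Options {
 reportUri?: string
 }
 contentSecurityPolicy?: Record<string, string>
+contentSecurityPolicyReportOnly?: boolean
 crossOriginEmbedderPolicy?: {
 policy?: string
 }
@@ -52,10 +53,10 @@ interface Options {
 }
 }
 
-type
+type WithBoolValues<T> = { [K in keyof T]: T[K] | boolean }
 
-declare function httpSecurityHeaders
-options?:
+declare function httpSecurityHeaders(
+options?: WithBoolValues<Options>
 ): middy.MiddlewareObj
 
 export default httpSecurityHeaders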
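Review bot: The index.js side of this version adds a `reportingEndpoints` default and a `helmet.reportingEndpoints` handler, but no `reportingEndpoints?:` member appears in the visible `Options` hunks here; if it is not declared in the part of the interface outside these hunks, TypeScript callers cannot enable the new header without a cast. The new `contentSecurityPolicyReportOnly?: boolean` member at new line 32 has no doc comment; I would add `/** Emit Content-Security-Policy-Report-Only instead of Content-Security-Policy (header is report-only, nothing is blocked) */` above it. `WithBoolValues<T>` widens every option to accept `boolean`, which appears to match the `if (!options[key]) return` / `{ ...defaults[key], ...options[key] }` handling in index.js where `true` falls back to the package defaults; a one-line comment on the type stating that contract would save readers a trip to index.js. The `Options` interface begins before the first hunk.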
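--- a/package/index.js
+++ b/package/index.js
@@ -36,6 +36,7 @@ const defaults = {
 'trusted-types': "'none'",
 'upgrade-insecure-requests': ''
 },
+contentSecurityPolicyReportOnly: false,
 contentTypeOptions: {
 action: 'nosniff'
 },
@@ -113,13 +114,15 @@ const defaults = {
 referrerPolicy: {
 policy: 'no-referrer'
 },
+reportingEndpoints: {},
 reportTo: {
 maxAge: 365 * 24 * 60 * 60,
-default: '',
-includeSubdomains: true
-csp: '',
-
-
+// default: '',
+includeSubdomains: true
+// csp: '',
+// permissions: '',
+// staple: '',
+// xss: ''
 },
 strictTransportSecurity: {
 maxAge: 180 * 24 * 60 * 60,
@@ -136,7 +139,7 @@ const helmetHtmlOnly = {}
 
 // *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
+helmetHtmlOnly.contentSecurityPolicy = (reportOnly) => (headers, config) => {
 let header = Object.keys(config)
 .map((policy) => (config[policy] ? `${policy} ${config[policy]}` : ''))
 .filter((str) => str)
@@ -147,7 +150,11 @@ helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
 if (config['upgrade-insecure-requests'] === '') {
 header += '; upgrade-insecure-requests'
 }
-
+
+const cspHeaderName = reportOnly
+? 'Content-Security-Policy-Report-Only'
+: 'Content-Security-Policy'
+headers[cspHeaderName] = header
 }
 // crossdomain - N/A - for Adobe products
 helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config) => {
@@ -182,9 +189,11 @@ helmet.referrerPolicy = (headers, config) => {
 headers['Referrer-Policy'] = config.policy
 }
 
+// DEPRECATED by reportingEndpoints
 helmetHtmlOnly.reportTo = (headers, config) => {
 headers['Report-To'] = Object.keys(config)
 .map((group) => {
+if (group === 'includeSubdomains' || group === 'maxAge') return ''
 const includeSubdomains =
 group === 'default'
 ? `, "include_subdomains": ${config.includeSubdomains}`
@@ -197,6 +206,16 @@ helmetHtmlOnly.reportTo = (headers, config) => {
 .join(', ')
 }
 
+helmet.reportingEndpoints = (headers, config) => {
+headers['Reporting-Endpoints'] = ''
+const keys = Object.keys(config)
+for (let i = 0, l = keys.length; i < l; i++) {
+if (i) headers['Reporting-Endpoints'] += ', '
+const key = keys[i]
+headers['Reporting-Endpoints'] += key + '="' + config[key] + '"'
+}
+}
+
 // https://github.com/helmetjs/hsts
 helmet.strictTransportSecurity = (headers, config) => {
 let header = 'max-age=' + Math.round(config.maxAge)
@@ -274,7 +293,14 @@ const httpSecurityHeadersMiddleware = (opts = {}) => {
 Object.keys(helmetHtmlOnly).forEach((key) => {
 if (!options[key]) return
 const config = { ...defaults[key], ...options[key] }
-
+if (key === 'contentSecurityPolicy') {
+helmetHtmlOnly[key](options.contentSecurityPolicyReportOnly)(
+request.response.headers,
+config
+)
+} else {
+helmetHtmlOnly[key](request.response.headers, config)
+}
 })
 }
 }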
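Review bot: `helmet.reportingEndpoints` (new lines 209–217) interpolates each configured endpoint URL straight into the quoted member via `key + '="' + config[key] + '"'`, so a value containing `"` or `\` yields a malformed Reporting-Endpoints dictionary (the header is an RFC 8941 dictionary whose sf-string members must backslash-escape those two characters), and the function writes an empty header string when `config` has no keys, which the default `reportingEndpoints: {}` makes reachable depending on how `options` is merged outside this hunk. I would escape the value, build the header from `Object.entries`, skip it when there is nothing to report, and add a comment naming the format, as below. Separately, the `reportTo` change at new line 196 returns `''` for the `includeSubdomains` and `maxAge` keys, but the `.filter` that would drop those entries before the `.join(', ')` at line 206 is not visible in the hunk; if none exists, the Report-To value gains stray `, ` separators. `helmet.reportingEndpoints` is attached to `helmet`, whose dispatch loop lies outside these hunks.
```javascript
helmet.reportingEndpoints = (headers, config) => {
  // Reporting-Endpoints is an RFC 8941 dictionary of name="url" members;
  // `"` and `\` inside the quoted url must be backslash-escaped.
  const quote = (value) => `"${String(value).replace(/["\\]/g, '\\$&')}"`
  const members = Object.entries(config).map(([name, url]) => `${name}=${quote(url)}`)
  if (members.length === 0) return // nothing to report; do not emit an empty header
  headers['Reporting-Endpoints'] = members.join(', ')
}
```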
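--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@middy/http-security-headers",
-"version": "6.0.0-
+"version": "6.0.0-beta.0",
 "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
 "type": "module",
 "engines": {
@@ -67,9 +67,9 @@
 },
 "gitHead": "7a6c0fbb8ab71d6a2171e678697de9f237568431",
 "dependencies": {
-"@middy/util": "6.0.0-
+"@middy/util": "6.0.0-beta.0"
 },
 "devDependencies": {
-"@middy/core": "6.0.0-
+"@middy/core": "6.0.0-beta.0"
 }
 }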