@rayselfs/cf-rule-engine 1.6.2 → 1.8.0

package/README.md

@@ -29,12 +29,12 @@ export default defineViewerRequest([
 **viewer-response** — security and CORS headers:
 
 ```typescript
-import { setSecurityHeaders, setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors/index'
+import { setSecurityHeaders, setCorsHeaders, ORIGIN_WILDCARD } from '@rayselfs/cf-rule-engine/behaviors/index'
 import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
 
 export default defineViewerResponse([
   setSecurityHeaders(),
-  setCorsHeaders({ allowedOrigins: ['https://www.example.com'] }),
+  setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
 ])
 ```
 
@@ -113,6 +113,31 @@ Use `chain()` when one behavior must see the request mutations (URI rewrite, hea
 | `imageOptimize(options)` | ✅ | ✅ |
 | `verifyToken(options)` | ❌ | ✅ |
 
+### setCorsHeaders — OriginPolicy
+
+`allowedOrigins` accepts an `OriginPolicy` that controls how `Access-Control-Allow-Origin` is set:
+
+| Value | Behavior |
+|---|---|
+| `ORIGIN_WILDCARD` (`'*'`) | Static `Access-Control-Allow-Origin: *` — for fully public APIs |
+| `Origin[]` | Compare request `Origin` against the list; echo if matched, skip if not. Supports wildcard subdomains (`https://*.example.com`). |
+| `ORIGIN_ECHO` (`'echo'`) | Echo any request `Origin` if present, skip if none — use with `allowCredentials: true` |
+
+```typescript
+import { setCorsHeaders, ORIGIN_WILDCARD, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors/index'
+
+// Public API
+setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD })
+
+// Restricted — echo only listed origins
+setCorsHeaders({ allowedOrigins: ['https://*.viverse.com', 'https://sdk-api.viverse.com'] })
+
+// Echo any origin (required when allowCredentials: true)
+setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true })
+```
+
+`allowedMethods` and `allowedHeaders` are optional — omit to exclude those headers from the response.
+
 ## Helpers (`@rayselfs/cf-rule-engine/helpers/index`)
 
 Helpers are pre-configured rule factories that combine multiple criteria and behaviors for common use cases.
@@ -134,9 +159,10 @@ Adds `x-cf-distribution: staging` to the response when the request carries `aws-
 
 ```typescript
 import { stagingIndicator } from '@rayselfs/cf-rule-engine/helpers/index'
+import { setCorsHeaders, ORIGIN_WILDCARD } from '@rayselfs/cf-rule-engine/behaviors/index'
 
 defineViewerResponse([
-  setCorsHeaders({ allowedOrigins: ['https://www.example.com'] }),
+  setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
   stagingIndicator(),
 ])
 ```

package/dist/adapters/lambda-edge.d.cts

@@ -1,2 +1,2 @@
 import '../core/types.cjs';
-export { d as defineViewerRequest, a as defineViewerResponse } from '../lambda-edge-9xiONGmR.cjs';
+export { d as defineViewerRequest, a as defineViewerResponse } from '../lambda-edge-D1NHYwvA.cjs';

package/dist/adapters/lambda-edge.d.ts

@@ -1,2 +1,2 @@
 import '../core/types.js';
-export { d as defineViewerRequest, a as defineViewerResponse } from '../lambda-edge-BK3-bFx8.js';
+export { d as defineViewerRequest, a as defineViewerResponse } from '../lambda-edge-DnIvWFGe.js';

package/dist/behaviors/index.cjs

@@ -6,7 +6,7 @@ var _chunkPPUHEL4Hcjs = require('../chunk-PPUHEL4H.cjs');
 var _chunkB4WEJSEZcjs = require('../chunk-B4WEJSEZ.cjs');
 
 
-var _chunkUI6LKDJIcjs = require('../chunk-UI6LKDJI.cjs');
+var _chunk3UXNXJ6Ncjs = require('../chunk-3UXNXJ6N.cjs');
 
 
 var _chunkMSES76XKcjs = require('../chunk-MSES76XK.cjs');
@@ -27,7 +27,7 @@ var _chunkMRPTC74Icjs = require('../chunk-MRPTC74I.cjs');
 var _chunkCV234DQTcjs = require('../chunk-CV234DQT.cjs');
 
 
-var _chunkGK5JX7OMcjs = require('../chunk-GK5JX7OM.cjs');
+var _chunkWAKA4OJDcjs = require('../chunk-WAKA4OJD.cjs');
 
 
 var _chunkZXS23HXAcjs = require('../chunk-ZXS23HXA.cjs');
@@ -123,4 +123,4 @@ function verifyToken(options) {
 
 
 
-exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkMRPTC74Icjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkGK5JX7OMcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunkUI6LKDJIcjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;
+exports.constructResponse = _chunkOSGZTNTScjs.constructResponse; exports.copyHeader = _chunkJU5WX5RUcjs.copyHeader; exports.directoryIndex = _chunkLTLBEBKLcjs.directoryIndex; exports.imageOptimize = _chunkKXC6ES3Bcjs.imageOptimize; exports.redirect = _chunkWWSRNCUPcjs.redirect; exports.removeResponseHeaders = _chunkSGEBNQR2cjs.removeResponseHeaders; exports.rewriteUri = _chunkMRPTC74Icjs.rewriteUri; exports.setCacheControl = _chunkCV234DQTcjs.setCacheControl; exports.setCorsHeaders = _chunkWAKA4OJDcjs.setCorsHeaders; exports.setCsp = _chunkZXS23HXAcjs.setCsp; exports.setRequestHeader = _chunkPPUHEL4Hcjs.setRequestHeader; exports.setResponseHeader = _chunkB4WEJSEZcjs.setResponseHeader; exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders; exports.stripQueryParams = _chunkMSES76XKcjs.stripQueryParams; exports.verifyToken = verifyToken;

package/dist/behaviors/index.js

@@ -6,7 +6,7 @@ import {
 } from "../chunk-RBBKFG5J.js";
 import {
   setSecurityHeaders
-} from "../chunk-VQCRSBWL.js";
+} from "../chunk-O4SOSGAP.js";
 import {
   stripQueryParams
 } from "../chunk-XPQG5IML.js";
@@ -27,7 +27,7 @@ import {
 } from "../chunk-ZTMSH34E.js";
 import {
   setCorsHeaders
-} from "../chunk-SOBTD7AD.js";
+} from "../chunk-SRA2DFKG.js";
 import {
   setCsp
 } from "../chunk-XUI4Y22M.js";

package/dist/behaviors/set-cors-headers.cjs

@@ -1,7 +1,11 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkGK5JX7OMcjs = require('../chunk-GK5JX7OM.cjs');
+
+
+var _chunkWAKA4OJDcjs = require('../chunk-WAKA4OJD.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.setCorsHeaders = _chunkGK5JX7OMcjs.setCorsHeaders;
+
+
+exports.ORIGIN_ECHO = _chunkWAKA4OJDcjs.ORIGIN_ECHO; exports.ORIGIN_WILDCARD = _chunkWAKA4OJDcjs.ORIGIN_WILDCARD; exports.setCorsHeaders = _chunkWAKA4OJDcjs.setCorsHeaders;

package/dist/behaviors/set-cors-headers.d.cts

@@ -1,38 +1,42 @@
 import { ResponseBehaviorFn } from '../core/types.cjs';
 
+declare const ORIGIN_WILDCARD: "*";
+type OriginWildcard = typeof ORIGIN_WILDCARD;
+declare const ORIGIN_ECHO: "echo";
+type OriginEcho = typeof ORIGIN_ECHO;
 /**
- * CORS configuration options for the `setCorsHeaders` behavior.
+ * A valid HTTP origin — must start with `https://` or `http://`.
+ * Supports wildcard subdomains (e.g. `https://*.viverse.com`).
+ */
+type Origin = `https://${string}` | `http://${string}`;
+/**
+ * Controls how `Access-Control-Allow-Origin` is set:
+ * - `ORIGIN_WILDCARD` (`'*'`) — static `*`, allows all origins without inspection
+ * - `Origin[]` — compare request `Origin` header against the list; echo if matched, skip if not
+ * - `ORIGIN_ECHO` (`'echo'`) — echo any request `Origin` if present, skip if none
+ */
+type OriginPolicy = OriginWildcard | Origin[] | OriginEcho;
+/**
+ * CORS configuration options for `setCorsHeaders` and `preflightRequest`.
  */
 interface CorsOptions {
     /**
-     * List of allowed origin patterns. Supports exact strings and wildcard `*` patterns
-     * (e.g. `'https://*.example.com'`). Use `['*']` to allow all origins.
-     * Default: `['*']`
+     * Origin policy. See `OriginPolicy` for details.
      */
-    allowedOrigins?: string[];
-    /**
-     * When `true`, reflects the incoming `Origin` request header as the
-     * `Access-Control-Allow-Origin` response value, provided it matches one of
-     * `allowedOrigins`. Required when `allowCredentials` is `true` (browsers reject
-     * `Access-Control-Allow-Origin: *` with credentials).
-     * Default: `false`
-     */
-    allowOriginEcho?: boolean;
+    allowedOrigins: OriginPolicy;
     /**
      * Value for the `Access-Control-Allow-Methods` header.
-     * Default: `'GET, POST, OPTIONS'`
+     * Omit to exclude the header.
      */
     allowedMethods?: string;
     /**
      * Value for the `Access-Control-Allow-Headers` header.
-     * Default: `'Content-Type, Cache-Control, Pragma, Range'`
+     * Omit to exclude the header.
      */
     allowedHeaders?: string;
     /**
      * When `true`, sets `Access-Control-Allow-Credentials: true`.
-     * Must be used together with `allowOriginEcho: true`; browsers reject
-     * wildcard origins when credentials are present.
-     * Default: `false`
+     * Use with `ORIGIN_ECHO` or `Origin[]` — browsers reject `*` with credentials.
      */
     allowCredentials?: boolean;
     /**
@@ -42,35 +46,32 @@ interface CorsOptions {
     maxAge?: number;
 }
 /**
- * Sets CORS response headers with configurable origin matching, methods, headers,
- * credentials, and preflight cache duration.
- *
- * Akamai equivalent: typically implemented via `modifyOutgoingResponseHeader` rules
- * for each CORS header individually.
+ * Sets CORS response headers with configurable origin policy.
  *
- * @param options - CORS configuration. All fields are optional with safe defaults.
+ * @param options - CORS configuration. `allowedOrigins` is required.
  * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
  *
  * @example
  * ```ts
- * import { setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors'
- * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
+ * import { setCorsHeaders, ORIGIN_WILDCARD, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors/set-cors-headers'
+ * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
  *
- * // Allow all origins (default)
- * export default defineViewerResponse([setCorsHeaders()])
+ * // Public API — static Access-Control-Allow-Origin: *
+ * export default defineViewerResponse([
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
+ * ])
+ *
+ * // Restricted — echo only listed origins (supports wildcard subdomains)
+ * export default defineViewerResponse([
+ *   setCorsHeaders({ allowedOrigins: ['https://*.viverse.com', 'https://sdk-api.viverse.com'] }),
+ * ])
  *
- * // Echo origin with credentials (e.g. for authenticated API endpoints)
+ * // Echo any origin (e.g. for credentialed requests)
  * export default defineViewerResponse([
- *   setCorsHeaders({
- *     allowedOrigins: ['https://www.example.com', 'https://*.example.com'],
- *     allowOriginEcho: true,
- *     allowCredentials: true,
- *     allowedMethods: 'GET, POST, PUT, DELETE, OPTIONS',
- *     maxAge: 86400,
- *   }),
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true }),
  * ])
  * ```
  */
-declare function setCorsHeaders(options?: CorsOptions): ResponseBehaviorFn;
+declare function setCorsHeaders(options: CorsOptions): ResponseBehaviorFn;
 
-export { type CorsOptions, setCorsHeaders };
+export { type CorsOptions, ORIGIN_ECHO, ORIGIN_WILDCARD, type Origin, type OriginEcho, type OriginPolicy, type OriginWildcard, setCorsHeaders };

package/dist/behaviors/set-cors-headers.d.ts

@@ -1,38 +1,42 @@
 import { ResponseBehaviorFn } from '../core/types.js';
 
+declare const ORIGIN_WILDCARD: "*";
+type OriginWildcard = typeof ORIGIN_WILDCARD;
+declare const ORIGIN_ECHO: "echo";
+type OriginEcho = typeof ORIGIN_ECHO;
 /**
- * CORS configuration options for the `setCorsHeaders` behavior.
+ * A valid HTTP origin — must start with `https://` or `http://`.
+ * Supports wildcard subdomains (e.g. `https://*.viverse.com`).
+ */
+type Origin = `https://${string}` | `http://${string}`;
+/**
+ * Controls how `Access-Control-Allow-Origin` is set:
+ * - `ORIGIN_WILDCARD` (`'*'`) — static `*`, allows all origins without inspection
+ * - `Origin[]` — compare request `Origin` header against the list; echo if matched, skip if not
+ * - `ORIGIN_ECHO` (`'echo'`) — echo any request `Origin` if present, skip if none
+ */
+type OriginPolicy = OriginWildcard | Origin[] | OriginEcho;
+/**
+ * CORS configuration options for `setCorsHeaders` and `preflightRequest`.
  */
 interface CorsOptions {
     /**
-     * List of allowed origin patterns. Supports exact strings and wildcard `*` patterns
-     * (e.g. `'https://*.example.com'`). Use `['*']` to allow all origins.
-     * Default: `['*']`
+     * Origin policy. See `OriginPolicy` for details.
      */
-    allowedOrigins?: string[];
-    /**
-     * When `true`, reflects the incoming `Origin` request header as the
-     * `Access-Control-Allow-Origin` response value, provided it matches one of
-     * `allowedOrigins`. Required when `allowCredentials` is `true` (browsers reject
-     * `Access-Control-Allow-Origin: *` with credentials).
-     * Default: `false`
-     */
-    allowOriginEcho?: boolean;
+    allowedOrigins: OriginPolicy;
     /**
      * Value for the `Access-Control-Allow-Methods` header.
-     * Default: `'GET, POST, OPTIONS'`
+     * Omit to exclude the header.
      */
     allowedMethods?: string;
     /**
      * Value for the `Access-Control-Allow-Headers` header.
-     * Default: `'Content-Type, Cache-Control, Pragma, Range'`
+     * Omit to exclude the header.
      */
     allowedHeaders?: string;
     /**
      * When `true`, sets `Access-Control-Allow-Credentials: true`.
-     * Must be used together with `allowOriginEcho: true`; browsers reject
-     * wildcard origins when credentials are present.
-     * Default: `false`
+     * Use with `ORIGIN_ECHO` or `Origin[]` — browsers reject `*` with credentials.
      */
     allowCredentials?: boolean;
     /**
@@ -42,35 +46,32 @@ interface CorsOptions {
     maxAge?: number;
 }
 /**
- * Sets CORS response headers with configurable origin matching, methods, headers,
- * credentials, and preflight cache duration.
- *
- * Akamai equivalent: typically implemented via `modifyOutgoingResponseHeader` rules
- * for each CORS header individually.
+ * Sets CORS response headers with configurable origin policy.
  *
- * @param options - CORS configuration. All fields are optional with safe defaults.
+ * @param options - CORS configuration. `allowedOrigins` is required.
  * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
  *
  * @example
  * ```ts
- * import { setCorsHeaders } from '@rayselfs/cf-rule-engine/behaviors'
- * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
+ * import { setCorsHeaders, ORIGIN_WILDCARD, ORIGIN_ECHO } from '@rayselfs/cf-rule-engine/behaviors/set-cors-headers'
+ * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/viewer-response'
  *
- * // Allow all origins (default)
- * export default defineViewerResponse([setCorsHeaders()])
+ * // Public API — static Access-Control-Allow-Origin: *
+ * export default defineViewerResponse([
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_WILDCARD }),
+ * ])
+ *
+ * // Restricted — echo only listed origins (supports wildcard subdomains)
+ * export default defineViewerResponse([
+ *   setCorsHeaders({ allowedOrigins: ['https://*.viverse.com', 'https://sdk-api.viverse.com'] }),
+ * ])
  *
- * // Echo origin with credentials (e.g. for authenticated API endpoints)
+ * // Echo any origin (e.g. for credentialed requests)
  * export default defineViewerResponse([
- *   setCorsHeaders({
- *     allowedOrigins: ['https://www.example.com', 'https://*.example.com'],
- *     allowOriginEcho: true,
- *     allowCredentials: true,
- *     allowedMethods: 'GET, POST, PUT, DELETE, OPTIONS',
- *     maxAge: 86400,
- *   }),
+ *   setCorsHeaders({ allowedOrigins: ORIGIN_ECHO, allowCredentials: true }),
  * ])
  * ```
  */
-declare function setCorsHeaders(options?: CorsOptions): ResponseBehaviorFn;
+declare function setCorsHeaders(options: CorsOptions): ResponseBehaviorFn;
 
-export { type CorsOptions, setCorsHeaders };
+export { type CorsOptions, ORIGIN_ECHO, ORIGIN_WILDCARD, type Origin, type OriginEcho, type OriginPolicy, type OriginWildcard, setCorsHeaders };

package/dist/behaviors/set-cors-headers.js

@@ -1,7 +1,11 @@
 import {
+  ORIGIN_ECHO,
+  ORIGIN_WILDCARD,
   setCorsHeaders
-} from "../chunk-SOBTD7AD.js";
+} from "../chunk-SRA2DFKG.js";
 import "../chunk-MLKGABMK.js";
 export {
+  ORIGIN_ECHO,
+  ORIGIN_WILDCARD,
   setCorsHeaders
 };

package/dist/behaviors/set-security-headers.cjs

@@ -1,7 +1,7 @@
 "use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-var _chunkUI6LKDJIcjs = require('../chunk-UI6LKDJI.cjs');
+var _chunk3UXNXJ6Ncjs = require('../chunk-3UXNXJ6N.cjs');
 require('../chunk-75ZPJI57.cjs');
 
 
-exports.setSecurityHeaders = _chunkUI6LKDJIcjs.setSecurityHeaders;
+exports.setSecurityHeaders = _chunk3UXNXJ6Ncjs.setSecurityHeaders;

package/dist/behaviors/set-security-headers.d.cts

@@ -1,55 +1,71 @@
 import { ResponseBehaviorFn } from '../core/types.cjs';
 
 /**
- * Options for overriding individual security header values.
- * All fields are optional; omitted fields fall back to their secure defaults.
+ * Options for individual security header values.
+ *
+ * Only headers with a provided value are emitted — omitted fields are **not** added to the
+ * response. There are no built-in defaults; every emitted header value is explicit.
+ *
+ * Pass at least one field.
  */
 interface SecurityHeadersOptions {
     /**
      * Value for the `Strict-Transport-Security` header.
-     * Default: `'max-age=31536000; includeSubDomains'`
+     * Example: `'max-age=31536000; includeSubDomains'`
      */
     hsts?: string;
     /**
      * Value for the `X-Frame-Options` header. Controls whether the page can be
      * embedded in an iframe. Common values: `'DENY'`, `'SAMEORIGIN'`.
-     * Default: `'SAMEORIGIN'`
      */
     xFrameOptions?: string;
     /**
      * Value for the `X-Content-Type-Options` header. Set to `'nosniff'` to
      * prevent browsers from MIME-sniffing the response content type.
-     * Default: `'nosniff'`
      */
     xContentTypeOptions?: string;
+    /**
+     * Value for the `X-XSS-Protection` header.
+     * Example: `'1; mode=block'`
+     *
+     * Note: deprecated in modern browsers but still used for legacy compatibility.
+     */
+    xXssProtection?: string;
 }
 /**
- * Sets common security headers on the outgoing response.
+ * Sets security headers on the outgoing response.
+ *
+ * Only headers explicitly provided in `options` are emitted — there are **no built-in
+ * defaults**. This avoids silently overriding headers set elsewhere in the pipeline and
+ * lets Akamai-migrated properties carry their original values verbatim.
  *
- * Applied headers and their defaults:
- * - `Strict-Transport-Security`: `max-age=31536000; includeSubDomains`
- * - `X-Frame-Options`: `SAMEORIGIN`
- * - `X-Content-Type-Options`: `nosniff`
+ * Supported headers:
+ * - `Strict-Transport-Security` (`hsts`)
+ * - `X-Frame-Options` (`xFrameOptions`)
+ * - `X-Content-Type-Options` (`xContentTypeOptions`)
+ * - `X-XSS-Protection` (`xXssProtection`)
  *
- * Akamai equivalent: `httpStrictTransportSecurity` behavior (HSTS only).
+ * Akamai equivalents: `httpStrictTransportSecurity` (HSTS), `modifyOutgoingResponseHeader`
+ * (frame options, content-type options, XSS protection).
  *
- * @param options - Optional overrides for individual header values.
- * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
+ * @param options - Security header values to set. Pass at least one field.
+ * @returns A `ResponseBehaviorFn` to use in `defineViewerResponse` or a `ResponseRule`.
  *
  * @example
  * ```ts
  * import { setSecurityHeaders } from '@rayselfs/cf-rule-engine/behaviors'
  * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
  *
- * // Apply defaults
- * export default defineViewerResponse([setSecurityHeaders()])
- *
- * // Override HSTS and frame options
  * export default defineViewerResponse([
- *   setSecurityHeaders({ hsts: 'max-age=63072000; includeSubDomains; preload', xFrameOptions: 'DENY' }),
+ *   setSecurityHeaders({
+ *     hsts: 'max-age=31536000; includeSubDomains',
+ *     xFrameOptions: 'SAMEORIGIN',
+ *     xContentTypeOptions: 'nosniff',
+ *     xXssProtection: '1; mode=block',
+ *   }),
  * ])
  * ```
  */
-declare function setSecurityHeaders(options?: SecurityHeadersOptions): ResponseBehaviorFn;
+declare function setSecurityHeaders(options: SecurityHeadersOptions): ResponseBehaviorFn;
 
 export { type SecurityHeadersOptions, setSecurityHeaders };

package/dist/behaviors/set-security-headers.d.ts

@@ -1,55 +1,71 @@
 import { ResponseBehaviorFn } from '../core/types.js';
 
 /**
- * Options for overriding individual security header values.
- * All fields are optional; omitted fields fall back to their secure defaults.
+ * Options for individual security header values.
+ *
+ * Only headers with a provided value are emitted — omitted fields are **not** added to the
+ * response. There are no built-in defaults; every emitted header value is explicit.
+ *
+ * Pass at least one field.
  */
 interface SecurityHeadersOptions {
     /**
      * Value for the `Strict-Transport-Security` header.
-     * Default: `'max-age=31536000; includeSubDomains'`
+     * Example: `'max-age=31536000; includeSubDomains'`
      */
     hsts?: string;
     /**
      * Value for the `X-Frame-Options` header. Controls whether the page can be
      * embedded in an iframe. Common values: `'DENY'`, `'SAMEORIGIN'`.
-     * Default: `'SAMEORIGIN'`
      */
     xFrameOptions?: string;
     /**
      * Value for the `X-Content-Type-Options` header. Set to `'nosniff'` to
      * prevent browsers from MIME-sniffing the response content type.
-     * Default: `'nosniff'`
      */
     xContentTypeOptions?: string;
+    /**
+     * Value for the `X-XSS-Protection` header.
+     * Example: `'1; mode=block'`
+     *
+     * Note: deprecated in modern browsers but still used for legacy compatibility.
+     */
+    xXssProtection?: string;
 }
 /**
- * Sets common security headers on the outgoing response.
+ * Sets security headers on the outgoing response.
+ *
+ * Only headers explicitly provided in `options` are emitted — there are **no built-in
+ * defaults**. This avoids silently overriding headers set elsewhere in the pipeline and
+ * lets Akamai-migrated properties carry their original values verbatim.
  *
- * Applied headers and their defaults:
- * - `Strict-Transport-Security`: `max-age=31536000; includeSubDomains`
- * - `X-Frame-Options`: `SAMEORIGIN`
- * - `X-Content-Type-Options`: `nosniff`
+ * Supported headers:
+ * - `Strict-Transport-Security` (`hsts`)
+ * - `X-Frame-Options` (`xFrameOptions`)
+ * - `X-Content-Type-Options` (`xContentTypeOptions`)
+ * - `X-XSS-Protection` (`xXssProtection`)
  *
- * Akamai equivalent: `httpStrictTransportSecurity` behavior (HSTS only).
+ * Akamai equivalents: `httpStrictTransportSecurity` (HSTS), `modifyOutgoingResponseHeader`
+ * (frame options, content-type options, XSS protection).
  *
- * @param options - Optional overrides for individual header values.
- * @returns A `ResponseBehaviorFn` to use directly in `defineViewerResponse` or wrapped in a `ResponseRule`.
+ * @param options - Security header values to set. Pass at least one field.
+ * @returns A `ResponseBehaviorFn` to use in `defineViewerResponse` or a `ResponseRule`.
  *
  * @example
  * ```ts
  * import { setSecurityHeaders } from '@rayselfs/cf-rule-engine/behaviors'
  * import { defineViewerResponse } from '@rayselfs/cf-rule-engine/adapters/cf-function'
  *
- * // Apply defaults
- * export default defineViewerResponse([setSecurityHeaders()])
- *
- * // Override HSTS and frame options
  * export default defineViewerResponse([
- *   setSecurityHeaders({ hsts: 'max-age=63072000; includeSubDomains; preload', xFrameOptions: 'DENY' }),
+ *   setSecurityHeaders({
+ *     hsts: 'max-age=31536000; includeSubDomains',
+ *     xFrameOptions: 'SAMEORIGIN',
+ *     xContentTypeOptions: 'nosniff',
+ *     xXssProtection: '1; mode=block',
+ *   }),
  * ])
  * ```
  */
-declare function setSecurityHeaders(options?: SecurityHeadersOptions): ResponseBehaviorFn;
+declare function setSecurityHeaders(options: SecurityHeadersOptions): ResponseBehaviorFn;
 
 export { type SecurityHeadersOptions, setSecurityHeaders };

package/dist/behaviors/set-security-headers.js

@@ -1,6 +1,6 @@
 import {
   setSecurityHeaders
-} from "../chunk-VQCRSBWL.js";
+} from "../chunk-O4SOSGAP.js";
 import "../chunk-MLKGABMK.js";
 export {
   setSecurityHeaders

package/dist/chunk-3UXNXJ6N.cjs

@@ -0,0 +1,21 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});// src/behaviors/set-security-headers.ts
+function setSecurityHeaders(options) {
+  return (_request, response) => {
+    const extra = {};
+    if (options.hsts !== void 0)
+      extra["strict-transport-security"] = { value: options.hsts };
+    if (options.xFrameOptions !== void 0)
+      extra["x-frame-options"] = { value: options.xFrameOptions };
+    if (options.xContentTypeOptions !== void 0)
+      extra["x-content-type-options"] = { value: options.xContentTypeOptions };
+    if (options.xXssProtection !== void 0)
+      extra["x-xss-protection"] = { value: options.xXssProtection };
+    return Object.assign({}, response, {
+      headers: Object.assign({}, response.headers, extra)
+    });
+  };
+}
+
+
+
+exports.setSecurityHeaders = setSecurityHeaders;

package/dist/{chunk-H2LO6MQG.js → chunk-3VYYXEER.js}

@@ -1,6 +1,10 @@
 import {
   methodIs
 } from "./chunk-PY3JMRDG.js";
+import {
+  ORIGIN_ECHO,
+  ORIGIN_WILDCARD
+} from "./chunk-SRA2DFKG.js";
 
 // src/helpers/preflight-request.ts
 function matchesOriginPattern(origin, pattern) {
@@ -10,27 +14,33 @@ function matchesOriginPattern(origin, pattern) {
   return new RegExp(`^${escaped}$`).test(origin);
 }
 function preflightRequest(options) {
-  const allowedOrigins = options?.allowedOrigins ?? ["*"];
-  const allowedMethods = options?.allowedMethods ?? "GET, POST, OPTIONS";
-  const allowedHeaders = options?.allowedHeaders ?? "Content-Type, Cache-Control, Pragma, Range";
-  const allowCredentials = options?.allowCredentials ?? false;
-  const maxAge = options?.maxAge;
+  const { allowedOrigins } = options;
+  const allowedMethods = options.allowedMethods ?? "GET, POST, OPTIONS";
+  const allowedHeaders = options.allowedHeaders ?? "Content-Type, Cache-Control, Pragma, Range";
+  const allowCredentials = options.allowCredentials ?? false;
+  const maxAge = options.maxAge;
   return {
     criteria: methodIs(["OPTIONS"]),
     behavior: (request) => {
       let allowOrigin;
-      if (options?.allowOriginEcho) {
-        const originHeader = request.headers["origin"]?.value;
-        allowOrigin = originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p)) ? originHeader : allowedOrigins[0] ?? "*";
+      if (allowedOrigins === ORIGIN_WILDCARD) {
+        allowOrigin = "*";
+      } else if (allowedOrigins === ORIGIN_ECHO) {
+        allowOrigin = request.headers["origin"]?.value;
       } else {
-        allowOrigin = allowedOrigins.includes("*") ? "*" : allowedOrigins[0] ?? "*";
+        const originHeader = request.headers["origin"]?.value;
+        if (originHeader && allowedOrigins.some((p) => matchesOriginPattern(originHeader, p))) {
+          allowOrigin = originHeader;
+        }
       }
       const headers = {
         "cache-control": { value: "no-store" },
-        "access-control-allow-origin": { value: allowOrigin },
         "access-control-allow-methods": { value: allowedMethods },
         "access-control-allow-headers": { value: allowedHeaders }
       };
+      if (allowOrigin !== void 0) {
+        headers["access-control-allow-origin"] = { value: allowOrigin };
+      }
       if (allowCredentials) {
         headers["access-control-allow-credentials"] = { value: "true" };
       }