@react-foundry/fastify-harden 0.1.0

package/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (C) 2019-2025 Crown Copyright
+Copyright (C) 2019-2026 Daniel A.C. Martin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,62 @@
+React Foundry - Fastify Harden
+==============================
+
+Fastify plugin for extra cyber-security hardening.
+
+This adds extra HTTP headers to tell the browser to run in a stricter fashion in
+order to prevent a variety of exploits. It also censors error messages on any
+_Internal Server Errors_ that occur in production (they can still be found in
+the logs.
+
+
+Using this package
+------------------
+
+First install the package into your project:
+
+```shell
+npm install -S @react-foundry/fastify-harden
+```
+
+Then use it in your code as follows:
+
+```js
+import Fastify from 'fastify';
+import fastifyHarden from '@react-foundry/fastify-harden';
+
+const httpd = Fastify({});
+
+await httpd.register(fastifyHarden, {
+});
+
+await httpd.listen({ port: 8080 });
+```
+
+
+Working on this package
+-----------------------
+
+Before working on this package you must install its dependencies using
+the following command:
+
+```shell
+pnpm install
+```
+
+
+### Building
+
+Build the package by compiling the source code.
+
+```shell
+npm run build
+```
+
+
+### Clean-up
+
+Remove any previously built files.
+
+```shell
+npm run clean
+```

package/dist/common.d.ts

@@ -0,0 +1,3 @@
+export type Maybe<T> = T | undefined;
+export declare const id: <T>(v: T) => T;
+export declare const isDefined: (v: any) => boolean;

package/dist/common.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isDefined = exports.id = void 0;
+const id = (v) => v;
+exports.id = id;
+const isDefined = (v) => (v !== undefined && v !== '');
+exports.isDefined = isDefined;

package/dist/common.mjs

@@ -0,0 +1,2 @@
+export const id = (v) => v;
+export const isDefined = (v) => (v !== undefined && v !== '');

package/dist/content-security-policy.d.ts

@@ -0,0 +1,19 @@
+export type Source = '\'none\'' | '\'self\'' | string;
+export type Sources = Source | Source[];
+export type CSPOptions = {
+    dev?: boolean;
+    formAction?: Sources;
+    frameAncestors?: Sources;
+    nonce?: string;
+};
+export type CSPResult = {
+    policy: string;
+    frameOptions?: string;
+};
+type CSP = (x: CSPOptions) => CSPResult;
+export declare const none: Source;
+export declare const self: Source;
+export declare const unsafeEval: Source;
+export declare const unsafeInline: Source;
+export declare const contentSecurityPolicy: CSP;
+export {};

package/dist/content-security-policy.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.contentSecurityPolicy = exports.unsafeInline = exports.unsafeEval = exports.self = exports.none = void 0;
+const common_1 = require("./common");
+exports.none = "'none'";
+exports.self = "'self'";
+exports.unsafeEval = "'unsafe-eval'";
+exports.unsafeInline = "'unsafe-inline'";
+const contentSecurityPolicy = ({ dev = process.env.NODE_ENV === 'development', formAction: _formAction, frameAncestors: _frameAncestors, nonce: _nonce }) => {
+    const formAction = (Array.isArray(_formAction)
+        ? _formAction
+        : [_formAction]).filter(common_1.id);
+    const frameAncestors = (Array.isArray(_frameAncestors)
+        ? _frameAncestors
+        : [_frameAncestors]).filter(common_1.id);
+    const frameAncestor = (frameAncestors.length > 1
+        ? 'multiple'
+        : frameAncestors[0]) || exports.none;
+    const frameOptions = (frameAncestor === 'multiple'
+        ? undefined
+        : (frameAncestor === exports.self
+            ? 'SAMEORIGIN'
+            : 'DENY'));
+    const nonce = _nonce && `'nonce-${_nonce}'`;
+    const cspObject = {
+        'default-src': exports.none,
+        'connect-src': (dev
+            ? [exports.self, 'ws://localhost:*']
+            : exports.self),
+        'font-src': exports.self,
+        'frame-src': exports.self,
+        'img-src': exports.self,
+        'manifest-src': exports.self,
+        'media-src': exports.self,
+        'script-src': [exports.self, nonce],
+        'style-src': [exports.self, exports.unsafeInline],
+        'form-action': formAction.length && formAction || exports.self,
+        'frame-ancestors': frameAncestors.length && frameAncestors || exports.none
+    };
+    const cspString = (Object.keys(cspObject)
+        .map(directive => {
+        const _valueArr = cspObject[directive];
+        const valueArr = (Array.isArray(_valueArr)
+            ? _valueArr
+            : [_valueArr]);
+        const values = (valueArr
+            .filter(common_1.isDefined)
+            .map(v => `${v}`)
+            .join(' '));
+        return (values === ''
+            ? undefined
+            : `${directive} ${values}`);
+    })
+        .filter(common_1.isDefined)
+        .join('; '));
+    return {
+        policy: cspString,
+        frameOptions
+    };
+};
+exports.contentSecurityPolicy = contentSecurityPolicy;

package/dist/content-security-policy.mjs

@@ -0,0 +1,57 @@
+import { id, isDefined } from './common';
+export const none = "'none'";
+export const self = "'self'";
+export const unsafeEval = "'unsafe-eval'";
+export const unsafeInline = "'unsafe-inline'";
+export const contentSecurityPolicy = ({ dev = process.env.NODE_ENV === 'development', formAction: _formAction, frameAncestors: _frameAncestors, nonce: _nonce }) => {
+    const formAction = (Array.isArray(_formAction)
+        ? _formAction
+        : [_formAction]).filter(id);
+    const frameAncestors = (Array.isArray(_frameAncestors)
+        ? _frameAncestors
+        : [_frameAncestors]).filter(id);
+    const frameAncestor = (frameAncestors.length > 1
+        ? 'multiple'
+        : frameAncestors[0]) || none;
+    const frameOptions = (frameAncestor === 'multiple'
+        ? undefined
+        : (frameAncestor === self
+            ? 'SAMEORIGIN'
+            : 'DENY'));
+    const nonce = _nonce && `'nonce-${_nonce}'`;
+    const cspObject = {
+        'default-src': none,
+        'connect-src': (dev
+            ? [self, 'ws://localhost:*']
+            : self),
+        'font-src': self,
+        'frame-src': self,
+        'img-src': self,
+        'manifest-src': self,
+        'media-src': self,
+        'script-src': [self, nonce],
+        'style-src': [self, unsafeInline],
+        'form-action': formAction.length && formAction || self,
+        'frame-ancestors': frameAncestors.length && frameAncestors || none
+    };
+    const cspString = (Object.keys(cspObject)
+        .map(directive => {
+        const _valueArr = cspObject[directive];
+        const valueArr = (Array.isArray(_valueArr)
+            ? _valueArr
+            : [_valueArr]);
+        const values = (valueArr
+            .filter(isDefined)
+            .map(v => `${v}`)
+            .join(' '));
+        return (values === ''
+            ? undefined
+            : `${directive} ${values}`);
+    })
+        .filter(isDefined)
+        .join('; '));
+    return {
+        policy: cspString,
+        frameOptions
+    };
+};

package/dist/index.d.ts

@@ -0,0 +1,14 @@
+import type { FastifyPluginCallback, FastifyReply as _FastifyReply } from 'fastify';
+import type { CSPOptions } from './content-security-policy';
+import type { PPOptions } from './permissions-policy';
+type FastifyHardenPluginOptions = {
+    contentSecurityPolicy?: Omit<CSPOptions, 'dev' | 'nonce'>;
+    dev?: boolean;
+    permissionsPolicy?: PPOptions;
+};
+export type FastifyReply = _FastifyReply & {
+    cspNonce?: string;
+};
+export declare const fastifyHarden: FastifyPluginCallback<FastifyHardenPluginOptions>;
+export default fastifyHarden;
+export type { FastifyHardenPluginOptions as FastifyHardenOptions };

package/dist/index.js

@@ -0,0 +1,56 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fastifyHarden = void 0;
+const fastify_plugin_1 = __importDefault(require("fastify-plugin"));
+const permissions_policy_1 = require("./permissions-policy");
+const content_security_policy_1 = require("./content-security-policy");
+const fastifyHardenPlugin = async (fastify, { contentSecurityPolicy: cspOptions = {}, dev = process.env.NODE_ENV === 'development', permissionsPolicy: ppOptions = {} }) => {
+    if (!dev) {
+        fastify.setErrorHandler((error, req, reply) => {
+            const statusCode = error && error.statusCode;
+            if (!statusCode || statusCode === 500) {
+                error.message = 'An unexpected error occurred.';
+            }
+            reply.send(error);
+        });
+    }
+    fastify.addHook('preHandler', async (_req, reply) => {
+        const nonce = (Math.random()
+            .toString(36)
+            .slice(2));
+        reply.cspNonce = nonce;
+    });
+    fastify.addHook('onSend', async (_req, reply, payload) => {
+        const nonce = reply.cspNonce;
+        const headers = reply.getHeaders();
+        const { policy: pp } = (0, permissions_policy_1.permissionsPolicy)(ppOptions);
+        const { policy: csp, frameOptions } = (0, content_security_policy_1.contentSecurityPolicy)({
+            ...cspOptions,
+            dev,
+            nonce
+        });
+        if (!headers['cache-control']) {
+            reply.header('Cache-Control', 'no-cache, no-store, must-revalidate, private');
+            reply.header('Pragma', 'no-cache');
+            reply.header('Expires', '0');
+            reply.header('Cross-Origin-Embedder-Policy', 'require-corp');
+            reply.header('Cross-Origin-Resource-Policy', 'same-origin');
+            reply.header('Cross-Origin-Opener-Policy', 'same-origin');
+        }
+        reply.header('X-Content-Type-Options', 'nosniff');
+        if (frameOptions) {
+            reply.header('X-Frame-Options', frameOptions);
+        }
+        reply.header('Content-Security-Policy', csp);
+        reply.header('Permissions-Policy', pp);
+        return payload;
+    });
+};
+exports.fastifyHarden = (0, fastify_plugin_1.default)(fastifyHardenPlugin, {
+    fastify: '5.x',
+    name: 'harden',
+});
+exports.default = exports.fastifyHarden;

package/dist/index.mjs

@@ -0,0 +1,50 @@
+import fp from 'fastify-plugin';
+import { permissionsPolicy } from './permissions-policy';
+import { contentSecurityPolicy } from './content-security-policy';
+const fastifyHardenPlugin = async (fastify, { contentSecurityPolicy: cspOptions = {}, dev = process.env.NODE_ENV === 'development', permissionsPolicy: ppOptions = {} }) => {
+    if (!dev) {
+        fastify.setErrorHandler((error, req, reply) => {
+            const statusCode = error && error.statusCode;
+            if (!statusCode || statusCode === 500) {
+                error.message = 'An unexpected error occurred.';
+            }
+            reply.send(error);
+        });
+    }
+    fastify.addHook('preHandler', async (_req, reply) => {
+        const nonce = (Math.random()
+            .toString(36)
+            .slice(2));
+        reply.cspNonce = nonce;
+    });
+    fastify.addHook('onSend', async (_req, reply, payload) => {
+        const nonce = reply.cspNonce;
+        const headers = reply.getHeaders();
+        const { policy: pp } = permissionsPolicy(ppOptions);
+        const { policy: csp, frameOptions } = contentSecurityPolicy({
+            ...cspOptions,
+            dev,
+            nonce
+        });
+        if (!headers['cache-control']) {
+            reply.header('Cache-Control', 'no-cache, no-store, must-revalidate, private');
+            reply.header('Pragma', 'no-cache');
+            reply.header('Expires', '0');
+            reply.header('Cross-Origin-Embedder-Policy', 'require-corp');
+            reply.header('Cross-Origin-Resource-Policy', 'same-origin');
+            reply.header('Cross-Origin-Opener-Policy', 'same-origin');
+        }
+        reply.header('X-Content-Type-Options', 'nosniff');
+        if (frameOptions) {
+            reply.header('X-Frame-Options', frameOptions);
+        }
+        reply.header('Content-Security-Policy', csp);
+        reply.header('Permissions-Policy', pp);
+        return payload;
+    });
+};
+export const fastifyHarden = fp(fastifyHardenPlugin, {
+    fastify: '5.x',
+    name: 'harden',
+});
+export default fastifyHarden;

package/dist/permissions-policy.d.ts

@@ -0,0 +1,4 @@
+export type PPOptions = {};
+export declare const permissionsPolicy: (_options: PPOptions) => {
+    policy: string;
+};

package/dist/permissions-policy.js

@@ -0,0 +1,83 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.permissionsPolicy = void 0;
+const common_1 = require("./common");
+const keywords = [
+    'self',
+    'src'
+];
+const ppObj = {
+    'accelerometer': 'self',
+    'ambient-light-sensor': 'self',
+    'attribution-reporting': 'self',
+    'autoplay': 'self',
+    'battery': 'self',
+    'bluetooth': 'self',
+    'browsing-topics': 'self',
+    'camera': 'self',
+    'clipboard-read': 'self',
+    'clipboard-write': 'self',
+    'compute-pressure': 'self',
+    'conversion-measurement': 'self',
+    'cross-origin-isolated': 'self',
+    'display-capture': 'self',
+    'document-domain': 'self',
+    'encrypted-media': 'self',
+    'execution-while-not-rendered': 'self',
+    'execution-while-out-of-viewport': 'self',
+    'focus-without-user-activation': 'self',
+    'fullscreen': 'self',
+    'gamepad': 'self',
+    'geolocation': 'self',
+    'gyroscope': 'self',
+    'keyboard-map': 'self',
+    'hid': 'self',
+    'identity-credentials-get': 'self',
+    'idle-detection': 'self',
+    'interest-cohort': 'self',
+    'local-fonts': 'self',
+    'magnetometer': 'self',
+    'microphone': 'self',
+    'midi': 'self',
+    'navigation-override': 'self',
+    'otp-credentials': 'self',
+    'payment': 'self',
+    'picture-in-picture': 'self',
+    'publickey-credentials-create': 'self',
+    'publickey-credentials-get': 'self',
+    'screen-wake-lock': 'self',
+    'serial': 'self',
+    'speaker-selection': 'self',
+    'storage-access': 'self',
+    'sync-script': 'self',
+    'sync-xhr': 'self',
+    'trust-token-redemption': 'self',
+    'unload': 'self',
+    'usb': 'self',
+    'web-share': 'self',
+    'window-management': 'self',
+    'window-placement': 'self',
+    'vertical-scroll': 'self',
+    'xr-spatial-tracking': 'self'
+};
+const permissionsPolicy = (_options) => ({
+    policy: Object.keys(ppObj)
+        .map(directive => {
+        const _valueArr = ppObj[directive];
+        const valueArr = (Array.isArray(_valueArr)
+            ? _valueArr
+            : [_valueArr]);
+        const values = (valueArr
+            .filter(common_1.isDefined)
+            .map(v => (keywords.includes(v)
+            ? v
+            : `"${v}"`))
+            .join(' '));
+        return (values === ''
+            ? undefined
+            : `${directive}=(${values})`);
+    })
+        .filter(common_1.isDefined)
+        .join(', ')
+});
+exports.permissionsPolicy = permissionsPolicy;

package/dist/permissions-policy.mjs

@@ -0,0 +1,79 @@
+import { isDefined } from './common';
+const keywords = [
+    'self',
+    'src'
+];
+const ppObj = {
+    'accelerometer': 'self',
+    'ambient-light-sensor': 'self',
+    'attribution-reporting': 'self',
+    'autoplay': 'self',
+    'battery': 'self',
+    'bluetooth': 'self',
+    'browsing-topics': 'self',
+    'camera': 'self',
+    'clipboard-read': 'self',
+    'clipboard-write': 'self',
+    'compute-pressure': 'self',
+    'conversion-measurement': 'self',
+    'cross-origin-isolated': 'self',
+    'display-capture': 'self',
+    'document-domain': 'self',
+    'encrypted-media': 'self',
+    'execution-while-not-rendered': 'self',
+    'execution-while-out-of-viewport': 'self',
+    'focus-without-user-activation': 'self',
+    'fullscreen': 'self',
+    'gamepad': 'self',
+    'geolocation': 'self',
+    'gyroscope': 'self',
+    'keyboard-map': 'self',
+    'hid': 'self',
+    'identity-credentials-get': 'self',
+    'idle-detection': 'self',
+    'interest-cohort': 'self',
+    'local-fonts': 'self',
+    'magnetometer': 'self',
+    'microphone': 'self',
+    'midi': 'self',
+    'navigation-override': 'self',
+    'otp-credentials': 'self',
+    'payment': 'self',
+    'picture-in-picture': 'self',
+    'publickey-credentials-create': 'self',
+    'publickey-credentials-get': 'self',
+    'screen-wake-lock': 'self',
+    'serial': 'self',
+    'speaker-selection': 'self',
+    'storage-access': 'self',
+    'sync-script': 'self',
+    'sync-xhr': 'self',
+    'trust-token-redemption': 'self',
+    'unload': 'self',
+    'usb': 'self',
+    'web-share': 'self',
+    'window-management': 'self',
+    'window-placement': 'self',
+    'vertical-scroll': 'self',
+    'xr-spatial-tracking': 'self'
+};
+export const permissionsPolicy = (_options) => ({
+    policy: Object.keys(ppObj)
+        .map(directive => {
+        const _valueArr = ppObj[directive];
+        const valueArr = (Array.isArray(_valueArr)
+            ? _valueArr
+            : [_valueArr]);
+        const values = (valueArr
+            .filter(isDefined)
+            .map(v => (keywords.includes(v)
+            ? v
+            : `"${v}"`))
+            .join(' '));
+        return (values === ''
+            ? undefined
+            : `${directive}=(${values})`);
+    })
+        .filter(isDefined)
+        .join(', ')
+});

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@react-foundry/fastify-harden",
+  "version": "0.1.0",
+  "description": "Fastify plugin for extra cyber-security hardening.",
+  "main": "dist/index.js",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js",
+      "default": "./dist/index.mjs"
+    }
+  },
+  "files": [
+    "/dist"
+  ],
+  "author": "Daniel A.C. Martin <npm@daniel-martin.co.uk> (http://daniel-martin.co.uk/)",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "fastify-plugin": "^5.1.0"
+  },
+  "devDependencies": {
+    "fastify": "5.7.1",
+    "jest": "30.2.0",
+    "jest-environment-jsdom": "30.2.0",
+    "ts-jest": "29.4.6",
+    "typescript": "5.9.3"
+  },
+  "scripts": {
+    "test": "NODE_OPTIONS=--experimental-vm-modules jest",
+    "build": "npm run build:esm && npm run build:cjs",
+    "build:esm": "tsc -m es2022 && find dist -name '*.js' -exec sh -c 'mv \"$0\" \"${0%.js}.mjs\"' {} \\;",
+    "build:cjs": "tsc",
+    "clean": "rm -rf dist tsconfig.tsbuildinfo"
+  },
+  "module": "dist/index.mjs",
+  "typings": "dist/index.d.ts"
+}