npm - @sourceregistry/node-webserver - Versions diffs - 1.3.1 → 1.4.0 - Mend

@sourceregistry/node-webserver 1.3.1 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +111 -60
package/dist/app.d.ts +1 -0
package/dist/index.cjs.js +2 -2
package/dist/index.cjs.js.map +1 -1
package/dist/index.es.js +251 -123
package/dist/index.es.js.map +1 -1
package/dist/middlewares/index.d.ts +3 -0
package/dist/middlewares/requestid/index.d.ts +16 -0
package/dist/middlewares/security/index.d.ts +39 -0
package/dist/middlewares/timeout/index.d.ts +22 -0
package/dist/types/router.d.ts +0 -1
package/dist/types/server.d.ts +30 -3
package/examples/public-baseline.ts +75 -0
package/package.json +1 -1

package/dist/index.es.js CHANGED Viewed

@@ -1,36 +1,37 @@
-import { createServer as e } from "http";
-import { createServer as t } from "https";
-import { TLSSocket as n } from "tls";
-import { Readable as r, Transform as i, Writable as a } from "stream";
-import { WebSocket as o, WebSocketServer as s } from "ws";
-import { parse as c, serialize as l } from "cookie";
-import { createReadStream as u } from "node:fs";
-import { lstat as d, realpath as f, stat as p } from "node:fs/promises";
-import { extname as m, isAbsolute as h, relative as g, resolve as _, sep as v } from "node:path";
-import { Readable as y } from "node:stream";
+import { randomUUID as e } from "node:crypto";
+import { createServer as t } from "http";
+import { createServer as n } from "https";
+import { TLSSocket as r } from "tls";
+import { Readable as i, Transform as a, Writable as o } from "stream";
+import { WebSocket as s, WebSocketServer as c } from "ws";
+import { parse as l, serialize as u } from "cookie";
+import { createReadStream as d } from "node:fs";
+import { lstat as f, realpath as p, stat as m } from "node:fs/promises";
+import { extname as h, isAbsolute as g, relative as _, resolve as v, sep as y } from "node:path";
+import { Readable as b } from "node:stream";
 //#region \0rolldown/runtime.js
-var b = Object.defineProperty, x = (e, t) => {
+var x = Object.defineProperty, S = (e, t) => {
 	let n = {};
-	for (var r in e) b(n, r, {
+	for (var r in e) x(n, r, {
 		get: e[r],
 		enumerable: !0
 	});
-	return t || b(n, Symbol.toStringTag, { value: "Module" }), n;
+	return t || x(n, Symbol.toStringTag, { value: "Module" }), n;
 };
 //#endregion
 //#region src/utils.ts
-function S(e) {
-	return w(e) && e.status >= 400 && e.status < 600;
-}
 function C(e) {
-	return w(e) && e.status >= 300 && e.status < 400;
+	return T(e) && e.status >= 400 && e.status < 600;
 }
 function w(e) {
+	return T(e) && e.status >= 300 && e.status < 400;
+}
+function T(e) {
 	return e instanceof Response;
 }
 //#endregion
 //#region src/middlewares/ratelimiter/InMemory.ts
-var T = class {
+var E = class {
 	constructor(e) {
 		this.data = /* @__PURE__ */ new Map(), this.windowMs = e.windowMs, this.startCleanup();
 	}
@@ -56,9 +57,9 @@ var T = class {
 	async resetAll() {
 		this.data.clear();
 	}
-}, E = /* @__PURE__ */ x({ fixedWindowLimit: () => D });
-function D(e) {
-	let { windowMs: t = 6e4, max: n, key: r = (e) => e.getClientAddress(), message: i = "Too many requests, please try again later.", statusCode: a = 429, headers: o = "include", onRateLimit: s, store: c = new T({ windowMs: t }) } = e;
+}, D = /* @__PURE__ */ S({ fixedWindowLimit: () => O });
+function O(e) {
+	let { windowMs: t = 6e4, max: n, key: r = (e) => e.getClientAddress(), message: i = "Too many requests, please try again later.", statusCode: a = 429, headers: o = "include", onRateLimit: s, store: c = new E({ windowMs: t }) } = e;
 	return async (e, t) => {
 		let l = `rl:${r(e)}`, { current: u, reset: d } = await c.incr(l), f = Math.ceil((d - Date.now()) / 1e3);
 		if (u > n) {
@@ -98,7 +99,7 @@ function D(e) {
 }
 //#endregion
 //#region src/middlewares/cros/index.ts
-var O = /* @__PURE__ */ x({ policy: () => P }), k = [
+var ee = /* @__PURE__ */ S({ policy: () => M }), te = [
 	"GET",
 	"POST",
 	"PUT",
@@ -106,13 +107,13 @@ var O = /* @__PURE__ */ x({ policy: () => P }), k = [
 	"PATCH",
 	"HEAD",
 	"OPTIONS"
-], A = [
+], ne = [
 	"Accept",
 	"Accept-Language",
 	"Content-Language",
 	"Content-Type",
 	"Range"
-], j = [
+], k = [
 	"Authorization",
 	"X-Auth-Token",
 	"X-Requested-With",
@@ -122,21 +123,21 @@ var O = /* @__PURE__ */ x({ policy: () => P }), k = [
 	"X-Real-IP",
 	"X-Custom-Header"
 ];
-function M(e, t) {
-	return !e || !t ? !1 : t === "*" ? !0 : t === "null" ? e === "null" : Array.isArray(t) ? t.some((t) => M(e, t)) : typeof t == "function" ? t(e) : t instanceof RegExp ? t.test(e) : e === t;
+function A(e, t) {
+	return !e || !t ? !1 : t === "*" ? !0 : t === "null" ? e === "null" : Array.isArray(t) ? t.some((t) => A(e, t)) : typeof t == "function" ? t(e) : t instanceof RegExp ? t.test(e) : e === t;
 }
-function N(e, t) {
+function j(e, t) {
 	let { origin: n = "*" } = t;
-	return e ? n === "*" ? t.credentials ? e : "*" : M(e, n) ? e : null : n === "*" ? "*" : null;
+	return e ? n === "*" ? t.credentials ? e : "*" : A(e, n) ? e : null : n === "*" ? "*" : null;
 }
-function P(e = {}) {
-	let { methods: t = k, allowedHeaders: n = j, exposedHeaders: r, credentials: i = !1, maxAge: a = 86400, onResponse: o } = e, s = t.join(","), c = [...A, ...n].join(","), l = [
+function M(e = {}) {
+	let { methods: t = te, allowedHeaders: n = k, exposedHeaders: r, credentials: i = !1, maxAge: a = 86400, onResponse: o } = e, s = t.join(","), c = [...ne, ...n].join(","), l = [
 		["Vary", "Origin,Access-Control-Request-Method,Access-Control-Request-Headers"],
 		["Access-Control-Allow-Methods", s],
 		["Access-Control-Allow-Headers", c]
 	];
 	return r && l.push(["Access-Control-Expose-Headers", r.join(",")]), i && l.push(["Access-Control-Allow-Credentials", "true"]), a && l.push(["Access-Control-Max-Age", a.toString()]), async (t, n) => {
-		let r = t.request, i = r.headers.get("Origin"), a = r.method === "OPTIONS" && i !== null && r.headers.has("Access-Control-Request-Method"), s = N(i, e);
+		let r = t.request, i = r.headers.get("Origin"), a = r.method === "OPTIONS" && i !== null && r.headers.has("Access-Control-Request-Method"), s = j(i, e);
 		if (a) {
 			if (!s) return new Response(null, { status: 403 });
 			let e = new Response(null, { status: 204 });
@@ -158,8 +159,83 @@ function P(e = {}) {
 	};
 }
 //#endregion
+//#region src/middlewares/security/index.ts
+var N = /* @__PURE__ */ S({ headers: () => F }), P = {
+	contentSecurityPolicy: "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'",
+	frameOptions: "DENY",
+	referrerPolicy: "no-referrer",
+	permissionsPolicy: "geolocation=(), microphone=(), camera=()",
+	crossOriginOpenerPolicy: "same-origin",
+	crossOriginResourcePolicy: "same-origin",
+	strictTransportSecurity: !1
+};
+function F(e = {}) {
+	let t = {
+		...P,
+		...e
+	};
+	return async (e, n) => {
+		let r = await n();
+		if (!r) return;
+		let i = new Headers(r.headers);
+		return I(i, "content-security-policy", t.contentSecurityPolicy), I(i, "x-frame-options", t.frameOptions), I(i, "referrer-policy", t.referrerPolicy), I(i, "permissions-policy", t.permissionsPolicy), I(i, "cross-origin-opener-policy", t.crossOriginOpenerPolicy), I(i, "cross-origin-resource-policy", t.crossOriginResourcePolicy), I(i, "strict-transport-security", t.strictTransportSecurity), new Response(r.body, {
+			status: r.status,
+			statusText: r.statusText,
+			headers: i
+		});
+	};
+}
+function I(e, t, n) {
+	!n || e.has(t) || e.set(t, n);
+}
+//#endregion
+//#region src/middlewares/requestid/index.ts
+var L = /* @__PURE__ */ S({ assign: () => R });
+function R(t = {}) {
+	let n = t.headerName?.toLowerCase() ?? "x-request-id", r = t.generate ?? e;
+	return async (e, t) => {
+		let i = e.request.headers.get(n) ?? r();
+		Object.assign(e.locals, { requestId: i });
+		let a = await t();
+		if (!a) return;
+		if (a.headers.has(n)) return a;
+		let o = new Headers(a.headers);
+		return o.set(n, i), new Response(a.body, {
+			status: a.status,
+			statusText: a.statusText,
+			headers: o
+		});
+	};
+}
+//#endregion
+//#region src/middlewares/timeout/index.ts
+var z = /* @__PURE__ */ S({ deadline: () => B });
+function B(e) {
+	let { ms: t, status: n = 504, body: r = "Gateway Timeout", onTimeout: i } = e;
+	if (!Number.isFinite(t) || t <= 0) throw TypeError("Timeout.deadline requires a positive ms value");
+	return async (e, a) => {
+		let o = e.request, s = new AbortController(), c = () => s.abort();
+		o.signal.addEventListener("abort", c, { once: !0 });
+		let l = AbortSignal.any([o.signal, s.signal]);
+		e.request = new Request(o, {
+			signal: l,
+			duplex: o.body ? "half" : void 0
+		});
+		let u;
+		try {
+			return await Promise.race([a(), new Promise((e) => {
+				u = setTimeout(() => {
+					s.abort(), i?.(), e(new Response(r, { status: n }));
+				}, t);
+			})]);
+		} finally {
+			o.signal.removeEventListener("abort", c), u && clearTimeout(u);
+		}
+	};
+}
+//#endregion
 //#region src/types/RequestMethod.ts
-var F = [
+var V = [
 	"GET",
 	"PUT",
 	"POST",
@@ -167,7 +243,7 @@ var F = [
 	"PATCH",
 	"HEAD",
 	"OPTIONS"
-], I = class {
+], H = class {
 	static {
 		this.cache = /* @__PURE__ */ new Map();
 	}
@@ -177,7 +253,7 @@ var F = [
 	static set(e, t) {
 		this.cache.set(e, t);
 	}
-}, L = class e {
+}, U = class {
 	constructor() {
 		this._routes = [], this._wsRoutes = [], this._nestedRouters = [], this._middlewares = [], this._preHandlers = [], this._postHandlers = [], this.routesSorted = !1, this.wsRoutesSorted = !1;
 	}
@@ -209,7 +285,7 @@ var F = [
 		return this.addHandler("OPTIONS", e, t, n);
 	}
 	USE(e, t, ...n) {
-		return F.forEach((r) => this.addHandler(r, e, t, n)), this;
+		return V.forEach((r) => this.addHandler(r, e, t, n)), this;
 	}
 	action(e, t, ...n) {
 		return this.addHandler("POST", e, async (e) => {
@@ -300,7 +376,10 @@ var F = [
 			if (!r.regex.test(n)) continue;
 			let i = n.match(r.regex);
 			if (!i) continue;
-			let a = Object.fromEntries(r.paramNames.map((e, t) => [e, i[t + 1] || ""])), o = {
+			let a = Object.fromEntries(r.paramNames.map((e, t) => {
+				let n = i[t + 1];
+				return n === void 0 ? void 0 : [e, decodeURIComponent(n)];
+			}).filter((e) => e !== void 0)), o = {
 				...e,
 				params: {
 					...e.params,
@@ -312,7 +391,7 @@ var F = [
 				},
 				websocket: t
 			}, s = [...this._middlewares, ...r.middlewares];
-			if (await this.applyMiddlewaresWithList(o, s, () => r.handler(o)) === void 0) return !0;
+			if (await this.applyMiddlewaresWithList(o, s, () => r.handler(o)) !== void 0) return !0;
 		}
 		return !1;
 	}
@@ -326,7 +405,7 @@ var F = [
 			let i = r || new Response("No Content", { status: 204 });
 			return await this.runPostHandlers(e, i);
 		} catch (e) {
-			if (w(e)) return e;
+			if (T(e)) return e;
 			throw e;
 		}
 	}
@@ -362,7 +441,7 @@ var F = [
 		}), this.routesSorted = !1, this;
 	}
 	createPathRegex(e) {
-		let t = I.get(e);
+		let t = H.get(e);
 		if (t) return t;
 		let n = [], r = !1, i, a = e.split("/").filter(Boolean);
 		i = a.reduce((e, t) => t.startsWith("[...") ? e - 10 : t.startsWith("[[") ? e - 5 : t.startsWith("[") ? e - 1 : e + 1, 0);
@@ -385,7 +464,7 @@ var F = [
 			isCatchAll: r,
 			priority: i
 		};
-		return I.set(e, s), s;
+		return H.set(e, s), s;
 	}
 	createPrefixRegex(e) {
 		let t = [], n = !1, r, i = e.split("/").filter(Boolean);
@@ -416,9 +495,14 @@ var F = [
 		let n = t.match(e.regex);
 		if (!n) return {};
 		let r = {};
-		return e.isCatchAll && e.paramNames.length === 1 ? r[e.paramNames[0]] = n[1]?.replace(/^\//, "") || "" : e.paramNames.forEach((e, t) => {
-			r[e] = n[t + 1] || "";
-		}), r;
+		if (e.isCatchAll && e.paramNames.length === 1) {
+			let t = n[1]?.replace(/^\//, "");
+			t !== void 0 && (r[e.paramNames[0]] = decodeURIComponent(t));
+		} else e.paramNames.forEach((e, t) => {
+			let i = n[t + 1];
+			i !== void 0 && (r[e] = decodeURIComponent(i));
+		});
+		return r;
 	}
 	async handleNestedRouters(e, t) {
 		let n = [...this._nestedRouters].sort((e, t) => t.priority - e.priority);
@@ -442,7 +526,10 @@ var F = [
 			if (!a.regex.test(n) || (r.add(a.method), a.method === "GET" && (i = !0, r.add("HEAD")), !(a.method === t || t === "HEAD" && a.method === "GET"))) continue;
 			let o = n.match(a.regex);
 			if (!o) continue;
-			let s = Object.fromEntries(a.paramNames.map((e, t) => [e, o[t + 1] || ""]));
+			let s = Object.fromEntries(a.paramNames.map((e, t) => {
+				let n = o[t + 1];
+				return n === void 0 ? void 0 : [e, decodeURIComponent(n)];
+			}).filter((e) => e !== void 0));
 			return e.params = {
 				...e.params,
 				...s
@@ -470,20 +557,17 @@ var F = [
 		this._wsRoutes.sort((e, t) => t.priority - e.priority), this.wsRoutesSorted = !0;
 	}
 	formatActionResult(e) {
-		return e instanceof Response ? e : e?.type === "failure" && "status" in e ? R.fail(e.status, e.data) : R.success(200, e ?? void 0);
+		return e instanceof Response ? e : e?.type === "failure" && "status" in e ? W.fail(e.status, e.data) : W.success(200, e ?? void 0);
 	}
 	handleActionError(e) {
-		if (S(e)) return R.error(e.status, { message: e.statusText || "Error" });
-		if (C(e)) {
+		if (C(e)) return W.error(e.status, { message: e.statusText || "Error" });
+		if (w(e)) {
 			let t = e.headers.get("Location") || "/";
-			return R.redirect(e.status, t);
+			return W.redirect(e.status, t);
 		}
-		return console.error(e), R.error(500, { message: "Internal Server Error" });
+		return console.error(e), W.error(500, { message: "Internal Server Error" });
 	}
-	static New() {
-		return new e();
-	}
-}, R = {
+}, W = {
 	success: (e = 200, t) => new Response(JSON.stringify({
 		data: t,
 		type: "success",
@@ -516,21 +600,21 @@ var F = [
 		status: e,
 		headers: { "Content-Type": "application/json" }
 	})
-}, z = class {
+}, re = class {
 	constructor(e, t) {
 		this.raw = e.headers.get("cookie") ?? "", this.setCookieHeader = t;
 	}
 	get(e, t) {
-		return c(this.raw, t)[e];
+		return l(this.raw, t)[e];
 	}
 	getAll(e) {
-		return Object.entries(c(this.raw, e)).filter(([, e]) => e !== void 0).map(([e, t]) => ({
+		return Object.entries(l(this.raw, e)).filter(([, e]) => e !== void 0).map(([e, t]) => ({
 			name: e,
 			value: t
 		}));
 	}
 	set(e, t, n) {
-		this.setCookieHeader(l(e, t, n));
+		this.setCookieHeader(u(e, t, n));
 	}
 	delete(e, t) {
 		this.set(e, "", {
@@ -538,28 +622,28 @@ var F = [
 			maxAge: 0
 		});
 	}
-}, B = class extends Error {
+}, G = class extends Error {
 	constructor(e = "Payload Too Large") {
 		super(e), this.status = 413, this.name = "PayloadTooLargeError";
 	}
-}, V = class extends L {
+}, K = class extends U {
 	constructor(e) {
 		super(), this.upgradeHandlerInstalled = !1, this.config = e ?? {
 			type: "http",
 			options: {}
-		}, this.wss = new s({
+		}, this.wss = new c({
 			noServer: !0,
 			maxPayload: this.config.security?.maxWebSocketPayload ?? 1024 * 1024
 		});
 	}
 	get server() {
 		if (!this._server) {
-			let n = (e, t) => {
+			let e = (e, t) => {
 				this.handleRequest(e, t).catch((e) => {
 					console.error("Unhandled request error:", e), t.statusCode = 500, t.end("Internal Server Error");
 				});
 			};
-			this._server = this.config.type === "https" ? t(this.config.options, n) : e(this.config.options, n);
+			this._server = this.config.type === "https" ? n(this.config.options, e) : t(this.config.options, e), this.configureServerTimeouts(this._server);
 		}
 		return this._server;
 	}
@@ -580,7 +664,7 @@ var F = [
 				return;
 			}
 			let a = this.toRequestEvent(i, r, {
-				getClientAddress: () => e.socket.remoteAddress ?? "127.0.0.1",
+				getClientAddress: () => this.getClientAddress(e),
 				setHeader: () => {},
 				pushSetCookie: () => {}
 			});
@@ -591,9 +675,9 @@ var F = [
 				}
 				this.wss.handleUpgrade(e, t, n, (e) => {
 					this.handleWebSocket(a, e).then((t) => {
-						!t && e.readyState === o.OPEN && e.close(1008, "Route not found");
+						!t && e.readyState === s.OPEN && e.close(1008, "Route not found");
 					}).catch((t) => {
-						console.error("WebSocket routing error:", t), e.readyState === o.OPEN && e.close(1011, "Internal error");
+						console.error("WebSocket routing error:", t), e.readyState === s.OPEN && e.close(1011, "Internal error");
 					});
 				});
 			}).catch(() => t.destroy());
@@ -618,7 +702,7 @@ var F = [
 		let n = new AbortController(), r = () => n.abort();
 		e.once("aborted", r), e.once("close", r), t.once("close", r);
 		let i = this.toWebRequest(e, n.signal), a = new URL(i.url), o = {}, s = [], c = this.toRequestEvent(i, a, {
-			getClientAddress: () => e.socket.remoteAddress ?? "127.0.0.1",
+			getClientAddress: () => this.getClientAddress(e),
 			setHeader: (e, t) => {
 				o[e.toLowerCase()] = t;
 			},
@@ -638,21 +722,21 @@ var F = [
 		let n = this.toURL(e, !1);
 		return this.toRequest(e, n, !1, t);
 	}
-	toRequest(e, t, n, i) {
+	toRequest(e, t, n, r) {
 		let a = {
 			method: n ? "GET" : e.method,
 			headers: this.toHeaders(e.headers),
-			signal: i,
+			signal: r,
 			duplex: "half"
 		};
-		return !n && e.method !== "GET" && e.method !== "HEAD" && (a.body = r.toWeb(this.wrapRequestBody(e))), new Request(t, a);
+		return !n && e.method !== "GET" && e.method !== "HEAD" && (a.body = i.toWeb(this.wrapRequestBody(e))), new Request(t, a);
 	}
 	wrapRequestBody(e) {
 		let t = this.config.security?.maxRequestBodySize;
 		if (!t) return e;
-		let n = 0, r = new i({ transform(e, r, i) {
+		let n = 0, r = new a({ transform(e, r, i) {
 			if (n += Buffer.byteLength(e), n > t) {
-				i(new B());
+				i(new G());
 				return;
 			}
 			i(null, e);
@@ -660,14 +744,31 @@ var F = [
 		return e.on("aborted", () => r.destroy(/* @__PURE__ */ Error("Request aborted"))), e.on("error", (e) => r.destroy(e)), e.pipe(r), r;
 	}
 	toURL(e, t) {
-		let r = e.socket instanceof n ? t ? "wss" : "https" : t ? "ws" : "http", i = this.resolveAuthority(e);
-		return new URL(e.url ?? "/", `${r}://${i}`);
+		let n = this.resolveProtocol(e, t), r = this.resolveAuthority(e);
+		return new URL(e.url ?? "/", `${n}://${r}`);
+	}
+	resolveProtocol(e, t) {
+		let n = this.getTrustedForwardedHeader(e, "x-forwarded-proto")?.split(",")[0]?.trim().toLowerCase();
+		return n === "http" || n === "https" ? t ? n === "https" ? "wss" : "ws" : n : e.socket instanceof r ? t ? "wss" : "https" : t ? "ws" : "http";
 	}
 	resolveAuthority(e) {
-		let t = this.config.security?.trustHostHeader ? this.normalizeTrustedHost(e.headers.host) : null;
-		if (t) return t;
-		let n = this.server.address();
-		return n && typeof n == "object" ? `${n.address.includes(":") ? `[${n.address}]` : n.address}:${n.port}` : e.socket.localPort ? `127.0.0.1:${e.socket.localPort}` : "localhost";
+		let t = this.getTrustedForwardedHeader(e, "x-forwarded-host") ?? e.headers.host, n = this.config.security?.trustHostHeader ? this.normalizeTrustedHost(t) : null;
+		if (n) return n;
+		let r = this.server.address();
+		return r && typeof r == "object" ? `${r.address.includes(":") ? `[${r.address}]` : r.address}:${r.port}` : e.socket.localPort ? `127.0.0.1:${e.socket.localPort}` : "localhost";
+	}
+	getClientAddress(e) {
+		let t = e.socket.remoteAddress ?? "127.0.0.1";
+		if (!this.isTrustedProxy(t)) return this.normalizeAddress(t);
+		let n = e.headers["x-forwarded-for"];
+		if (!n) return this.normalizeAddress(t);
+		let r = this.parseForwardedHeader(n);
+		r.push(t);
+		for (let e = r.length - 1; e >= 0; --e) {
+			let t = r[e];
+			if (!this.isTrustedProxy(t)) return this.normalizeAddress(t);
+		}
+		return this.normalizeAddress(r[0] ?? t);
 	}
 	normalizeTrustedHost(e) {
 		if (!e) return null;
@@ -684,6 +785,30 @@ var F = [
 	matchesValue(e, t) {
 		return (Array.isArray(t) ? t : [t]).some((t) => typeof t == "string" ? t === e : t instanceof RegExp ? t.test(e) : t(e));
 	}
+	configureServerTimeouts(e) {
+		let t = this.config.security, n = this.isDevelopment();
+		e.headersTimeout = t?.headersTimeoutMs ?? 3e4, e.requestTimeout = t?.requestTimeoutMs ?? (n ? 0 : 6e4), e.keepAliveTimeout = t?.keepAliveTimeoutMs ?? 5e3;
+	}
+	isDevelopment() {
+		return process.env.NODE_ENV !== "production";
+	}
+	getTrustedForwardedHeader(e, t) {
+		if (!this.isTrustedProxy(e.socket.remoteAddress ?? "")) return;
+		let n = e.headers[t];
+		return Array.isArray(n) ? n[0] : n;
+	}
+	isTrustedProxy(e) {
+		let t = this.config.security?.trustedProxies;
+		if (!t) return !1;
+		let n = this.normalizeAddress(e);
+		return n !== e && this.matchesValue(n, t) ? !0 : this.matchesValue(e, t);
+	}
+	normalizeAddress(e) {
+		return e.startsWith("::ffff:") ? e.slice(7) : e;
+	}
+	parseForwardedHeader(e) {
+		return (Array.isArray(e) ? e.join(",") : e).split(",").map((e) => this.normalizeAddress(e.trim())).filter(Boolean);
+	}
 	toHeaders(e) {
 		let t = new Headers();
 		for (let [n, r] of Object.entries(e)) if (r !== void 0) {
@@ -705,15 +830,15 @@ var F = [
 		return Number.isFinite(r) && r <= t;
 	}
 	handleError(e) {
-		if (e instanceof B) return new Response(e.message, { status: e.status });
-		if (S(e)) return new Response(JSON.stringify({
+		if (e instanceof G) return new Response(e.message, { status: e.status });
+		if (C(e)) return new Response(JSON.stringify({
 			error: e.statusText || "Error",
 			status: e.status
 		}), {
 			status: e.status,
 			headers: { "Content-Type": "application/json" }
 		});
-		if (C(e)) {
+		if (w(e)) {
 			let t = e.headers.get("Location") || "/";
 			return new Response(null, {
 				status: e.status,
@@ -729,10 +854,10 @@ var F = [
 			e.end();
 			return;
 		}
-		let n = t.body.getReader(), r = a.toWeb(e).getWriter(), i = !1, o = async () => {
+		let n = t.body.getReader(), r = o.toWeb(e).getWriter(), i = !1, a = async () => {
 			i || (i = !0, await n.cancel().catch(() => {}));
 		}, s = () => {
-			o();
+			a();
 		};
 		e.once("close", s);
 		try {
@@ -743,7 +868,7 @@ var F = [
 			}
 			i = !0;
 		} catch (e) {
-			if (await o(), !this.isPrematureCloseError(e)) throw e;
+			if (await a(), !this.isPrematureCloseError(e)) throw e;
 		} finally {
 			e.off("close", s), await r.close().catch(() => {});
 		}
@@ -803,7 +928,10 @@ var F = [
 		r && t.set(n, r);
 	}
 	toRequestEvent(e, t, n) {
-		let r = new z(e, n.pushSetCookie), i = this.config, a = {}, o = { name: "WebHTTPServer" }, s = /* @__PURE__ */ new Set(), c = {
+		let r = new re(e, n.pushSetCookie), i = this.config, a = {}, o = {
+			name: "node-webserver",
+			dev: this.isDevelopment()
+		}, s = /* @__PURE__ */ new Set(), c = {
 			request: e,
 			url: t,
 			cookies: r,
@@ -828,7 +956,7 @@ var F = [
 		}, l = this.createEventFetch(c, n);
 		return i.locals && Object.assign(a, i.locals(c)), i.platform && Object.assign(o, i.platform(c)), c;
 	}
-}, H = {
+}, q = {
 	".avif": "image/avif",
 	".css": "text/css; charset=utf-8",
 	".gif": "image/gif",
@@ -846,24 +974,24 @@ var F = [
 	".wasm": "application/wasm",
 	".webp": "image/webp",
 	".xml": "application/xml; charset=utf-8"
-}, U = {
+}, J = {
 	index: "index.html",
 	cacheControl: "public, max-age=0",
 	dotFiles: "ignore"
 };
-async function W(e, t, n = {}) {
-	let r = Z(t), i = {
-		...U,
+async function Y(e, t, n = {}) {
+	let r = $(t), i = {
+		...J,
 		...n
-	}, a = await G(e), o = K(r, i.dotFiles);
+	}, a = await X(e), o = ie(r, i.dotFiles);
 	if (o instanceof Response) return o;
-	let s = _(a, o.length > 0 ? o.join(v) : "");
-	if (!Y(a, s)) return new Response("Forbidden", { status: 403 });
-	let c = await q(s, a, i.index);
+	let s = v(a, o.length > 0 ? o.join(y) : "");
+	if (!Q(a, s)) return new Response("Forbidden", { status: 403 });
+	let c = await ae(s, a, i.index);
 	if (c instanceof Response) return c;
-	let l = await p(c), d = new Headers({
+	let l = await m(c), u = new Headers({
 		"content-length": String(l.size),
-		"content-type": X(c),
+		"content-type": oe(c),
 		"cache-control": i.cacheControl,
 		"last-modified": l.mtime.toUTCString(),
 		"x-content-type-options": "nosniff"
@@ -871,18 +999,18 @@ async function W(e, t, n = {}) {
 	if (n.headers) {
 		let e = typeof n.headers == "function" ? n.headers(c, l) : n.headers;
 		new Headers(e).forEach((e, t) => {
-			d.set(t, e);
+			u.set(t, e);
 		});
 	}
-	return new Response(y.toWeb(u(c)), {
+	return new Response(b.toWeb(d(c)), {
 		status: 200,
-		headers: d
+		headers: u
 	});
 }
-async function G(e) {
-	return f(e);
+async function X(e) {
+	return p(e);
 }
-function K(e, t) {
+function ie(e, t) {
 	if (e.includes("\0")) return new Response("Bad Request", { status: 400 });
 	let n = e.replace(/\\/g, "/").split("/").filter(Boolean), r = [];
 	for (let e of n) {
@@ -903,43 +1031,43 @@ function K(e, t) {
 	}
 	return r;
 }
-async function q(e, t, n) {
+async function ae(e, t, n) {
 	try {
-		return (await d(e)).isDirectory() ? J(_(e, n), t) : J(e, t);
+		return (await f(e)).isDirectory() ? Z(v(e, n), t) : Z(e, t);
 	} catch {
 		return new Response("Not Found", { status: 404 });
 	}
 }
-async function J(e, t) {
+async function Z(e, t) {
 	try {
-		let n = await f(e);
-		return Y(t, n) ? (await p(n)).isFile() ? n : new Response("Not Found", { status: 404 }) : new Response("Forbidden", { status: 403 });
+		let n = await p(e);
+		return Q(t, n) ? (await m(n)).isFile() ? n : new Response("Not Found", { status: 404 }) : new Response("Forbidden", { status: 403 });
 	} catch {
 		return new Response("Not Found", { status: 404 });
 	}
 }
-function Y(e, t) {
-	let n = g(e, t);
-	return n === "" || !n.startsWith("..") && !h(n);
+function Q(e, t) {
+	let n = _(e, t);
+	return n === "" || !n.startsWith("..") && !g(n);
 }
-function X(e) {
-	return H[m(e).toLowerCase()] ?? "application/octet-stream";
+function oe(e) {
+	return q[h(e).toLowerCase()] ?? "application/octet-stream";
 }
-function Z(e) {
+function $(e) {
 	return typeof e.params.path == "string" ? e.params.path : e.url.pathname.replace(/^\/+/, "");
 }
-var Q = (e, t = {}) => (n) => W(e, n, t), $ = (e, ...t) => async (n) => {
+var se = (e, t = {}) => (n) => Y(e, n, t), ce = (e, ...t) => async (n) => {
 	let r = {};
 	for (let e of t) {
 		let t = await e(n);
-		if (w(t)) return t;
+		if (T(t)) return t;
 		t && typeof t == "object" && Object.assign(r, t);
 	}
 	return e(Object.assign(n, { context: r }));
 };
 //#endregion
 //#region src/helpers/sse.ts
-function ee(e, t = {}) {
+function le(e, t = {}) {
 	let n = [];
 	if (t.comment) for (let e of t.comment.split(/\r?\n/)) n.push(`: ${e}`);
 	if (t.event && n.push(`event: ${t.event}`), t.id && n.push(`id: ${t.id}`), t.retry !== void 0 && n.push(`retry: ${t.retry}`), e !== void 0) {
@@ -948,7 +1076,7 @@ function ee(e, t = {}) {
 	}
 	return `${n.join("\n")}\n\n`;
 }
-var te = (e, t = {}) => (n) => {
+var ue = (e, t = {}) => (n) => {
 	let r = new TextEncoder(), i = null, a = !1, o, s = async () => {
 		if (!a) {
 			a = !0;
@@ -964,7 +1092,7 @@ var te = (e, t = {}) => (n) => {
 		async start(t) {
 			i = t;
 			let c = (e, n = {}) => {
-				a || t.enqueue(r.encode(ee(e, n)));
+				a || t.enqueue(r.encode(le(e, n)));
 			};
 			n.request.signal.addEventListener("abort", () => {
 				s();
@@ -992,7 +1120,7 @@ var te = (e, t = {}) => (n) => {
 			...t.headers
 		}
 	});
-}, ne = async (e, t) => {
+}, de = async (e, t) => {
 	let n = JSON.stringify(await e);
 	return new Response(n, {
 		...t,
@@ -1003,19 +1131,19 @@ var te = (e, t = {}) => (n) => {
 		}
 	});
 };
-function re(e, t) {
+function fe(e, t) {
 	throw new Response(null, {
 		status: e,
 		headers: { location: t.toString() }
 	});
 }
-function ie(e, t) {
+function pe(e, t) {
 	throw new Response(JSON.stringify(typeof t == "string" ? { message: t } : t), {
 		status: e,
 		headers: { "content-type": "application/json" }
 	});
 }
-var ae = async (e, t) => {
+var me = async (e, t) => {
 	let n = await e;
 	return new Response(n, {
 		...t,
@@ -1025,7 +1153,7 @@ var ae = async (e, t) => {
 			...t?.headers
 		}
 	});
-}, oe = async (e, t) => {
+}, he = async (e, t) => {
 	let n = await e;
 	return new Response(n, {
 		...t,
@@ -1037,6 +1165,6 @@ var ae = async (e, t) => {
 	});
 };
 //#endregion
-export { R as Action, O as CORS, E as RateLimiter, F as RequestMethods, L as Router, V as WebServer, Q as dir, $ as enhance, ie as error, oe as html, S as isHttpError, C as isRedirect, w as isResponse, ne as json, re as redirect, W as serveStatic, te as sse, ae as text };
+export { W as Action, ee as CORS, D as RateLimiter, L as RequestId, V as RequestMethods, U as Router, N as Security, z as Timeout, K as WebServer, se as dir, ce as enhance, pe as error, he as html, C as isHttpError, w as isRedirect, T as isResponse, de as json, fe as redirect, Y as serveStatic, ue as sse, me as text };
 //# sourceMappingURL=index.es.js.map