auto-smart-security 1.0.7 → 1.0.9

package/README.md

@@ -41,6 +41,7 @@ applySecurity(app, {
   mode: 'prod',
   pathWhitelist: ['admin/', 'media', 'oauth2'],
   rateLimit: { max: 120, windowMs: 60_000 },
+  trustProxy: 1
   bot: { enabled: true },
   blacklistTTL: 10 * 60 * 1000,
 
@@ -83,6 +84,9 @@ interface SecurityOptions {
     max: number;
   };
 
+  /** express trust proxy setting */
+  trustProxy?: number;
+
   /** Bot detection */
   bot?: {
     enabled: boolean;
@@ -142,6 +146,7 @@ const redis = new Redis({
 applySecurity(app, {
   mode: process.env.NODE_ENV === 'development' ? 'dev' : 'prod',
   rateLimit: { max: 120, windowMs: 60_000 },
+  trustProxy: 1,
   bot: { enabled: true },
   blacklistTTL: 10 * 60 * 1000,
   pathWhitelist: ['api', '/media'],

package/dist/apply-security.js

@@ -15,13 +15,15 @@ function applySecurity(app, options) {
         return;
     if (options.rateLimit) {
         if (options.trustProxy === undefined) {
-            console.warn('[auto-smart-security] rateLimit enabled without trustProxy, defaulting to trust proxy = true');
-            app.set('trust proxy', true);
-        }
-        else {
-            app.set('trust proxy', options.trustProxy);
+            throw new Error('[auto-smart-security] rateLimit requires trustProxy to be a number (e.g. 1). Do NOT use true.');
         }
+        app.set('trust proxy', options.trustProxy);
     }
+    /** ================= HELMET ================= */
+    app.use((0, helmet_1.default)({
+        crossOriginResourcePolicy: false, // 🔥
+        crossOriginOpenerPolicy: false, // disable API
+    }));
     /** ================= BLACKLIST STORE ================= */
     const blacklist = options.blacklist?.store ??
         new memory_store_1.MemoryBlacklistStore(options.staticBlacklist, options.blacklistTTL);
@@ -44,8 +46,12 @@ function applySecurity(app, options) {
     }
     /** ================= MAIN SECURITY ================= */
     app.use(async (req, res, next) => {
+        // pass OPTIONS requests
+        if (req.method === 'OPTIONS')
+            return next();
         const ip = (0, utils_1.getClientIP)(req);
         const url = req.originalUrl;
+        console.log('url =========>', url, ip);
         /** 1️⃣ Blacklist */
         if (await blacklist.isBlocked(ip)) {
             return res.status(403).send('Access denied');
@@ -79,6 +85,4 @@ function applySecurity(app, options) {
         }
         next();
     });
-    /** ================= HELMET ================= */
-    app.use((0, helmet_1.default)());
 }

package/dist/types.d.ts

@@ -19,7 +19,7 @@ export interface SecurityOptions {
     /** dev → skip security */
     mode?: 'prod' | 'dev';
     /** express trust proxy setting */
-    trustProxy?: boolean | number | string;
+    trustProxy?: number;
     /** allow only these paths */
     pathWhitelist: string[];
     /** hard blacklist */

package/dist/utils.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getClientIP = getClientIP;
 function getClientIP(req) {
     return (req.headers?.['x-real-ip'] ||
-        req.headers?.['x-forwarded-for']?.split(',')[0] ||
+        // (req.headers?.['x-forwarded-for'] as string)?.split(',')[0] ||
         req.socket?.remoteAddress ||
         req.ip ||
         'unknown');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auto-smart-security",
-  "version": "1.0.7",
+  "version": "1.0.9",
   "description": "Production-ready security middleware for Express / NestJS",
   "author": "Hai Vinh <haivinhinspirit@gmail.com>",
   "main": "dist/index.js",