koa-helmet 3.3.0 → 4.2.1

package/.eslintrc.js

@@ -0,0 +1,39 @@
+module.exports = {
+  "env": {
+    "es6": true,
+    "node": true
+  },
+  "extends": [
+    "eslint:recommended",
+    "plugin:node/recommended"
+  ],
+  "parserOptions": {
+    "ecmaVersion": 2017,
+    "sourceType": "module"
+  },
+  "plugins": [
+    "node"
+  ],
+  "rules": {
+    "indent": [
+      "error",
+      2
+    ],
+    "linebreak-style": [
+      "error",
+      "unix"
+    ],
+    "quotes": [
+      "error",
+      "single"
+    ],
+    "semi": [
+      "error",
+      "always"
+    ],
+    "space-before-function-paren": [
+      "error",
+      "always"
+    ]
+  }
+};

package/.travis.yml

@@ -1,7 +1,7 @@
 language: node_js
 node_js:
-  - "9"
+  - "12"
+  - "10"
   - "8"
-  - "7"
   - "6"
 after_success: yarn run coverage

package/README.md

@@ -5,7 +5,7 @@ koa-helmet
 [![Build Status](https://img.shields.io/travis/venables/koa-helmet/master.svg)](https://travis-ci.org/venables/koa-helmet)
 [![Coverage Status](https://img.shields.io/coveralls/venables/koa-helmet.svg)](https://coveralls.io/github/venables/koa-helmet)
 [![Dependency Status](https://img.shields.io/david/venables/koa-helmet.svg)](https://david-dm.org/venables/koa-helmet)
-[![Standard - JavaScript Style Guide](https://img.shields.io/badge/code%20style-standard-brightgreen.svg)](http://standardjs.com/)
+[![js-semistandard-style](https://img.shields.io/badge/code%20style-semistandard-brightgreen.svg?style=flat-square)](https://github.com/Flet/semistandard)
 [![Downloads](https://img.shields.io/npm/dm/koa-helmet.svg)](https://www.npmjs.com/package/koa-helmet)
 
 koa-helmet is a wrapper for [helmet](https://github.com/helmetjs/helmet) to work with [koa](https://github.com/koajs/koa). It provides important security headers to make your app more secure by default.
@@ -28,12 +28,15 @@ Usage
 
 Usage is the same as [helmet](https://github.com/helmetjs/helmet)
 
-Helmet offers 11 security middleware functions:
+Helmet offers 14 security middleware functions:
 
 | Module | Default? |
 |---|---|
 | [contentSecurityPolicy](https://helmetjs.github.io/docs/csp/) for setting Content Security Policy |  |
+| [permittedCrossDomainPolicies](https://helmetjs.github.io/docs/crossdomain/) for handling Adobe products' crossdomain requests |  |
 | [dnsPrefetchControl](https://helmetjs.github.io/docs/dns-prefetch-control) controls browser DNS prefetching | ✓ |
+| [expectCt](https://helmetjs.github.io/docs/expect-ct/) for handling Certificate Transparency |  |
+| [featurePolicy](https://helmetjs.github.io/docs/feature-policy/) to limit your site's features |  |
 | [frameguard](https://helmetjs.github.io/docs/frameguard/) to prevent clickjacking | ✓ |
 | [hidePoweredBy](https://helmetjs.github.io/docs/hide-powered-by) to remove the X-Powered-By header | ✓ |
 | [hpkp](https://helmetjs.github.io/docs/hpkp/) for HTTP Public Key Pinning |  |
@@ -57,17 +60,19 @@ Example
 -------
 
 ```js
-const Koa = require('koa')
-const helmet = require('koa-helmet')
-const app = new Koa()
+"use strict";
 
-app.use(helmet())
+const Koa = require("koa");
+const helmet = require("koa-helmet");
+const app = new Koa();
+
+app.use(helmet());
 
 app.use((ctx) => {
-  ctx.body = 'Hello World'
-})
+  ctx.body = "Hello World"
+});
 
-app.listen(4000)
+app.listen(4000);
 ```
 
 

package/lib/koa-helmet.js

@@ -1,29 +1,29 @@
-'use strict'
+'use strict';
 
-const helmet = require('helmet')
-const promisify = require('./promisify')
+const helmet = require('helmet');
+const promisify = require('./promisify');
 
 const koaHelmet = function () {
-  const helmetPromise = promisify(helmet.apply(null, arguments))
+  const helmetPromise = promisify(helmet.apply(null, arguments));
 
   const middleware = (ctx, next) => {
-    ctx.req.secure = ctx.request.secure
-    return helmetPromise(ctx.req, ctx.res).then(next)
-  }
-  middleware._name = 'helmet'
-  return middleware
-}
+    ctx.req.secure = ctx.request.secure;
+    return helmetPromise(ctx.req, ctx.res).then(next);
+  };
+  middleware._name = 'helmet';
+  return middleware;
+};
 
 Object.keys(helmet).forEach(function (helmetMethod) {
   koaHelmet[helmetMethod] = function () {
-    const method = helmet[helmetMethod]
-    const methodPromise = promisify(method.apply(null, arguments))
+    const method = helmet[helmetMethod];
+    const methodPromise = promisify(method.apply(null, arguments));
 
     return (ctx, next) => {
-      ctx.req.secure = ctx.request.secure
-      return methodPromise(ctx.req, ctx.res).then(next)
-    }
-  }
-})
+      ctx.req.secure = ctx.request.secure;
+      return methodPromise(ctx.req, ctx.res).then(next);
+    };
+  };
+});
 
-module.exports = koaHelmet
+module.exports = koaHelmet;

package/lib/promisify.js

@@ -1,4 +1,4 @@
-'use strict'
+'use strict';
 
 /**
  * Takes an express-style middleware and returns a promise-based version (returning a Promise,
@@ -7,18 +7,18 @@
  * @param {Function} middleware - The middleware to promisify
  * @returns {Function} - The middleware function updated to return a Promise, not call a callback
  */
-const promisify = function koaHelmetPromisify (middleware) {
+function koaHelmetPromisify (middleware) {
   return function (req, res) {
     return new Promise(function (resolve, reject) {
       middleware(req, res, function (err) {
         if (err) {
-          return reject(err)
+          return reject(err);
         }
 
-        return resolve()
-      })
-    })
-  }
+        return resolve();
+      });
+    });
+  };
 }
 
-module.exports = promisify
+module.exports = koaHelmetPromisify;

package/package.json

@@ -3,10 +3,12 @@
   "author": "Matt Venables <mattvenables@gmail.com>",
   "description": "Security header middleware collection for koa",
   "license": "MIT",
-  "version": "3.3.0",
+  "version": "4.2.1",
   "main": "lib/koa-helmet.js",
   "scripts": {
-    "test": "standard && NODE_ENV=test nyc --reporter=lcov --reporter=text mocha 'test/**/*.spec.js' --exit",
+    "format": "eslint lib test --fix",
+    "lint": "eslint lib test",
+    "test": "eslint lib test && nyc ava",
     "coverage": "nyc report --reporter=text-lcov | coveralls"
   },
   "keywords": [
@@ -21,17 +23,24 @@
     "url": "git://github.com/venables/koa-helmet.git"
   },
   "engines": {
-    "node": ">= 4.0.0"
+    "node": ">= 6.0.0"
   },
   "dependencies": {
-    "helmet": "^3.9.0"
+    "helmet": "^3.15.1"
   },
   "devDependencies": {
-    "coveralls": "^3.0.0",
-    "koa": "^2.4.1",
-    "mocha": "^4.0.1",
-    "nyc": "^11.3.0",
-    "standard": "^10.0.3",
-    "supertest": "^3.0.0"
+    "ava": "^1.3.1",
+    "coveralls": "^3.0.3",
+    "eslint": "^5.15.1",
+    "eslint-plugin-node": "^8.0.1",
+    "koa": "^2.7.0",
+    "nyc": "^13.3.0",
+    "supertest": "^4.0.0"
+  },
+  "nyc": {
+    "reporter": [
+      "lcov",
+      "text"
+    ]
   }
 }

package/test/.eslintrc.js

@@ -0,0 +1,5 @@
+module.exports = {
+  "rules": {
+    "node/no-unpublished-require": "off"
+  }
+};

package/test/koa-helmet.spec.js

@@ -1,84 +1,118 @@
-'use strict'
-
-/* eslint-env mocha */
-
-const helmet = require('../')
-const Koa = require('koa')
-const request = require('supertest')
-
-describe('integration', function () {
-  let app
-
-  beforeEach(function () {
-    app = new Koa()
-  })
-
-  describe('default options', function () {
-    it('works with the default helmet call', function () {
-      app.use(helmet())
-      app.use((ctx, next) => {
-        ctx.body = 'Hello world!'
-      })
-
-      return request(app.listen())
-        .get('/')
-        // dnsPrefetchControl
-        .expect('X-DNS-Prefetch-Control', 'off')
-        // frameguard
-        .expect('X-Frame-Options', 'SAMEORIGIN')
-        // hsts: Not enabled in HTTP
-        // .expect('Strict-Transport-Security', 'max-age=5184000; includeSubDomains')
-        // ieNoOpen
-        .expect('X-Download-Options', 'noopen')
-        // noSniff
-        .expect('X-Content-Type-Options', 'nosniff')
-        // xssFilter
-        .expect('X-XSS-Protection', '1; mode=block')
-        .expect(200)
+'use strict';
+
+const helmet = require('../');
+const Koa = require('koa');
+const request = require('supertest');
+const test = require('ava');
+
+test('it works with the default helmet call', t => {
+  const app = new Koa();
+  app.use(helmet());
+  app.use((ctx) => {
+    ctx.body = 'Hello world!';
+  });
+
+  return (
+    request(app.listen())
+      .get('/')
+
+      // dnsPrefetchControl
+      .expect('X-DNS-Prefetch-Control', 'off')
+
+      // frameguard
+      .expect('X-Frame-Options', 'SAMEORIGIN')
+
+      // hsts: Not enabled in HTTP
+      .expect('Strict-Transport-Security', 'max-age=15552000; includeSubDomains')
+
+      // ieNoOpen
+      .expect('X-Download-Options', 'noopen')
+
+      // noSniff
+      .expect('X-Content-Type-Options', 'nosniff')
+
+      // xssFilter
+      .expect('X-XSS-Protection', '1; mode=block')
+      .expect(200)
+      .then(() => t.pass())
+      .catch(err => t.fail(err))
+  );
+});
+
+test('it sets individual headers properly', t => {
+  const app = new Koa();
+  app.use(
+    helmet.hsts({
+      force: true
     })
-  })
-
-  describe('individual calls', function () {
-    it('sets the headers properly', function () {
-      app.use(helmet.hsts({
-        force: true
-      }))
-      app.use(helmet.noCache())
-      app.use(helmet.xssFilter())
-      app.use(helmet.frameguard('deny'))
-      app.use(helmet.noSniff())
-      app.use(helmet.hpkp({
-        maxAge: 1000,
-        sha256s: ['AbCdEf123=', 'ZyXwVu456='],
-        includeSubdomains: true,
-        reportUri: 'http://example.com'
-      }))
-
-      app.use((ctx) => {
-        ctx.body = 'Hello world!'
-      })
-
-      return request(app.listen())
-        .get('/')
-        // noCache
-        .expect('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate')
-        .expect('Pragma', 'no-cache')
-        .expect('Expires', '0')
-
-        // hsts
-        .expect('Strict-Transport-Security', 'max-age=15552000; includeSubDomains')
-
-        // xssFilter
-        .expect('X-XSS-Protection', '1; mode=block')
-
-        // frameguard
-        .expect('X-Frame-Options', 'SAMEORIGIN')
-
-        // noSniff
-        .expect('X-Content-Type-Options', 'nosniff')
-
-        // hpkp
-        .expect('Public-Key-Pins', 'pin-sha256="AbCdEf123="; pin-sha256="ZyXwVu456="; max-age=1000; includeSubDomains; report-uri="http://example.com"')
+  );
+  app.use(helmet.noCache());
+  app.use(helmet.xssFilter());
+  app.use(helmet.frameguard('deny'));
+  app.use(helmet.noSniff());
+  app.use(helmet.permittedCrossDomainPolicies());
+  app.use(helmet.expectCt());
+  app.use(helmet.featurePolicy({
+    features: {
+      fullscreen: ['\'self\''],
+      notifications: ['\'none\''],
+      vibrate: ['\'none\'']
+    }
+  }));
+  app.use(
+    helmet.hpkp({
+      maxAge: 1000,
+      sha256s: ['AbCdEf123=', 'ZyXwVu456='],
+      includeSubdomains: true,
+      reportUri: 'http://example.com'
     })
-  })
-})
+  );
+
+  app.use(ctx => {
+    ctx.body = 'Hello world!';
+  });
+
+  return (
+    request(app.listen())
+      .get('/')
+      // noCache
+      .expect(
+        'Cache-Control',
+        'no-store, no-cache, must-revalidate, proxy-revalidate'
+      )
+      .expect('Pragma', 'no-cache')
+      .expect('Expires', '0')
+
+      // hsts
+      .expect(
+        'Strict-Transport-Security',
+        'max-age=15552000; includeSubDomains'
+      )
+
+      // xssFilter
+      .expect('X-XSS-Protection', '1; mode=block')
+
+      // frameguard
+      .expect('X-Frame-Options', 'SAMEORIGIN')
+
+      // noSniff
+      .expect('X-Content-Type-Options', 'nosniff')
+
+      // permittedCrossDomainPolicies
+      .expect('X-Permitted-Cross-Domain-Policies', 'none')
+
+      // expectCt
+      .expect('Expect-CT', 'max-age=0')
+
+      // featurePolicy
+      .expect('Feature-Policy', 'fullscreen \'self\';notifications \'none\';vibrate \'none\'')
+
+      // hpkp
+      .expect(
+        'Public-Key-Pins',
+        'pin-sha256="AbCdEf123="; pin-sha256="ZyXwVu456="; max-age=1000; includeSubDomains; report-uri="http://example.com"'
+      )
+      .then(() => t.pass())
+      .catch(err => t.fail(err))
+  );
+});

package/test/promisify.spec.js

@@ -1,33 +1,38 @@
-'use strict'
+'use strict';
 
-/* eslint-env mocha */
-
-const promisify = require('../lib/promisify')
+const promisify = require('../lib/promisify');
+const test = require('ava');
 
 function passingMiddleware (req, res, next) {
-  return next()
+  return next();
 }
 
 function failingMiddleware (req, res, next) {
-  return next(new Error('Expected Failure'))
+  return next(new Error('Expected Failure'));
 }
 
-describe('promisify', function () {
-  it('returns a promisified version of the middleware which resolves the Promise on success', function () {
-    let middleware = promisify(passingMiddleware)
-
-    return middleware().catch((err) => {
-      throw err
-    })
-  })
-
-  it('returns a promisified version of the middleware which rejects the Promise on failure', function () {
-    let middleware = promisify(failingMiddleware)
-
-    return middleware().then(() => {
-      throw new Error('Unexpected Success!')
-    }, () => {
-      // Expect failure, do not fail test
-    })
-  })
-})
+test('returns a promisified version of the middleware which resolves the Promise on success', t => {
+  let middleware = promisify(passingMiddleware);
+
+  return middleware().then(
+    () => {
+      t.pass();
+    },
+    err => {
+      t.fail(err);
+    }
+  );
+});
+
+test('returns a promisified version of the middleware which rejects the Promise on failure', t => {
+  let middleware = promisify(failingMiddleware);
+
+  return middleware().then(
+    () => {
+      t.fail('Unexpected Success!');
+    },
+    () => {
+      t.pass();
+    }
+  );
+});