nextjs-secure 0.1.1 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +243 -0
- package/dist/csrf.cjs +187 -10
- package/dist/csrf.cjs.map +1 -1
- package/dist/csrf.d.cts +71 -22
- package/dist/csrf.d.ts +71 -22
- package/dist/csrf.js +182 -8
- package/dist/csrf.js.map +1 -1
- package/dist/headers.cjs +277 -7
- package/dist/headers.cjs.map +1 -1
- package/dist/headers.d.cts +162 -25
- package/dist/headers.d.ts +162 -25
- package/dist/headers.js +267 -6
- package/dist/headers.js.map +1 -1
- package/dist/index.cjs +469 -1
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +6 -3
- package/dist/index.d.ts +6 -3
- package/dist/index.js +454 -2
- package/dist/index.js.map +1 -1
- package/dist/{memory-g9zyQPy5.d.cts → memory-Dauy-IH3.d.cts} +1 -1
- package/dist/{memory-g9zyQPy5.d.ts → memory-Dauy-IH3.d.ts} +1 -1
- package/dist/rate-limit.d.cts +2 -2
- package/dist/rate-limit.d.ts +2 -2
- package/package.json +1 -1
package/dist/headers.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/middleware/headers/index.ts"],"names":[],"mappings":";;;AAiCO,SAAS,eAAA,GAAkB;AAChC,EAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAC1D;AAEO,SAAS,SAAA,GAAY;AAC1B,EAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAC1D","file":"headers.cjs","sourcesContent":["/**\n * Security Headers Middleware (Coming Soon)\n *\n * @example\n * ```typescript\n * // next.config.js\n * import { securityHeaders } from 'next-secure/headers'\n *\n * export default {\n * async headers() {\n * return [\n * {\n * source: '/:path*',\n * headers: securityHeaders({\n * contentSecurityPolicy: {\n * directives: {\n * defaultSrc: [\"'self'\"],\n * scriptSrc: [\"'self'\", \"'unsafe-inline'\"],\n * }\n * },\n * strictTransportSecurity: true,\n * xFrameOptions: 'DENY',\n * })\n * }\n * ]\n * }\n * }\n * ```\n *\n * @packageDocumentation\n */\n\n// Placeholder for security headers\nexport function securityHeaders() {\n throw new Error('Security headers coming soon in v0.2.0')\n}\n\nexport function createCsp() {\n throw new Error('Security headers coming soon in v0.2.0')\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/middleware/headers/builder.ts","../src/middleware/headers/middleware.ts"],"names":[],"mappings":";;;AAWO,SAAS,SAAS,MAAA,EAAuC;AAC9D,EAAA,MAAM,aAAuB,EAAC;AAE9B,EAAA,MAAM,YAAA,GAAuC;AAAA,IAC3C,UAAA,EAAY,aAAA;AAAA,IACZ,SAAA,EAAW,YAAA;AAAA,IACX,QAAA,EAAU,WAAA;AAAA,IACV,MAAA,EAAQ,SAAA;AAAA,IACR,OAAA,EAAS,UAAA;AAAA,IACT,UAAA,EAAY,aAAA;AAAA,IACZ,QAAA,EAAU,WAAA;AAAA,IACV,SAAA,EAAW,YAAA;AAAA,IACX,QAAA,EAAU,WAAA;AAAA,IACV,QAAA,EAAU,WAAA;AAAA,IACV,SAAA,EAAW,YAAA;AAAA,IACX,cAAA,EAAgB,iBAAA;AAAA,IAChB,UAAA,EAAY,aAAA;AAAA,IACZ,OAAA,EAAS,UAAA;AAAA,IACT,WAAA,EAAa,cAAA;AAAA,IACb,SAAA,EAAW,YAAA;AAAA,IACX,QAAA,EAAU;AAAA,GACZ;AAEA,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,SAAS,KAAK,MAAA,CAAO,OAAA,CAAQ,YAAY,CAAA,EAAG;AAC3D,IAAA,MAAM,KAAA,GAAQ,OAAO,GAAkC,CAAA;AACvD,IAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,KAAA,EAAO;AAC1C,MAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,QAAA,UAAA,CAAW,IAAA,CAAK,GAAG,SAAS,CAAA,CAAA,EAAI,MAAM,IAAA,CAAK,GAAG,CAAC,CAAA,CAAE,CAAA;AAAA,MACnD,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,QAAA,UAAA,CAAW,IAAA,CAAK,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AAEA,EAAA,IAAI,OAAO,uBAAA,EAAyB;AAClC,IAAA,UAAA,CAAW,KAAK,2BAA2B,CAAA;AAAA,EAC7C;AAEA,EAAA,IAAI,OAAO,oBAAA,EAAsB;AAC/B,IAAA,UAAA,CAAW,KAAK,yBAAyB,CAAA;AAAA,EAC3C;AAEA,EAAA,OAAO,UAAA,CAAW,KAAK,IAAI,CAAA;AAC7B;AAKO,SAAS,UAAU,MAAA,EAAyC;AACjE,EAAA,IAAI,KAAA,GAAQ,CAAA,QAAA,EAAW,MAAA,CAAO,MAAM,CAAA,CAAA;AAEpC,EAAA,IAAI,OAAO,iBAAA,EAAmB;AAC5B,IAAA,KAAA,IAAS,qBAAA;AAAA,EACX;AAEA,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,KAAA,IAAS,WAAA;AAAA,EACX;AAEA,EAAA,OAAO,KAAA;AACT;AAKO,SAAS,uBAAuB,MAAA,EAAmC;AACxE,EAAA,MAAM,aAAuB,EAAC;AAE9B,EAAA,MAAM,UAAA,GAAqC;AAAA,IACzC,aAAA,EAAe,eAAA;AAAA,IACf,kBAAA,EAAoB,sBAAA;AAAA,IACpB,QAAA,EAAU,UAAA;AAAA,IACV,OAAA,EAAS,SAAA;AAAA,IACT,MAAA,EAAQ,QAAA;AAAA,IACR,cAAA,EAAgB,iBAAA;AAAA,IAChB,cAAA,EAAgB,iBAAA;AAAA,IAChB,cAAA,EAAgB,iBAAA;AAAA,IAChB,UAAA,EAAY,YAAA;AAAA,IACZ,WAAA,EAAa,aAAA;AAAA,IACb,SAAA,EAAW,WAAA;AAAA,IACX,YAAA,EAAc,cAAA;AAAA,IACd,UAAA,EAAY,YAAA;AAAA,IACZ,IAAA,EAAM,MAAA;AAAA,IACN,OAAA,EAAS,SAAA;AAAA,IACT,gBAAA,EAAkB,oBAAA;AAAA,IAClB,uBAAA,EAAyB,2BAAA;AAAA,IACzB,cAAA,EAAgB,kBAAA;AAAA,IAChB,OAAA,EAAS,UAAA;AAAA,IACT,GAAA,EAAK,KAAA;AAAA,IACL,QAAA,EAAU,WAAA;AAAA,IACV,iBAAA,EAAmB;AAAA,GACrB;AAEA,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,OAAO,KAAK,MAAA,CAAO,OAAA,CAAQ,UAAU,CAAA,EAAG;AACvD,IAAA,MAAM,OAAA,GAAU,OAAO,GAA8B,CAAA;AACrD,IAAA,IAAI,YAAY,MAAA,EAAW;AACzB,MAAA,IAAI,OAAA,CAAQ,WAAW,CAAA,EAAG;AACxB,QAAA,UAAA,CAAW,IAAA,CAAK,CAAA,EAAG,OAAO,CAAA,GAAA,CAAK,CAAA;AAAA,MACjC,CAAA,MAAO;AACL,QAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,GAAA,CAAI,CAAC,CAAA,KAAO,CAAA,KAAM,MAAA,GAAS,MAAA,GAAS,CAAA,CAAA,EAAI,CAAC,CAAA,CAAA,CAAI,CAAA,CAAE,KAAK,GAAG,CAAA;AACjF,QAAA,UAAA,CAAW,IAAA,CAAK,CAAA,EAAG,OAAO,CAAA,EAAA,EAAK,SAAS,CAAA,CAAA,CAAG,CAAA;AAAA,MAC7C;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,UAAA,CAAW,KAAK,IAAI,CAAA;AAC7B;AAKO,IAAM,aAAA,GAAuC;AAAA,EAClD,qBAAA,EAAuB;AAAA,IACrB,UAAA,EAAY,CAAC,QAAQ,CAAA;AAAA,IACrB,SAAA,EAAW,CAAC,QAAQ,CAAA;AAAA,IACpB,QAAA,EAAU,CAAC,QAAQ,CAAA;AAAA,IACnB,MAAA,EAAQ,CAAC,QAAA,EAAU,OAAO,CAAA;AAAA,IAC1B,OAAA,EAAS,CAAC,QAAQ,CAAA;AAAA,IAClB,SAAA,EAAW,CAAC,QAAQ,CAAA;AAAA,IACpB,cAAA,EAAgB,CAAC,QAAQ,CAAA;AAAA,IACzB,UAAA,EAAY,CAAC,QAAQ,CAAA;AAAA,IACrB,OAAA,EAAS,CAAC,QAAQ,CAAA;AAAA,IAClB,uBAAA,EAAyB;AAAA,GAC3B;AAAA,EACA,uBAAA,EAAyB;AAAA,IACvB,MAAA,EAAQ,OAAA;AAAA;AAAA,IACR,iBAAA,EAAmB,IAAA;AAAA,IACnB,OAAA,EAAS;AAAA,GACX;AAAA,EACA,aAAA,EAAe,MAAA;AAAA,EACf,mBAAA,EAAqB,IAAA;AAAA,EACrB,mBAAA,EAAqB,KAAA;AAAA,EACrB,gBAAA,EAAkB,IAAA;AAAA,EAClB,6BAAA,EAA+B,MAAA;AAAA,EAC/B,cAAA,EAAgB,iCAAA;AAAA,EAChB,uBAAA,EAAyB,aAAA;AAAA,EACzB,yBAAA,EAA2B,cAAA;AAAA,EAC3B,yBAAA,EAA2B,aAAA;AAAA,EAC3B,iBAAA,EAAmB;AAAA,IACjB,QAAQ,EAAC;AAAA,IACT,YAAY,EAAC;AAAA,IACb,aAAa,EAAC;AAAA,IACd,SAAS;AAAC,GACZ;AAAA,EACA,kBAAA,EAAoB;AACtB;AAKO,IAAM,cAAA,GAAwC;AAAA,EACnD,qBAAA,EAAuB;AAAA,IACrB,UAAA,EAAY,CAAC,QAAQ,CAAA;AAAA,IACrB,SAAA,EAAW,CAAC,QAAA,EAAU,iBAAA,EAAmB,eAAe,CAAA;AAAA,IACxD,QAAA,EAAU,CAAC,QAAA,EAAU,iBAAiB,CAAA;AAAA,IACtC,MAAA,EAAQ,CAAC,QAAA,EAAU,OAAA,EAAS,SAAS,QAAQ,CAAA;AAAA,IAC7C,OAAA,EAAS,CAAC,QAAA,EAAU,QAAA,EAAU,OAAO,CAAA;AAAA,IACrC,UAAA,EAAY,CAAC,QAAA,EAAU,QAAA,EAAU,MAAM,CAAA;AAAA,IACvC,QAAA,EAAU,CAAC,QAAQ;AAAA,GACrB;AAAA,EACA,uBAAA,EAAyB;AAAA,IACvB,MAAA,EAAQ,KAAA;AAAA;AAAA,IACR,iBAAA,EAAmB;AAAA,GACrB;AAAA,EACA,aAAA,EAAe,YAAA;AAAA,EACf,mBAAA,EAAqB,IAAA;AAAA,EACrB,cAAA,EAAgB;AAClB;AAKO,IAAM,UAAA,GAAoC;AAAA,EAC/C,qBAAA,EAAuB;AAAA,IACrB,UAAA,EAAY,CAAC,QAAQ,CAAA;AAAA,IACrB,cAAA,EAAgB,CAAC,QAAQ;AAAA,GAC3B;AAAA,EACA,uBAAA,EAAyB;AAAA,IACvB,MAAA,EAAQ,OAAA;AAAA,IACR,iBAAA,EAAmB;AAAA,GACrB;AAAA,EACA,aAAA,EAAe,MAAA;AAAA,EACf,mBAAA,EAAqB,IAAA;AAAA,EACrB,cAAA,EAAgB,aAAA;AAAA,EAChB,yBAAA,EAA2B;AAC7B;AAKO,SAAS,UAAU,IAAA,EAAoD;AAC5E,EAAA,QAAQ,IAAA;AAAM,IACZ,KAAK,QAAA;AACH,MAAA,OAAO,aAAA;AAAA,IACT,KAAK,SAAA;AACH,MAAA,OAAO,cAAA;AAAA,IACT,KAAK,KAAA;AACH,MAAA,OAAO,UAAA;AAAA,IACT;AACE,MAAA,OAAO,aAAA;AAAA;AAEb;AAKO,SAAS,aAAa,MAAA,EAAwC;AACnE,EAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAG5B,EAAA,IAAI,OAAO,qBAAA,EAAuB;AAChC,IAAA,MAAM,GAAA,GAAM,QAAA,CAAS,MAAA,CAAO,qBAAqB,CAAA;AACjD,IAAA,IAAI,GAAA,EAAK,OAAA,CAAQ,GAAA,CAAI,yBAAA,EAA2B,GAAG,CAAA;AAAA,EACrD;AAGA,EAAA,IAAI,OAAO,uBAAA,EAAyB;AAClC,IAAA,OAAA,CAAQ,GAAA,CAAI,2BAAA,EAA6B,SAAA,CAAU,MAAA,CAAO,uBAAuB,CAAC,CAAA;AAAA,EACpF;AAGA,EAAA,IAAI,OAAO,aAAA,EAAe;AACxB,IAAA,OAAA,CAAQ,GAAA,CAAI,iBAAA,EAAmB,MAAA,CAAO,aAAa,CAAA;AAAA,EACrD;AAGA,EAAA,IAAI,OAAO,mBAAA,EAAqB;AAC9B,IAAA,OAAA,CAAQ,GAAA,CAAI,0BAA0B,SAAS,CAAA;AAAA,EACjD;AAGA,EAAA,IAAI,OAAO,mBAAA,EAAqB;AAC9B,IAAA,OAAA,CAAQ,GAAA,CAAI,wBAAA,EAA0B,MAAA,CAAO,mBAAmB,CAAA;AAAA,EAClE;AAGA,EAAA,IAAI,OAAO,gBAAA,EAAkB;AAC3B,IAAA,OAAA,CAAQ,GAAA,CAAI,sBAAsB,QAAQ,CAAA;AAAA,EAC5C;AAGA,EAAA,IAAI,OAAO,6BAAA,EAA+B;AACxC,IAAA,OAAA,CAAQ,GAAA,CAAI,mCAAA,EAAqC,MAAA,CAAO,6BAA6B,CAAA;AAAA,EACvF;AAGA,EAAA,IAAI,OAAO,cAAA,EAAgB;AACzB,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,MAAA,CAAO,cAAc,CAAA,GAC7C,MAAA,CAAO,cAAA,CAAe,IAAA,CAAK,IAAI,CAAA,GAC/B,MAAA,CAAO,cAAA;AACX,IAAA,OAAA,CAAQ,GAAA,CAAI,mBAAmB,KAAK,CAAA;AAAA,EACtC;AAGA,EAAA,IAAI,OAAO,uBAAA,EAAyB;AAClC,IAAA,OAAA,CAAQ,GAAA,CAAI,4BAAA,EAA8B,MAAA,CAAO,uBAAuB,CAAA;AAAA,EAC1E;AAGA,EAAA,IAAI,OAAO,yBAAA,EAA2B;AACpC,IAAA,OAAA,CAAQ,GAAA,CAAI,8BAAA,EAAgC,MAAA,CAAO,yBAAyB,CAAA;AAAA,EAC9E;AAGA,EAAA,IAAI,OAAO,yBAAA,EAA2B;AACpC,IAAA,OAAA,CAAQ,GAAA,CAAI,8BAAA,EAAgC,MAAA,CAAO,yBAAyB,CAAA;AAAA,EAC9E;AAGA,EAAA,IAAI,OAAO,iBAAA,EAAmB;AAC5B,IAAA,MAAM,EAAA,GAAK,sBAAA,CAAuB,MAAA,CAAO,iBAAiB,CAAA;AAC1D,IAAA,IAAI,EAAA,EAAI,OAAA,CAAQ,GAAA,CAAI,oBAAA,EAAsB,EAAE,CAAA;AAAA,EAC9C;AAGA,EAAA,IAAI,OAAO,kBAAA,EAAoB;AAC7B,IAAA,OAAA,CAAQ,GAAA,CAAI,wBAAwB,IAAI,CAAA;AAAA,EAC1C;AAEA,EAAA,OAAO,OAAA;AACT;;;AC/QA,SAAS,YAAA,CACP,MACA,MAAA,EACuB;AACvB,EAAA,OAAO;AAAA,IACL,GAAG,IAAA;AAAA,IACH,GAAG,MAAA;AAAA;AAAA,IAEH,uBACE,MAAA,CAAO,qBAAA,KAA0B,QAC7B,KAAA,GACA,MAAA,CAAO,wBACL,IAAA,CAAK,qBAAA,GACH,EAAE,GAAI,IAAA,CAAK,uBAAkC,GAAG,MAAA,CAAO,uBAAsB,GAC7E,MAAA,CAAO,wBACT,IAAA,CAAK,qBAAA;AAAA;AAAA,IAEb,yBACE,MAAA,CAAO,uBAAA,KAA4B,QAC/B,KAAA,GACA,MAAA,CAAO,0BACL,IAAA,CAAK,uBAAA,GACH,EAAE,GAAI,IAAA,CAAK,yBAAoC,GAAG,MAAA,CAAO,yBAAwB,GACjF,MAAA,CAAO,0BACT,IAAA,CAAK,uBAAA;AAAA;AAAA,IAEb,mBACE,MAAA,CAAO,iBAAA,KAAsB,QACzB,KAAA,GACA,MAAA,CAAO,oBACL,IAAA,CAAK,iBAAA,GACH,EAAE,GAAI,IAAA,CAAK,mBAA8B,GAAG,MAAA,CAAO,mBAAkB,GACrE,MAAA,CAAO,oBACT,IAAA,CAAK;AAAA,GACf;AACF;AAsBO,SAAS,mBAAA,CACd,OAAA,EACA,OAAA,GAAsC,EAAC,EACzB;AACd,EAAA,MAAM,EAAE,MAAA,EAAQ,MAAA,EAAQ,QAAA,GAAW,OAAM,GAAI,OAAA;AAG7C,EAAA,IAAI,UAAA,GAAoC,MAAA,GAAS,SAAA,CAAU,MAAM,CAAA,GAAI,aAAA;AAGrE,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,UAAA,GAAa,YAAA,CAAa,YAAY,MAAM,CAAA;AAAA,EAC9C;AAGA,EAAA,MAAM,eAAA,GAAkB,aAAa,UAAU,CAAA;AAE/C,EAAA,OAAO,OAAO,GAAA,KAAwC;AACpD,IAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,GAAG,CAAA;AAGlC,IAAA,MAAM,UAAA,GAAa,IAAI,OAAA,CAAQ,QAAA,CAAS,OAAO,CAAA;AAG/C,IAAA,eAAA,CAAgB,OAAA,CAAQ,CAAC,KAAA,EAAO,GAAA,KAAQ;AACtC,MAAA,IAAI,QAAA,IAAY,CAAC,UAAA,CAAW,GAAA,CAAI,GAAG,CAAA,EAAG;AACpC,QAAA,UAAA,CAAW,GAAA,CAAI,KAAK,KAAK,CAAA;AAAA,MAC3B;AAAA,IACF,CAAC,CAAA;AAED,IAAA,OAAO,IAAI,QAAA,CAAS,QAAA,CAAS,IAAA,EAAM;AAAA,MACjC,QAAQ,QAAA,CAAS,MAAA;AAAA,MACjB,YAAY,QAAA,CAAS,UAAA;AAAA,MACrB,OAAA,EAAS;AAAA,KACV,CAAA;AAAA,EACH,CAAA;AACF;AAaO,SAAS,qBAAA,CACd,OAAA,GAAsC,EAAC,EAC9B;AACT,EAAA,MAAM,EAAE,MAAA,EAAQ,MAAA,EAAO,GAAI,OAAA;AAE3B,EAAA,IAAI,UAAA,GAAoC,MAAA,GAAS,SAAA,CAAU,MAAM,CAAA,GAAI,aAAA;AAErE,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,UAAA,GAAa,YAAA,CAAa,YAAY,MAAM,CAAA;AAAA,EAC9C;AAEA,EAAA,OAAO,aAAa,UAAU,CAAA;AAChC;AAKO,SAAS,2BAAA,CACd,OAAA,GAAsC,EAAC,EACf;AACxB,EAAA,MAAM,OAAA,GAAU,sBAAsB,OAAO,CAAA;AAC7C,EAAA,MAAM,MAA8B,EAAC;AAErC,EAAA,OAAA,CAAQ,OAAA,CAAQ,CAAC,KAAA,EAAO,GAAA,KAAQ;AAC9B,IAAA,GAAA,CAAI,GAAG,CAAA,GAAI,KAAA;AAAA,EACb,CAAC,CAAA;AAED,EAAA,OAAO,GAAA;AACT","file":"headers.cjs","sourcesContent":["import type {\n ContentSecurityPolicy,\n StrictTransportSecurity,\n PermissionsPolicy,\n SecurityHeadersConfig,\n SecurityHeadersPreset,\n} from './types'\n\n/**\n * Build CSP header string from config\n */\nexport function buildCSP(policy: ContentSecurityPolicy): string {\n const directives: string[] = []\n\n const directiveMap: Record<string, string> = {\n defaultSrc: 'default-src',\n scriptSrc: 'script-src',\n styleSrc: 'style-src',\n imgSrc: 'img-src',\n fontSrc: 'font-src',\n connectSrc: 'connect-src',\n mediaSrc: 'media-src',\n objectSrc: 'object-src',\n frameSrc: 'frame-src',\n childSrc: 'child-src',\n workerSrc: 'worker-src',\n frameAncestors: 'frame-ancestors',\n formAction: 'form-action',\n baseUri: 'base-uri',\n manifestSrc: 'manifest-src',\n reportUri: 'report-uri',\n reportTo: 'report-to',\n }\n\n for (const [key, directive] of Object.entries(directiveMap)) {\n const value = policy[key as keyof ContentSecurityPolicy]\n if (value !== undefined && value !== false) {\n if (Array.isArray(value)) {\n directives.push(`${directive} ${value.join(' ')}`)\n } else if (typeof value === 'string') {\n directives.push(`${directive} ${value}`)\n }\n }\n }\n\n if (policy.upgradeInsecureRequests) {\n directives.push('upgrade-insecure-requests')\n }\n\n if (policy.blockAllMixedContent) {\n directives.push('block-all-mixed-content')\n }\n\n return directives.join('; ')\n}\n\n/**\n * Build HSTS header string\n */\nexport function buildHSTS(config: StrictTransportSecurity): string {\n let value = `max-age=${config.maxAge}`\n\n if (config.includeSubDomains) {\n value += '; includeSubDomains'\n }\n\n if (config.preload) {\n value += '; preload'\n }\n\n return value\n}\n\n/**\n * Build Permissions-Policy header string\n */\nexport function buildPermissionsPolicy(policy: PermissionsPolicy): string {\n const directives: string[] = []\n\n const featureMap: Record<string, string> = {\n accelerometer: 'accelerometer',\n ambientLightSensor: 'ambient-light-sensor',\n autoplay: 'autoplay',\n battery: 'battery',\n camera: 'camera',\n displayCapture: 'display-capture',\n documentDomain: 'document-domain',\n encryptedMedia: 'encrypted-media',\n fullscreen: 'fullscreen',\n geolocation: 'geolocation',\n gyroscope: 'gyroscope',\n magnetometer: 'magnetometer',\n microphone: 'microphone',\n midi: 'midi',\n payment: 'payment',\n pictureInPicture: 'picture-in-picture',\n publicKeyCredentialsGet: 'publickey-credentials-get',\n screenWakeLock: 'screen-wake-lock',\n syncXhr: 'sync-xhr',\n usb: 'usb',\n webShare: 'web-share',\n xrSpatialTracking: 'xr-spatial-tracking',\n }\n\n for (const [key, feature] of Object.entries(featureMap)) {\n const origins = policy[key as keyof PermissionsPolicy]\n if (origins !== undefined) {\n if (origins.length === 0) {\n directives.push(`${feature}=()`)\n } else {\n const formatted = origins.map((o) => (o === 'self' ? 'self' : `\"${o}\"`)).join(' ')\n directives.push(`${feature}=(${formatted})`)\n }\n }\n }\n\n return directives.join(', ')\n}\n\n/**\n * Preset: Strict security headers\n */\nexport const PRESET_STRICT: SecurityHeadersConfig = {\n contentSecurityPolicy: {\n defaultSrc: [\"'self'\"],\n scriptSrc: [\"'self'\"],\n styleSrc: [\"'self'\"],\n imgSrc: [\"'self'\", 'data:'],\n fontSrc: [\"'self'\"],\n objectSrc: [\"'none'\"],\n frameAncestors: [\"'none'\"],\n formAction: [\"'self'\"],\n baseUri: [\"'self'\"],\n upgradeInsecureRequests: true,\n },\n strictTransportSecurity: {\n maxAge: 31536000, // 1 year\n includeSubDomains: true,\n preload: true,\n },\n xFrameOptions: 'DENY',\n xContentTypeOptions: true,\n xDnsPrefetchControl: 'off',\n xDownloadOptions: true,\n xPermittedCrossDomainPolicies: 'none',\n referrerPolicy: 'strict-origin-when-cross-origin',\n crossOriginOpenerPolicy: 'same-origin',\n crossOriginEmbedderPolicy: 'require-corp',\n crossOriginResourcePolicy: 'same-origin',\n permissionsPolicy: {\n camera: [],\n microphone: [],\n geolocation: [],\n payment: [],\n },\n originAgentCluster: true,\n}\n\n/**\n * Preset: Relaxed security headers (for development or less strict needs)\n */\nexport const PRESET_RELAXED: SecurityHeadersConfig = {\n contentSecurityPolicy: {\n defaultSrc: [\"'self'\"],\n scriptSrc: [\"'self'\", \"'unsafe-inline'\", \"'unsafe-eval'\"],\n styleSrc: [\"'self'\", \"'unsafe-inline'\"],\n imgSrc: [\"'self'\", 'data:', 'blob:', 'https:'],\n fontSrc: [\"'self'\", 'https:', 'data:'],\n connectSrc: [\"'self'\", 'https:', 'wss:'],\n frameSrc: [\"'self'\"],\n },\n strictTransportSecurity: {\n maxAge: 86400, // 1 day\n includeSubDomains: false,\n },\n xFrameOptions: 'SAMEORIGIN',\n xContentTypeOptions: true,\n referrerPolicy: 'no-referrer-when-downgrade',\n}\n\n/**\n * Preset: API-focused security headers\n */\nexport const PRESET_API: SecurityHeadersConfig = {\n contentSecurityPolicy: {\n defaultSrc: [\"'none'\"],\n frameAncestors: [\"'none'\"],\n },\n strictTransportSecurity: {\n maxAge: 31536000,\n includeSubDomains: true,\n },\n xFrameOptions: 'DENY',\n xContentTypeOptions: true,\n referrerPolicy: 'no-referrer',\n crossOriginResourcePolicy: 'same-origin',\n}\n\n/**\n * Get preset config by name\n */\nexport function getPreset(name: SecurityHeadersPreset): SecurityHeadersConfig {\n switch (name) {\n case 'strict':\n return PRESET_STRICT\n case 'relaxed':\n return PRESET_RELAXED\n case 'api':\n return PRESET_API\n default:\n return PRESET_STRICT\n }\n}\n\n/**\n * Build all headers from config\n */\nexport function buildHeaders(config: SecurityHeadersConfig): Headers {\n const headers = new Headers()\n\n // CSP\n if (config.contentSecurityPolicy) {\n const csp = buildCSP(config.contentSecurityPolicy)\n if (csp) headers.set('Content-Security-Policy', csp)\n }\n\n // HSTS\n if (config.strictTransportSecurity) {\n headers.set('Strict-Transport-Security', buildHSTS(config.strictTransportSecurity))\n }\n\n // X-Frame-Options\n if (config.xFrameOptions) {\n headers.set('X-Frame-Options', config.xFrameOptions)\n }\n\n // X-Content-Type-Options\n if (config.xContentTypeOptions) {\n headers.set('X-Content-Type-Options', 'nosniff')\n }\n\n // X-DNS-Prefetch-Control\n if (config.xDnsPrefetchControl) {\n headers.set('X-DNS-Prefetch-Control', config.xDnsPrefetchControl)\n }\n\n // X-Download-Options\n if (config.xDownloadOptions) {\n headers.set('X-Download-Options', 'noopen')\n }\n\n // X-Permitted-Cross-Domain-Policies\n if (config.xPermittedCrossDomainPolicies) {\n headers.set('X-Permitted-Cross-Domain-Policies', config.xPermittedCrossDomainPolicies)\n }\n\n // Referrer-Policy\n if (config.referrerPolicy) {\n const value = Array.isArray(config.referrerPolicy)\n ? config.referrerPolicy.join(', ')\n : config.referrerPolicy\n headers.set('Referrer-Policy', value)\n }\n\n // COOP\n if (config.crossOriginOpenerPolicy) {\n headers.set('Cross-Origin-Opener-Policy', config.crossOriginOpenerPolicy)\n }\n\n // COEP\n if (config.crossOriginEmbedderPolicy) {\n headers.set('Cross-Origin-Embedder-Policy', config.crossOriginEmbedderPolicy)\n }\n\n // CORP\n if (config.crossOriginResourcePolicy) {\n headers.set('Cross-Origin-Resource-Policy', config.crossOriginResourcePolicy)\n }\n\n // Permissions-Policy\n if (config.permissionsPolicy) {\n const pp = buildPermissionsPolicy(config.permissionsPolicy)\n if (pp) headers.set('Permissions-Policy', pp)\n }\n\n // Origin-Agent-Cluster\n if (config.originAgentCluster) {\n headers.set('Origin-Agent-Cluster', '?1')\n }\n\n return headers\n}\n","import type { NextRequest } from 'next/server'\nimport type { SecurityHeadersConfig, SecurityHeadersPreset } from './types'\nimport { buildHeaders, getPreset, PRESET_STRICT } from './builder'\n\ntype RouteHandler = (req: NextRequest) => Response | Promise<Response>\n\nexport interface WithSecurityHeadersOptions {\n /** Use a preset configuration */\n preset?: SecurityHeadersPreset\n\n /** Custom header configuration (merged with preset if provided) */\n config?: SecurityHeadersConfig\n\n /** Override response headers instead of merging */\n override?: boolean\n}\n\n/**\n * Merge two configs, with custom taking precedence\n */\nfunction mergeConfigs(\n base: SecurityHeadersConfig,\n custom: SecurityHeadersConfig\n): SecurityHeadersConfig {\n return {\n ...base,\n ...custom,\n // Deep merge CSP if both exist\n contentSecurityPolicy:\n custom.contentSecurityPolicy === false\n ? false\n : custom.contentSecurityPolicy\n ? base.contentSecurityPolicy\n ? { ...(base.contentSecurityPolicy as object), ...custom.contentSecurityPolicy }\n : custom.contentSecurityPolicy\n : base.contentSecurityPolicy,\n // Deep merge HSTS if both exist\n strictTransportSecurity:\n custom.strictTransportSecurity === false\n ? false\n : custom.strictTransportSecurity\n ? base.strictTransportSecurity\n ? { ...(base.strictTransportSecurity as object), ...custom.strictTransportSecurity }\n : custom.strictTransportSecurity\n : base.strictTransportSecurity,\n // Deep merge Permissions-Policy if both exist\n permissionsPolicy:\n custom.permissionsPolicy === false\n ? false\n : custom.permissionsPolicy\n ? base.permissionsPolicy\n ? { ...(base.permissionsPolicy as object), ...custom.permissionsPolicy }\n : custom.permissionsPolicy\n : base.permissionsPolicy,\n }\n}\n\n/**\n * Security headers middleware\n *\n * Adds security headers to responses. Use presets for quick setup\n * or provide custom configuration.\n *\n * @example\n * ```typescript\n * // Use strict preset\n * export const GET = withSecurityHeaders(handler, { preset: 'strict' })\n *\n * // Custom config\n * export const GET = withSecurityHeaders(handler, {\n * config: {\n * xFrameOptions: 'SAMEORIGIN',\n * referrerPolicy: 'no-referrer'\n * }\n * })\n * ```\n */\nexport function withSecurityHeaders(\n handler: RouteHandler,\n options: WithSecurityHeadersOptions = {}\n): RouteHandler {\n const { preset, config, override = false } = options\n\n // Get base config from preset or default to strict\n let baseConfig: SecurityHeadersConfig = preset ? getPreset(preset) : PRESET_STRICT\n\n // Merge with custom config if provided\n if (config) {\n baseConfig = mergeConfigs(baseConfig, config)\n }\n\n // Pre-build headers for performance\n const securityHeaders = buildHeaders(baseConfig)\n\n return async (req: NextRequest): Promise<Response> => {\n const response = await handler(req)\n\n // Clone response to modify headers\n const newHeaders = new Headers(response.headers)\n\n // Add security headers\n securityHeaders.forEach((value, key) => {\n if (override || !newHeaders.has(key)) {\n newHeaders.set(key, value)\n }\n })\n\n return new Response(response.body, {\n status: response.status,\n statusText: response.statusText,\n headers: newHeaders,\n })\n }\n}\n\n/**\n * Create headers object for use in responses\n * Useful when you want to add headers manually\n *\n * @example\n * ```typescript\n * const headers = createSecurityHeaders({ preset: 'api' })\n *\n * return Response.json(data, { headers })\n * ```\n */\nexport function createSecurityHeaders(\n options: WithSecurityHeadersOptions = {}\n): Headers {\n const { preset, config } = options\n\n let baseConfig: SecurityHeadersConfig = preset ? getPreset(preset) : PRESET_STRICT\n\n if (config) {\n baseConfig = mergeConfigs(baseConfig, config)\n }\n\n return buildHeaders(baseConfig)\n}\n\n/**\n * Create a headers object as a plain object (for Next.js headers())\n */\nexport function createSecurityHeadersObject(\n options: WithSecurityHeadersOptions = {}\n): Record<string, string> {\n const headers = createSecurityHeaders(options)\n const obj: Record<string, string> = {}\n\n headers.forEach((value, key) => {\n obj[key] = value\n })\n\n return obj\n}\n"]}
|
package/dist/headers.d.cts
CHANGED
|
@@ -1,35 +1,172 @@
|
|
|
1
|
+
import { NextRequest } from 'next/server';
|
|
2
|
+
|
|
3
|
+
/**
|
|
4
|
+
* Content-Security-Policy directive values
|
|
5
|
+
*/
|
|
6
|
+
type CSPDirectiveValue = string | string[];
|
|
7
|
+
interface ContentSecurityPolicy {
|
|
8
|
+
defaultSrc?: CSPDirectiveValue;
|
|
9
|
+
scriptSrc?: CSPDirectiveValue;
|
|
10
|
+
styleSrc?: CSPDirectiveValue;
|
|
11
|
+
imgSrc?: CSPDirectiveValue;
|
|
12
|
+
fontSrc?: CSPDirectiveValue;
|
|
13
|
+
connectSrc?: CSPDirectiveValue;
|
|
14
|
+
mediaSrc?: CSPDirectiveValue;
|
|
15
|
+
objectSrc?: CSPDirectiveValue;
|
|
16
|
+
frameSrc?: CSPDirectiveValue;
|
|
17
|
+
childSrc?: CSPDirectiveValue;
|
|
18
|
+
workerSrc?: CSPDirectiveValue;
|
|
19
|
+
frameAncestors?: CSPDirectiveValue;
|
|
20
|
+
formAction?: CSPDirectiveValue;
|
|
21
|
+
baseUri?: CSPDirectiveValue;
|
|
22
|
+
manifestSrc?: CSPDirectiveValue;
|
|
23
|
+
upgradeInsecureRequests?: boolean;
|
|
24
|
+
blockAllMixedContent?: boolean;
|
|
25
|
+
reportUri?: string;
|
|
26
|
+
reportTo?: string;
|
|
27
|
+
}
|
|
28
|
+
interface StrictTransportSecurity {
|
|
29
|
+
maxAge: number;
|
|
30
|
+
includeSubDomains?: boolean;
|
|
31
|
+
preload?: boolean;
|
|
32
|
+
}
|
|
33
|
+
type XFrameOptions = 'DENY' | 'SAMEORIGIN';
|
|
34
|
+
type ReferrerPolicy = 'no-referrer' | 'no-referrer-when-downgrade' | 'origin' | 'origin-when-cross-origin' | 'same-origin' | 'strict-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url';
|
|
35
|
+
type CrossOriginOpenerPolicy = 'unsafe-none' | 'same-origin-allow-popups' | 'same-origin';
|
|
36
|
+
type CrossOriginEmbedderPolicy = 'unsafe-none' | 'require-corp' | 'credentialless';
|
|
37
|
+
type CrossOriginResourcePolicy = 'same-site' | 'same-origin' | 'cross-origin';
|
|
38
|
+
interface PermissionsPolicy {
|
|
39
|
+
accelerometer?: string[];
|
|
40
|
+
ambientLightSensor?: string[];
|
|
41
|
+
autoplay?: string[];
|
|
42
|
+
battery?: string[];
|
|
43
|
+
camera?: string[];
|
|
44
|
+
displayCapture?: string[];
|
|
45
|
+
documentDomain?: string[];
|
|
46
|
+
encryptedMedia?: string[];
|
|
47
|
+
fullscreen?: string[];
|
|
48
|
+
geolocation?: string[];
|
|
49
|
+
gyroscope?: string[];
|
|
50
|
+
magnetometer?: string[];
|
|
51
|
+
microphone?: string[];
|
|
52
|
+
midi?: string[];
|
|
53
|
+
payment?: string[];
|
|
54
|
+
pictureInPicture?: string[];
|
|
55
|
+
publicKeyCredentialsGet?: string[];
|
|
56
|
+
screenWakeLock?: string[];
|
|
57
|
+
syncXhr?: string[];
|
|
58
|
+
usb?: string[];
|
|
59
|
+
webShare?: string[];
|
|
60
|
+
xrSpatialTracking?: string[];
|
|
61
|
+
}
|
|
62
|
+
interface SecurityHeadersConfig {
|
|
63
|
+
/** Content-Security-Policy */
|
|
64
|
+
contentSecurityPolicy?: ContentSecurityPolicy | false;
|
|
65
|
+
/** Strict-Transport-Security */
|
|
66
|
+
strictTransportSecurity?: StrictTransportSecurity | false;
|
|
67
|
+
/** X-Frame-Options */
|
|
68
|
+
xFrameOptions?: XFrameOptions | false;
|
|
69
|
+
/** X-Content-Type-Options: nosniff */
|
|
70
|
+
xContentTypeOptions?: boolean;
|
|
71
|
+
/** X-DNS-Prefetch-Control */
|
|
72
|
+
xDnsPrefetchControl?: 'on' | 'off' | false;
|
|
73
|
+
/** X-Download-Options: noopen (IE specific) */
|
|
74
|
+
xDownloadOptions?: boolean;
|
|
75
|
+
/** X-Permitted-Cross-Domain-Policies */
|
|
76
|
+
xPermittedCrossDomainPolicies?: 'none' | 'master-only' | 'by-content-type' | 'all' | false;
|
|
77
|
+
/** Referrer-Policy */
|
|
78
|
+
referrerPolicy?: ReferrerPolicy | ReferrerPolicy[] | false;
|
|
79
|
+
/** Cross-Origin-Opener-Policy */
|
|
80
|
+
crossOriginOpenerPolicy?: CrossOriginOpenerPolicy | false;
|
|
81
|
+
/** Cross-Origin-Embedder-Policy */
|
|
82
|
+
crossOriginEmbedderPolicy?: CrossOriginEmbedderPolicy | false;
|
|
83
|
+
/** Cross-Origin-Resource-Policy */
|
|
84
|
+
crossOriginResourcePolicy?: CrossOriginResourcePolicy | false;
|
|
85
|
+
/** Permissions-Policy */
|
|
86
|
+
permissionsPolicy?: PermissionsPolicy | false;
|
|
87
|
+
/** Origin-Agent-Cluster */
|
|
88
|
+
originAgentCluster?: boolean;
|
|
89
|
+
}
|
|
90
|
+
type SecurityHeadersPreset = 'strict' | 'relaxed' | 'api';
|
|
91
|
+
|
|
92
|
+
type RouteHandler = (req: NextRequest) => Response | Promise<Response>;
|
|
93
|
+
interface WithSecurityHeadersOptions {
|
|
94
|
+
/** Use a preset configuration */
|
|
95
|
+
preset?: SecurityHeadersPreset;
|
|
96
|
+
/** Custom header configuration (merged with preset if provided) */
|
|
97
|
+
config?: SecurityHeadersConfig;
|
|
98
|
+
/** Override response headers instead of merging */
|
|
99
|
+
override?: boolean;
|
|
100
|
+
}
|
|
1
101
|
/**
|
|
2
|
-
* Security
|
|
102
|
+
* Security headers middleware
|
|
103
|
+
*
|
|
104
|
+
* Adds security headers to responses. Use presets for quick setup
|
|
105
|
+
* or provide custom configuration.
|
|
3
106
|
*
|
|
4
107
|
* @example
|
|
5
108
|
* ```typescript
|
|
6
|
-
* //
|
|
7
|
-
*
|
|
109
|
+
* // Use strict preset
|
|
110
|
+
* export const GET = withSecurityHeaders(handler, { preset: 'strict' })
|
|
8
111
|
*
|
|
9
|
-
*
|
|
10
|
-
*
|
|
11
|
-
*
|
|
12
|
-
*
|
|
13
|
-
*
|
|
14
|
-
* headers: securityHeaders({
|
|
15
|
-
* contentSecurityPolicy: {
|
|
16
|
-
* directives: {
|
|
17
|
-
* defaultSrc: ["'self'"],
|
|
18
|
-
* scriptSrc: ["'self'", "'unsafe-inline'"],
|
|
19
|
-
* }
|
|
20
|
-
* },
|
|
21
|
-
* strictTransportSecurity: true,
|
|
22
|
-
* xFrameOptions: 'DENY',
|
|
23
|
-
* })
|
|
24
|
-
* }
|
|
25
|
-
* ]
|
|
112
|
+
* // Custom config
|
|
113
|
+
* export const GET = withSecurityHeaders(handler, {
|
|
114
|
+
* config: {
|
|
115
|
+
* xFrameOptions: 'SAMEORIGIN',
|
|
116
|
+
* referrerPolicy: 'no-referrer'
|
|
26
117
|
* }
|
|
27
|
-
* }
|
|
118
|
+
* })
|
|
28
119
|
* ```
|
|
120
|
+
*/
|
|
121
|
+
declare function withSecurityHeaders(handler: RouteHandler, options?: WithSecurityHeadersOptions): RouteHandler;
|
|
122
|
+
/**
|
|
123
|
+
* Create headers object for use in responses
|
|
124
|
+
* Useful when you want to add headers manually
|
|
29
125
|
*
|
|
30
|
-
* @
|
|
126
|
+
* @example
|
|
127
|
+
* ```typescript
|
|
128
|
+
* const headers = createSecurityHeaders({ preset: 'api' })
|
|
129
|
+
*
|
|
130
|
+
* return Response.json(data, { headers })
|
|
131
|
+
* ```
|
|
132
|
+
*/
|
|
133
|
+
declare function createSecurityHeaders(options?: WithSecurityHeadersOptions): Headers;
|
|
134
|
+
/**
|
|
135
|
+
* Create a headers object as a plain object (for Next.js headers())
|
|
136
|
+
*/
|
|
137
|
+
declare function createSecurityHeadersObject(options?: WithSecurityHeadersOptions): Record<string, string>;
|
|
138
|
+
|
|
139
|
+
/**
|
|
140
|
+
* Build CSP header string from config
|
|
141
|
+
*/
|
|
142
|
+
declare function buildCSP(policy: ContentSecurityPolicy): string;
|
|
143
|
+
/**
|
|
144
|
+
* Build HSTS header string
|
|
145
|
+
*/
|
|
146
|
+
declare function buildHSTS(config: StrictTransportSecurity): string;
|
|
147
|
+
/**
|
|
148
|
+
* Build Permissions-Policy header string
|
|
149
|
+
*/
|
|
150
|
+
declare function buildPermissionsPolicy(policy: PermissionsPolicy): string;
|
|
151
|
+
/**
|
|
152
|
+
* Preset: Strict security headers
|
|
153
|
+
*/
|
|
154
|
+
declare const PRESET_STRICT: SecurityHeadersConfig;
|
|
155
|
+
/**
|
|
156
|
+
* Preset: Relaxed security headers (for development or less strict needs)
|
|
157
|
+
*/
|
|
158
|
+
declare const PRESET_RELAXED: SecurityHeadersConfig;
|
|
159
|
+
/**
|
|
160
|
+
* Preset: API-focused security headers
|
|
161
|
+
*/
|
|
162
|
+
declare const PRESET_API: SecurityHeadersConfig;
|
|
163
|
+
/**
|
|
164
|
+
* Get preset config by name
|
|
165
|
+
*/
|
|
166
|
+
declare function getPreset(name: SecurityHeadersPreset): SecurityHeadersConfig;
|
|
167
|
+
/**
|
|
168
|
+
* Build all headers from config
|
|
31
169
|
*/
|
|
32
|
-
declare function
|
|
33
|
-
declare function createCsp(): void;
|
|
170
|
+
declare function buildHeaders(config: SecurityHeadersConfig): Headers;
|
|
34
171
|
|
|
35
|
-
export {
|
|
172
|
+
export { type ContentSecurityPolicy, type CrossOriginEmbedderPolicy, type CrossOriginOpenerPolicy, type CrossOriginResourcePolicy, PRESET_API, PRESET_RELAXED, PRESET_STRICT, type PermissionsPolicy, type ReferrerPolicy, type SecurityHeadersConfig, type SecurityHeadersPreset, type StrictTransportSecurity, type XFrameOptions, buildCSP, buildHSTS, buildHeaders, buildPermissionsPolicy, createSecurityHeaders, createSecurityHeadersObject, getPreset, withSecurityHeaders };
|
package/dist/headers.d.ts
CHANGED
|
@@ -1,35 +1,172 @@
|
|
|
1
|
+
import { NextRequest } from 'next/server';
|
|
2
|
+
|
|
3
|
+
/**
|
|
4
|
+
* Content-Security-Policy directive values
|
|
5
|
+
*/
|
|
6
|
+
type CSPDirectiveValue = string | string[];
|
|
7
|
+
interface ContentSecurityPolicy {
|
|
8
|
+
defaultSrc?: CSPDirectiveValue;
|
|
9
|
+
scriptSrc?: CSPDirectiveValue;
|
|
10
|
+
styleSrc?: CSPDirectiveValue;
|
|
11
|
+
imgSrc?: CSPDirectiveValue;
|
|
12
|
+
fontSrc?: CSPDirectiveValue;
|
|
13
|
+
connectSrc?: CSPDirectiveValue;
|
|
14
|
+
mediaSrc?: CSPDirectiveValue;
|
|
15
|
+
objectSrc?: CSPDirectiveValue;
|
|
16
|
+
frameSrc?: CSPDirectiveValue;
|
|
17
|
+
childSrc?: CSPDirectiveValue;
|
|
18
|
+
workerSrc?: CSPDirectiveValue;
|
|
19
|
+
frameAncestors?: CSPDirectiveValue;
|
|
20
|
+
formAction?: CSPDirectiveValue;
|
|
21
|
+
baseUri?: CSPDirectiveValue;
|
|
22
|
+
manifestSrc?: CSPDirectiveValue;
|
|
23
|
+
upgradeInsecureRequests?: boolean;
|
|
24
|
+
blockAllMixedContent?: boolean;
|
|
25
|
+
reportUri?: string;
|
|
26
|
+
reportTo?: string;
|
|
27
|
+
}
|
|
28
|
+
interface StrictTransportSecurity {
|
|
29
|
+
maxAge: number;
|
|
30
|
+
includeSubDomains?: boolean;
|
|
31
|
+
preload?: boolean;
|
|
32
|
+
}
|
|
33
|
+
type XFrameOptions = 'DENY' | 'SAMEORIGIN';
|
|
34
|
+
type ReferrerPolicy = 'no-referrer' | 'no-referrer-when-downgrade' | 'origin' | 'origin-when-cross-origin' | 'same-origin' | 'strict-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url';
|
|
35
|
+
type CrossOriginOpenerPolicy = 'unsafe-none' | 'same-origin-allow-popups' | 'same-origin';
|
|
36
|
+
type CrossOriginEmbedderPolicy = 'unsafe-none' | 'require-corp' | 'credentialless';
|
|
37
|
+
type CrossOriginResourcePolicy = 'same-site' | 'same-origin' | 'cross-origin';
|
|
38
|
+
interface PermissionsPolicy {
|
|
39
|
+
accelerometer?: string[];
|
|
40
|
+
ambientLightSensor?: string[];
|
|
41
|
+
autoplay?: string[];
|
|
42
|
+
battery?: string[];
|
|
43
|
+
camera?: string[];
|
|
44
|
+
displayCapture?: string[];
|
|
45
|
+
documentDomain?: string[];
|
|
46
|
+
encryptedMedia?: string[];
|
|
47
|
+
fullscreen?: string[];
|
|
48
|
+
geolocation?: string[];
|
|
49
|
+
gyroscope?: string[];
|
|
50
|
+
magnetometer?: string[];
|
|
51
|
+
microphone?: string[];
|
|
52
|
+
midi?: string[];
|
|
53
|
+
payment?: string[];
|
|
54
|
+
pictureInPicture?: string[];
|
|
55
|
+
publicKeyCredentialsGet?: string[];
|
|
56
|
+
screenWakeLock?: string[];
|
|
57
|
+
syncXhr?: string[];
|
|
58
|
+
usb?: string[];
|
|
59
|
+
webShare?: string[];
|
|
60
|
+
xrSpatialTracking?: string[];
|
|
61
|
+
}
|
|
62
|
+
interface SecurityHeadersConfig {
|
|
63
|
+
/** Content-Security-Policy */
|
|
64
|
+
contentSecurityPolicy?: ContentSecurityPolicy | false;
|
|
65
|
+
/** Strict-Transport-Security */
|
|
66
|
+
strictTransportSecurity?: StrictTransportSecurity | false;
|
|
67
|
+
/** X-Frame-Options */
|
|
68
|
+
xFrameOptions?: XFrameOptions | false;
|
|
69
|
+
/** X-Content-Type-Options: nosniff */
|
|
70
|
+
xContentTypeOptions?: boolean;
|
|
71
|
+
/** X-DNS-Prefetch-Control */
|
|
72
|
+
xDnsPrefetchControl?: 'on' | 'off' | false;
|
|
73
|
+
/** X-Download-Options: noopen (IE specific) */
|
|
74
|
+
xDownloadOptions?: boolean;
|
|
75
|
+
/** X-Permitted-Cross-Domain-Policies */
|
|
76
|
+
xPermittedCrossDomainPolicies?: 'none' | 'master-only' | 'by-content-type' | 'all' | false;
|
|
77
|
+
/** Referrer-Policy */
|
|
78
|
+
referrerPolicy?: ReferrerPolicy | ReferrerPolicy[] | false;
|
|
79
|
+
/** Cross-Origin-Opener-Policy */
|
|
80
|
+
crossOriginOpenerPolicy?: CrossOriginOpenerPolicy | false;
|
|
81
|
+
/** Cross-Origin-Embedder-Policy */
|
|
82
|
+
crossOriginEmbedderPolicy?: CrossOriginEmbedderPolicy | false;
|
|
83
|
+
/** Cross-Origin-Resource-Policy */
|
|
84
|
+
crossOriginResourcePolicy?: CrossOriginResourcePolicy | false;
|
|
85
|
+
/** Permissions-Policy */
|
|
86
|
+
permissionsPolicy?: PermissionsPolicy | false;
|
|
87
|
+
/** Origin-Agent-Cluster */
|
|
88
|
+
originAgentCluster?: boolean;
|
|
89
|
+
}
|
|
90
|
+
type SecurityHeadersPreset = 'strict' | 'relaxed' | 'api';
|
|
91
|
+
|
|
92
|
+
type RouteHandler = (req: NextRequest) => Response | Promise<Response>;
|
|
93
|
+
interface WithSecurityHeadersOptions {
|
|
94
|
+
/** Use a preset configuration */
|
|
95
|
+
preset?: SecurityHeadersPreset;
|
|
96
|
+
/** Custom header configuration (merged with preset if provided) */
|
|
97
|
+
config?: SecurityHeadersConfig;
|
|
98
|
+
/** Override response headers instead of merging */
|
|
99
|
+
override?: boolean;
|
|
100
|
+
}
|
|
1
101
|
/**
|
|
2
|
-
* Security
|
|
102
|
+
* Security headers middleware
|
|
103
|
+
*
|
|
104
|
+
* Adds security headers to responses. Use presets for quick setup
|
|
105
|
+
* or provide custom configuration.
|
|
3
106
|
*
|
|
4
107
|
* @example
|
|
5
108
|
* ```typescript
|
|
6
|
-
* //
|
|
7
|
-
*
|
|
109
|
+
* // Use strict preset
|
|
110
|
+
* export const GET = withSecurityHeaders(handler, { preset: 'strict' })
|
|
8
111
|
*
|
|
9
|
-
*
|
|
10
|
-
*
|
|
11
|
-
*
|
|
12
|
-
*
|
|
13
|
-
*
|
|
14
|
-
* headers: securityHeaders({
|
|
15
|
-
* contentSecurityPolicy: {
|
|
16
|
-
* directives: {
|
|
17
|
-
* defaultSrc: ["'self'"],
|
|
18
|
-
* scriptSrc: ["'self'", "'unsafe-inline'"],
|
|
19
|
-
* }
|
|
20
|
-
* },
|
|
21
|
-
* strictTransportSecurity: true,
|
|
22
|
-
* xFrameOptions: 'DENY',
|
|
23
|
-
* })
|
|
24
|
-
* }
|
|
25
|
-
* ]
|
|
112
|
+
* // Custom config
|
|
113
|
+
* export const GET = withSecurityHeaders(handler, {
|
|
114
|
+
* config: {
|
|
115
|
+
* xFrameOptions: 'SAMEORIGIN',
|
|
116
|
+
* referrerPolicy: 'no-referrer'
|
|
26
117
|
* }
|
|
27
|
-
* }
|
|
118
|
+
* })
|
|
28
119
|
* ```
|
|
120
|
+
*/
|
|
121
|
+
declare function withSecurityHeaders(handler: RouteHandler, options?: WithSecurityHeadersOptions): RouteHandler;
|
|
122
|
+
/**
|
|
123
|
+
* Create headers object for use in responses
|
|
124
|
+
* Useful when you want to add headers manually
|
|
29
125
|
*
|
|
30
|
-
* @
|
|
126
|
+
* @example
|
|
127
|
+
* ```typescript
|
|
128
|
+
* const headers = createSecurityHeaders({ preset: 'api' })
|
|
129
|
+
*
|
|
130
|
+
* return Response.json(data, { headers })
|
|
131
|
+
* ```
|
|
132
|
+
*/
|
|
133
|
+
declare function createSecurityHeaders(options?: WithSecurityHeadersOptions): Headers;
|
|
134
|
+
/**
|
|
135
|
+
* Create a headers object as a plain object (for Next.js headers())
|
|
136
|
+
*/
|
|
137
|
+
declare function createSecurityHeadersObject(options?: WithSecurityHeadersOptions): Record<string, string>;
|
|
138
|
+
|
|
139
|
+
/**
|
|
140
|
+
* Build CSP header string from config
|
|
141
|
+
*/
|
|
142
|
+
declare function buildCSP(policy: ContentSecurityPolicy): string;
|
|
143
|
+
/**
|
|
144
|
+
* Build HSTS header string
|
|
145
|
+
*/
|
|
146
|
+
declare function buildHSTS(config: StrictTransportSecurity): string;
|
|
147
|
+
/**
|
|
148
|
+
* Build Permissions-Policy header string
|
|
149
|
+
*/
|
|
150
|
+
declare function buildPermissionsPolicy(policy: PermissionsPolicy): string;
|
|
151
|
+
/**
|
|
152
|
+
* Preset: Strict security headers
|
|
153
|
+
*/
|
|
154
|
+
declare const PRESET_STRICT: SecurityHeadersConfig;
|
|
155
|
+
/**
|
|
156
|
+
* Preset: Relaxed security headers (for development or less strict needs)
|
|
157
|
+
*/
|
|
158
|
+
declare const PRESET_RELAXED: SecurityHeadersConfig;
|
|
159
|
+
/**
|
|
160
|
+
* Preset: API-focused security headers
|
|
161
|
+
*/
|
|
162
|
+
declare const PRESET_API: SecurityHeadersConfig;
|
|
163
|
+
/**
|
|
164
|
+
* Get preset config by name
|
|
165
|
+
*/
|
|
166
|
+
declare function getPreset(name: SecurityHeadersPreset): SecurityHeadersConfig;
|
|
167
|
+
/**
|
|
168
|
+
* Build all headers from config
|
|
31
169
|
*/
|
|
32
|
-
declare function
|
|
33
|
-
declare function createCsp(): void;
|
|
170
|
+
declare function buildHeaders(config: SecurityHeadersConfig): Headers;
|
|
34
171
|
|
|
35
|
-
export {
|
|
172
|
+
export { type ContentSecurityPolicy, type CrossOriginEmbedderPolicy, type CrossOriginOpenerPolicy, type CrossOriginResourcePolicy, PRESET_API, PRESET_RELAXED, PRESET_STRICT, type PermissionsPolicy, type ReferrerPolicy, type SecurityHeadersConfig, type SecurityHeadersPreset, type StrictTransportSecurity, type XFrameOptions, buildCSP, buildHSTS, buildHeaders, buildPermissionsPolicy, createSecurityHeaders, createSecurityHeadersObject, getPreset, withSecurityHeaders };
|