nextjs-secure 0.1.1 → 0.3.0

package/dist/headers.js

@@ -1,11 +1,272 @@
-// src/middleware/headers/index.ts
-function securityHeaders() {
-  throw new Error("Security headers coming soon in v0.2.0");
+// src/middleware/headers/builder.ts
+function buildCSP(policy) {
+  const directives = [];
+  const directiveMap = {
+    defaultSrc: "default-src",
+    scriptSrc: "script-src",
+    styleSrc: "style-src",
+    imgSrc: "img-src",
+    fontSrc: "font-src",
+    connectSrc: "connect-src",
+    mediaSrc: "media-src",
+    objectSrc: "object-src",
+    frameSrc: "frame-src",
+    childSrc: "child-src",
+    workerSrc: "worker-src",
+    frameAncestors: "frame-ancestors",
+    formAction: "form-action",
+    baseUri: "base-uri",
+    manifestSrc: "manifest-src",
+    reportUri: "report-uri",
+    reportTo: "report-to"
+  };
+  for (const [key, directive] of Object.entries(directiveMap)) {
+    const value = policy[key];
+    if (value !== void 0 && value !== false) {
+      if (Array.isArray(value)) {
+        directives.push(`${directive} ${value.join(" ")}`);
+      } else if (typeof value === "string") {
+        directives.push(`${directive} ${value}`);
+      }
+    }
+  }
+  if (policy.upgradeInsecureRequests) {
+    directives.push("upgrade-insecure-requests");
+  }
+  if (policy.blockAllMixedContent) {
+    directives.push("block-all-mixed-content");
+  }
+  return directives.join("; ");
 }
-function createCsp() {
-  throw new Error("Security headers coming soon in v0.2.0");
+function buildHSTS(config) {
+  let value = `max-age=${config.maxAge}`;
+  if (config.includeSubDomains) {
+    value += "; includeSubDomains";
+  }
+  if (config.preload) {
+    value += "; preload";
+  }
+  return value;
+}
+function buildPermissionsPolicy(policy) {
+  const directives = [];
+  const featureMap = {
+    accelerometer: "accelerometer",
+    ambientLightSensor: "ambient-light-sensor",
+    autoplay: "autoplay",
+    battery: "battery",
+    camera: "camera",
+    displayCapture: "display-capture",
+    documentDomain: "document-domain",
+    encryptedMedia: "encrypted-media",
+    fullscreen: "fullscreen",
+    geolocation: "geolocation",
+    gyroscope: "gyroscope",
+    magnetometer: "magnetometer",
+    microphone: "microphone",
+    midi: "midi",
+    payment: "payment",
+    pictureInPicture: "picture-in-picture",
+    publicKeyCredentialsGet: "publickey-credentials-get",
+    screenWakeLock: "screen-wake-lock",
+    syncXhr: "sync-xhr",
+    usb: "usb",
+    webShare: "web-share",
+    xrSpatialTracking: "xr-spatial-tracking"
+  };
+  for (const [key, feature] of Object.entries(featureMap)) {
+    const origins = policy[key];
+    if (origins !== void 0) {
+      if (origins.length === 0) {
+        directives.push(`${feature}=()`);
+      } else {
+        const formatted = origins.map((o) => o === "self" ? "self" : `"${o}"`).join(" ");
+        directives.push(`${feature}=(${formatted})`);
+      }
+    }
+  }
+  return directives.join(", ");
+}
+var PRESET_STRICT = {
+  contentSecurityPolicy: {
+    defaultSrc: ["'self'"],
+    scriptSrc: ["'self'"],
+    styleSrc: ["'self'"],
+    imgSrc: ["'self'", "data:"],
+    fontSrc: ["'self'"],
+    objectSrc: ["'none'"],
+    frameAncestors: ["'none'"],
+    formAction: ["'self'"],
+    baseUri: ["'self'"],
+    upgradeInsecureRequests: true
+  },
+  strictTransportSecurity: {
+    maxAge: 31536e3,
+    // 1 year
+    includeSubDomains: true,
+    preload: true
+  },
+  xFrameOptions: "DENY",
+  xContentTypeOptions: true,
+  xDnsPrefetchControl: "off",
+  xDownloadOptions: true,
+  xPermittedCrossDomainPolicies: "none",
+  referrerPolicy: "strict-origin-when-cross-origin",
+  crossOriginOpenerPolicy: "same-origin",
+  crossOriginEmbedderPolicy: "require-corp",
+  crossOriginResourcePolicy: "same-origin",
+  permissionsPolicy: {
+    camera: [],
+    microphone: [],
+    geolocation: [],
+    payment: []
+  },
+  originAgentCluster: true
+};
+var PRESET_RELAXED = {
+  contentSecurityPolicy: {
+    defaultSrc: ["'self'"],
+    scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+    styleSrc: ["'self'", "'unsafe-inline'"],
+    imgSrc: ["'self'", "data:", "blob:", "https:"],
+    fontSrc: ["'self'", "https:", "data:"],
+    connectSrc: ["'self'", "https:", "wss:"],
+    frameSrc: ["'self'"]
+  },
+  strictTransportSecurity: {
+    maxAge: 86400,
+    // 1 day
+    includeSubDomains: false
+  },
+  xFrameOptions: "SAMEORIGIN",
+  xContentTypeOptions: true,
+  referrerPolicy: "no-referrer-when-downgrade"
+};
+var PRESET_API = {
+  contentSecurityPolicy: {
+    defaultSrc: ["'none'"],
+    frameAncestors: ["'none'"]
+  },
+  strictTransportSecurity: {
+    maxAge: 31536e3,
+    includeSubDomains: true
+  },
+  xFrameOptions: "DENY",
+  xContentTypeOptions: true,
+  referrerPolicy: "no-referrer",
+  crossOriginResourcePolicy: "same-origin"
+};
+function getPreset(name) {
+  switch (name) {
+    case "strict":
+      return PRESET_STRICT;
+    case "relaxed":
+      return PRESET_RELAXED;
+    case "api":
+      return PRESET_API;
+    default:
+      return PRESET_STRICT;
+  }
+}
+function buildHeaders(config) {
+  const headers = new Headers();
+  if (config.contentSecurityPolicy) {
+    const csp = buildCSP(config.contentSecurityPolicy);
+    if (csp) headers.set("Content-Security-Policy", csp);
+  }
+  if (config.strictTransportSecurity) {
+    headers.set("Strict-Transport-Security", buildHSTS(config.strictTransportSecurity));
+  }
+  if (config.xFrameOptions) {
+    headers.set("X-Frame-Options", config.xFrameOptions);
+  }
+  if (config.xContentTypeOptions) {
+    headers.set("X-Content-Type-Options", "nosniff");
+  }
+  if (config.xDnsPrefetchControl) {
+    headers.set("X-DNS-Prefetch-Control", config.xDnsPrefetchControl);
+  }
+  if (config.xDownloadOptions) {
+    headers.set("X-Download-Options", "noopen");
+  }
+  if (config.xPermittedCrossDomainPolicies) {
+    headers.set("X-Permitted-Cross-Domain-Policies", config.xPermittedCrossDomainPolicies);
+  }
+  if (config.referrerPolicy) {
+    const value = Array.isArray(config.referrerPolicy) ? config.referrerPolicy.join(", ") : config.referrerPolicy;
+    headers.set("Referrer-Policy", value);
+  }
+  if (config.crossOriginOpenerPolicy) {
+    headers.set("Cross-Origin-Opener-Policy", config.crossOriginOpenerPolicy);
+  }
+  if (config.crossOriginEmbedderPolicy) {
+    headers.set("Cross-Origin-Embedder-Policy", config.crossOriginEmbedderPolicy);
+  }
+  if (config.crossOriginResourcePolicy) {
+    headers.set("Cross-Origin-Resource-Policy", config.crossOriginResourcePolicy);
+  }
+  if (config.permissionsPolicy) {
+    const pp = buildPermissionsPolicy(config.permissionsPolicy);
+    if (pp) headers.set("Permissions-Policy", pp);
+  }
+  if (config.originAgentCluster) {
+    headers.set("Origin-Agent-Cluster", "?1");
+  }
+  return headers;
+}
+
+// src/middleware/headers/middleware.ts
+function mergeConfigs(base, custom) {
+  return {
+    ...base,
+    ...custom,
+    // Deep merge CSP if both exist
+    contentSecurityPolicy: custom.contentSecurityPolicy === false ? false : custom.contentSecurityPolicy ? base.contentSecurityPolicy ? { ...base.contentSecurityPolicy, ...custom.contentSecurityPolicy } : custom.contentSecurityPolicy : base.contentSecurityPolicy,
+    // Deep merge HSTS if both exist
+    strictTransportSecurity: custom.strictTransportSecurity === false ? false : custom.strictTransportSecurity ? base.strictTransportSecurity ? { ...base.strictTransportSecurity, ...custom.strictTransportSecurity } : custom.strictTransportSecurity : base.strictTransportSecurity,
+    // Deep merge Permissions-Policy if both exist
+    permissionsPolicy: custom.permissionsPolicy === false ? false : custom.permissionsPolicy ? base.permissionsPolicy ? { ...base.permissionsPolicy, ...custom.permissionsPolicy } : custom.permissionsPolicy : base.permissionsPolicy
+  };
+}
+function withSecurityHeaders(handler, options = {}) {
+  const { preset, config, override = false } = options;
+  let baseConfig = preset ? getPreset(preset) : PRESET_STRICT;
+  if (config) {
+    baseConfig = mergeConfigs(baseConfig, config);
+  }
+  const securityHeaders = buildHeaders(baseConfig);
+  return async (req) => {
+    const response = await handler(req);
+    const newHeaders = new Headers(response.headers);
+    securityHeaders.forEach((value, key) => {
+      if (override || !newHeaders.has(key)) {
+        newHeaders.set(key, value);
+      }
+    });
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: newHeaders
+    });
+  };
+}
+function createSecurityHeaders(options = {}) {
+  const { preset, config } = options;
+  let baseConfig = preset ? getPreset(preset) : PRESET_STRICT;
+  if (config) {
+    baseConfig = mergeConfigs(baseConfig, config);
+  }
+  return buildHeaders(baseConfig);
+}
+function createSecurityHeadersObject(options = {}) {
+  const headers = createSecurityHeaders(options);
+  const obj = {};
+  headers.forEach((value, key) => {
+    obj[key] = value;
+  });
+  return obj;
 }
 
-export { createCsp, securityHeaders };
+export { PRESET_API, PRESET_RELAXED, PRESET_STRICT, buildCSP, buildHSTS, buildHeaders, buildPermissionsPolicy, createSecurityHeaders, createSecurityHeadersObject, getPreset, withSecurityHeaders };
 //# sourceMappingURL=headers.js.map
 //# sourceMappingURL=headers.js.map

package/dist/headers.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/middleware/headers/index.ts"],"names":[],"mappings":";AAiCO,SAAS,eAAA,GAAkB;AAChC,EAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAC1D;AAEO,SAAS,SAAA,GAAY;AAC1B,EAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAC1D","file":"headers.js","sourcesContent":["/**\n * Security Headers Middleware (Coming Soon)\n *\n * @example\n * ```typescript\n * // next.config.js\n * import { securityHeaders } from 'next-secure/headers'\n *\n * export default {\n *   async headers() {\n *     return [\n *       {\n *         source: '/:path*',\n *         headers: securityHeaders({\n *           contentSecurityPolicy: {\n *             directives: {\n *               defaultSrc: [\"'self'\"],\n *               scriptSrc: [\"'self'\", \"'unsafe-inline'\"],\n *             }\n *           },\n *           strictTransportSecurity: true,\n *           xFrameOptions: 'DENY',\n *         })\n *       }\n *     ]\n *   }\n * }\n * ```\n *\n * @packageDocumentation\n */\n\n// Placeholder for security headers\nexport function securityHeaders() {\n  throw new Error('Security headers coming soon in v0.2.0')\n}\n\nexport function createCsp() {\n  throw new Error('Security headers coming soon in v0.2.0')\n}\n"]}
+{"version":3,"sources":["../src/middleware/headers/builder.ts","../src/middleware/headers/middleware.ts"],"names":[],"mappings":";AAWO,SAAS,SAAS,MAAA,EAAuC;AAC9D,EAAA,MAAM,aAAuB,EAAC;AAE9B,EAAA,MAAM,YAAA,GAAuC;AAAA,IAC3C,UAAA,EAAY,aAAA;AAAA,IACZ,SAAA,EAAW,YAAA;AAAA,IACX,QAAA,EAAU,WAAA;AAAA,IACV,MAAA,EAAQ,SAAA;AAAA,IACR,OAAA,EAAS,UAAA;AAAA,IACT,UAAA,EAAY,aAAA;AAAA,IACZ,QAAA,EAAU,WAAA;AAAA,IACV,SAAA,EAAW,YAAA;AAAA,IACX,QAAA,EAAU,WAAA;AAAA,IACV,QAAA,EAAU,WAAA;AAAA,IACV,SAAA,EAAW,YAAA;AAAA,IACX,cAAA,EAAgB,iBAAA;AAAA,IAChB,UAAA,EAAY,aAAA;AAAA,IACZ,OAAA,EAAS,UAAA;AAAA,IACT,WAAA,EAAa,cAAA;AAAA,IACb,SAAA,EAAW,YAAA;AAAA,IACX,QAAA,EAAU;AAAA,GACZ;AAEA,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,SAAS,KAAK,MAAA,CAAO,OAAA,CAAQ,YAAY,CAAA,EAAG;AAC3D,IAAA,MAAM,KAAA,GAAQ,OAAO,GAAkC,CAAA;AACvD,IAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,KAAA,EAAO;AAC1C,MAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,QAAA,UAAA,CAAW,IAAA,CAAK,GAAG,SAAS,CAAA,CAAA,EAAI,MAAM,IAAA,CAAK,GAAG,CAAC,CAAA,CAAE,CAAA;AAAA,MACnD,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,QAAA,UAAA,CAAW,IAAA,CAAK,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AAEA,EAAA,IAAI,OAAO,uBAAA,EAAyB;AAClC,IAAA,UAAA,CAAW,KAAK,2BAA2B,CAAA;AAAA,EAC7C;AAEA,EAAA,IAAI,OAAO,oBAAA,EAAsB;AAC/B,IAAA,UAAA,CAAW,KAAK,yBAAyB,CAAA;AAAA,EAC3C;AAEA,EAAA,OAAO,UAAA,CAAW,KAAK,IAAI,CAAA;AAC7B;AAKO,SAAS,UAAU,MAAA,EAAyC;AACjE,EAAA,IAAI,KAAA,GAAQ,CAAA,QAAA,EAAW,MAAA,CAAO,MAAM,CAAA,CAAA;AAEpC,EAAA,IAAI,OAAO,iBAAA,EAAmB;AAC5B,IAAA,KAAA,IAAS,qBAAA;AAAA,EACX;AAEA,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,KAAA,IAAS,WAAA;AAAA,EACX;AAEA,EAAA,OAAO,KAAA;AACT;AAKO,SAAS,uBAAuB,MAAA,EAAmC;AACxE,EAAA,MAAM,aAAuB,EAAC;AAE9B,EAAA,MAAM,UAAA,GAAqC;AAAA,IACzC,aAAA,EAAe,eAAA;AAAA,IACf,kBAAA,EAAoB,sBAAA;AAAA,IACpB,QAAA,EAAU,UAAA;AAAA,IACV,OAAA,EAAS,SAAA;AAAA,IACT,MAAA,EAAQ,QAAA;AAAA,IACR,cAAA,EAAgB,iBAAA;AAAA,IAChB,cAAA,EAAgB,iBAAA;AAAA,IAChB,cAAA,EAAgB,iBAAA;AAAA,IAChB,UAAA,EAAY,YAAA;AAAA,IACZ,WAAA,EAAa,aAAA;AAAA,IACb,SAAA,EAAW,WAAA;AAAA,IACX,YAAA,EAAc,cAAA;AAAA,IACd,UAAA,EAAY,YAAA;AAAA,IACZ,IAAA,EAAM,MAAA;AAAA,IACN,OAAA,EAAS,SAAA;AAAA,IACT,gBAAA,EAAkB,oBAAA;AAAA,IAClB,uBAAA,EAAyB,2BAAA;AAAA,IACzB,cAAA,EAAgB,kBAAA;AAAA,IAChB,OAAA,EAAS,UAAA;AAAA,IACT,GAAA,EAAK,KAAA;AAAA,IACL,QAAA,EAAU,WAAA;AAAA,IACV,iBAAA,EAAmB;AAAA,GACrB;AAEA,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,OAAO,KAAK,MAAA,CAAO,OAAA,CAAQ,UAAU,CAAA,EAAG;AACvD,IAAA,MAAM,OAAA,GAAU,OAAO,GAA8B,CAAA;AACrD,IAAA,IAAI,YAAY,MAAA,EAAW;AACzB,MAAA,IAAI,OAAA,CAAQ,WAAW,CAAA,EAAG;AACxB,QAAA,UAAA,CAAW,IAAA,CAAK,CAAA,EAAG,OAAO,CAAA,GAAA,CAAK,CAAA;AAAA,MACjC,CAAA,MAAO;AACL,QAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,GAAA,CAAI,CAAC,CAAA,KAAO,CAAA,KAAM,MAAA,GAAS,MAAA,GAAS,CAAA,CAAA,EAAI,CAAC,CAAA,CAAA,CAAI,CAAA,CAAE,KAAK,GAAG,CAAA;AACjF,QAAA,UAAA,CAAW,IAAA,CAAK,CAAA,EAAG,OAAO,CAAA,EAAA,EAAK,SAAS,CAAA,CAAA,CAAG,CAAA;AAAA,MAC7C;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,UAAA,CAAW,KAAK,IAAI,CAAA;AAC7B;AAKO,IAAM,aAAA,GAAuC;AAAA,EAClD,qBAAA,EAAuB;AAAA,IACrB,UAAA,EAAY,CAAC,QAAQ,CAAA;AAAA,IACrB,SAAA,EAAW,CAAC,QAAQ,CAAA;AAAA,IACpB,QAAA,EAAU,CAAC,QAAQ,CAAA;AAAA,IACnB,MAAA,EAAQ,CAAC,QAAA,EAAU,OAAO,CAAA;AAAA,IAC1B,OAAA,EAAS,CAAC,QAAQ,CAAA;AAAA,IAClB,SAAA,EAAW,CAAC,QAAQ,CAAA;AAAA,IACpB,cAAA,EAAgB,CAAC,QAAQ,CAAA;AAAA,IACzB,UAAA,EAAY,CAAC,QAAQ,CAAA;AAAA,IACrB,OAAA,EAAS,CAAC,QAAQ,CAAA;AAAA,IAClB,uBAAA,EAAyB;AAAA,GAC3B;AAAA,EACA,uBAAA,EAAyB;AAAA,IACvB,MAAA,EAAQ,OAAA;AAAA;AAAA,IACR,iBAAA,EAAmB,IAAA;AAAA,IACnB,OAAA,EAAS;AAAA,GACX;AAAA,EACA,aAAA,EAAe,MAAA;AAAA,EACf,mBAAA,EAAqB,IAAA;AAAA,EACrB,mBAAA,EAAqB,KAAA;AAAA,EACrB,gBAAA,EAAkB,IAAA;AAAA,EAClB,6BAAA,EAA+B,MAAA;AAAA,EAC/B,cAAA,EAAgB,iCAAA;AAAA,EAChB,uBAAA,EAAyB,aAAA;AAAA,EACzB,yBAAA,EAA2B,cAAA;AAAA,EAC3B,yBAAA,EAA2B,aAAA;AAAA,EAC3B,iBAAA,EAAmB;AAAA,IACjB,QAAQ,EAAC;AAAA,IACT,YAAY,EAAC;AAAA,IACb,aAAa,EAAC;AAAA,IACd,SAAS;AAAC,GACZ;AAAA,EACA,kBAAA,EAAoB;AACtB;AAKO,IAAM,cAAA,GAAwC;AAAA,EACnD,qBAAA,EAAuB;AAAA,IACrB,UAAA,EAAY,CAAC,QAAQ,CAAA;AAAA,IACrB,SAAA,EAAW,CAAC,QAAA,EAAU,iBAAA,EAAmB,eAAe,CAAA;AAAA,IACxD,QAAA,EAAU,CAAC,QAAA,EAAU,iBAAiB,CAAA;AAAA,IACtC,MAAA,EAAQ,CAAC,QAAA,EAAU,OAAA,EAAS,SAAS,QAAQ,CAAA;AAAA,IAC7C,OAAA,EAAS,CAAC,QAAA,EAAU,QAAA,EAAU,OAAO,CAAA;AAAA,IACrC,UAAA,EAAY,CAAC,QAAA,EAAU,QAAA,EAAU,MAAM,CAAA;AAAA,IACvC,QAAA,EAAU,CAAC,QAAQ;AAAA,GACrB;AAAA,EACA,uBAAA,EAAyB;AAAA,IACvB,MAAA,EAAQ,KAAA;AAAA;AAAA,IACR,iBAAA,EAAmB;AAAA,GACrB;AAAA,EACA,aAAA,EAAe,YAAA;AAAA,EACf,mBAAA,EAAqB,IAAA;AAAA,EACrB,cAAA,EAAgB;AAClB;AAKO,IAAM,UAAA,GAAoC;AAAA,EAC/C,qBAAA,EAAuB;AAAA,IACrB,UAAA,EAAY,CAAC,QAAQ,CAAA;AAAA,IACrB,cAAA,EAAgB,CAAC,QAAQ;AAAA,GAC3B;AAAA,EACA,uBAAA,EAAyB;AAAA,IACvB,MAAA,EAAQ,OAAA;AAAA,IACR,iBAAA,EAAmB;AAAA,GACrB;AAAA,EACA,aAAA,EAAe,MAAA;AAAA,EACf,mBAAA,EAAqB,IAAA;AAAA,EACrB,cAAA,EAAgB,aAAA;AAAA,EAChB,yBAAA,EAA2B;AAC7B;AAKO,SAAS,UAAU,IAAA,EAAoD;AAC5E,EAAA,QAAQ,IAAA;AAAM,IACZ,KAAK,QAAA;AACH,MAAA,OAAO,aAAA;AAAA,IACT,KAAK,SAAA;AACH,MAAA,OAAO,cAAA;AAAA,IACT,KAAK,KAAA;AACH,MAAA,OAAO,UAAA;AAAA,IACT;AACE,MAAA,OAAO,aAAA;AAAA;AAEb;AAKO,SAAS,aAAa,MAAA,EAAwC;AACnE,EAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAG5B,EAAA,IAAI,OAAO,qBAAA,EAAuB;AAChC,IAAA,MAAM,GAAA,GAAM,QAAA,CAAS,MAAA,CAAO,qBAAqB,CAAA;AACjD,IAAA,IAAI,GAAA,EAAK,OAAA,CAAQ,GAAA,CAAI,yBAAA,EAA2B,GAAG,CAAA;AAAA,EACrD;AAGA,EAAA,IAAI,OAAO,uBAAA,EAAyB;AAClC,IAAA,OAAA,CAAQ,GAAA,CAAI,2BAAA,EAA6B,SAAA,CAAU,MAAA,CAAO,uBAAuB,CAAC,CAAA;AAAA,EACpF;AAGA,EAAA,IAAI,OAAO,aAAA,EAAe;AACxB,IAAA,OAAA,CAAQ,GAAA,CAAI,iBAAA,EAAmB,MAAA,CAAO,aAAa,CAAA;AAAA,EACrD;AAGA,EAAA,IAAI,OAAO,mBAAA,EAAqB;AAC9B,IAAA,OAAA,CAAQ,GAAA,CAAI,0BAA0B,SAAS,CAAA;AAAA,EACjD;AAGA,EAAA,IAAI,OAAO,mBAAA,EAAqB;AAC9B,IAAA,OAAA,CAAQ,GAAA,CAAI,wBAAA,EAA0B,MAAA,CAAO,mBAAmB,CAAA;AAAA,EAClE;AAGA,EAAA,IAAI,OAAO,gBAAA,EAAkB;AAC3B,IAAA,OAAA,CAAQ,GAAA,CAAI,sBAAsB,QAAQ,CAAA;AAAA,EAC5C;AAGA,EAAA,IAAI,OAAO,6BAAA,EAA+B;AACxC,IAAA,OAAA,CAAQ,GAAA,CAAI,mCAAA,EAAqC,MAAA,CAAO,6BAA6B,CAAA;AAAA,EACvF;AAGA,EAAA,IAAI,OAAO,cAAA,EAAgB;AACzB,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,MAAA,CAAO,cAAc,CAAA,GAC7C,MAAA,CAAO,cAAA,CAAe,IAAA,CAAK,IAAI,CAAA,GAC/B,MAAA,CAAO,cAAA;AACX,IAAA,OAAA,CAAQ,GAAA,CAAI,mBAAmB,KAAK,CAAA;AAAA,EACtC;AAGA,EAAA,IAAI,OAAO,uBAAA,EAAyB;AAClC,IAAA,OAAA,CAAQ,GAAA,CAAI,4BAAA,EAA8B,MAAA,CAAO,uBAAuB,CAAA;AAAA,EAC1E;AAGA,EAAA,IAAI,OAAO,yBAAA,EAA2B;AACpC,IAAA,OAAA,CAAQ,GAAA,CAAI,8BAAA,EAAgC,MAAA,CAAO,yBAAyB,CAAA;AAAA,EAC9E;AAGA,EAAA,IAAI,OAAO,yBAAA,EAA2B;AACpC,IAAA,OAAA,CAAQ,GAAA,CAAI,8BAAA,EAAgC,MAAA,CAAO,yBAAyB,CAAA;AAAA,EAC9E;AAGA,EAAA,IAAI,OAAO,iBAAA,EAAmB;AAC5B,IAAA,MAAM,EAAA,GAAK,sBAAA,CAAuB,MAAA,CAAO,iBAAiB,CAAA;AAC1D,IAAA,IAAI,EAAA,EAAI,OAAA,CAAQ,GAAA,CAAI,oBAAA,EAAsB,EAAE,CAAA;AAAA,EAC9C;AAGA,EAAA,IAAI,OAAO,kBAAA,EAAoB;AAC7B,IAAA,OAAA,CAAQ,GAAA,CAAI,wBAAwB,IAAI,CAAA;AAAA,EAC1C;AAEA,EAAA,OAAO,OAAA;AACT;;;AC/QA,SAAS,YAAA,CACP,MACA,MAAA,EACuB;AACvB,EAAA,OAAO;AAAA,IACL,GAAG,IAAA;AAAA,IACH,GAAG,MAAA;AAAA;AAAA,IAEH,uBACE,MAAA,CAAO,qBAAA,KAA0B,QAC7B,KAAA,GACA,MAAA,CAAO,wBACL,IAAA,CAAK,qBAAA,GACH,EAAE,GAAI,IAAA,CAAK,uBAAkC,GAAG,MAAA,CAAO,uBAAsB,GAC7E,MAAA,CAAO,wBACT,IAAA,CAAK,qBAAA;AAAA;AAAA,IAEb,yBACE,MAAA,CAAO,uBAAA,KAA4B,QAC/B,KAAA,GACA,MAAA,CAAO,0BACL,IAAA,CAAK,uBAAA,GACH,EAAE,GAAI,IAAA,CAAK,yBAAoC,GAAG,MAAA,CAAO,yBAAwB,GACjF,MAAA,CAAO,0BACT,IAAA,CAAK,uBAAA;AAAA;AAAA,IAEb,mBACE,MAAA,CAAO,iBAAA,KAAsB,QACzB,KAAA,GACA,MAAA,CAAO,oBACL,IAAA,CAAK,iBAAA,GACH,EAAE,GAAI,IAAA,CAAK,mBAA8B,GAAG,MAAA,CAAO,mBAAkB,GACrE,MAAA,CAAO,oBACT,IAAA,CAAK;AAAA,GACf;AACF;AAsBO,SAAS,mBAAA,CACd,OAAA,EACA,OAAA,GAAsC,EAAC,EACzB;AACd,EAAA,MAAM,EAAE,MAAA,EAAQ,MAAA,EAAQ,QAAA,GAAW,OAAM,GAAI,OAAA;AAG7C,EAAA,IAAI,UAAA,GAAoC,MAAA,GAAS,SAAA,CAAU,MAAM,CAAA,GAAI,aAAA;AAGrE,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,UAAA,GAAa,YAAA,CAAa,YAAY,MAAM,CAAA;AAAA,EAC9C;AAGA,EAAA,MAAM,eAAA,GAAkB,aAAa,UAAU,CAAA;AAE/C,EAAA,OAAO,OAAO,GAAA,KAAwC;AACpD,IAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,GAAG,CAAA;AAGlC,IAAA,MAAM,UAAA,GAAa,IAAI,OAAA,CAAQ,QAAA,CAAS,OAAO,CAAA;AAG/C,IAAA,eAAA,CAAgB,OAAA,CAAQ,CAAC,KAAA,EAAO,GAAA,KAAQ;AACtC,MAAA,IAAI,QAAA,IAAY,CAAC,UAAA,CAAW,GAAA,CAAI,GAAG,CAAA,EAAG;AACpC,QAAA,UAAA,CAAW,GAAA,CAAI,KAAK,KAAK,CAAA;AAAA,MAC3B;AAAA,IACF,CAAC,CAAA;AAED,IAAA,OAAO,IAAI,QAAA,CAAS,QAAA,CAAS,IAAA,EAAM;AAAA,MACjC,QAAQ,QAAA,CAAS,MAAA;AAAA,MACjB,YAAY,QAAA,CAAS,UAAA;AAAA,MACrB,OAAA,EAAS;AAAA,KACV,CAAA;AAAA,EACH,CAAA;AACF;AAaO,SAAS,qBAAA,CACd,OAAA,GAAsC,EAAC,EAC9B;AACT,EAAA,MAAM,EAAE,MAAA,EAAQ,MAAA,EAAO,GAAI,OAAA;AAE3B,EAAA,IAAI,UAAA,GAAoC,MAAA,GAAS,SAAA,CAAU,MAAM,CAAA,GAAI,aAAA;AAErE,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,UAAA,GAAa,YAAA,CAAa,YAAY,MAAM,CAAA;AAAA,EAC9C;AAEA,EAAA,OAAO,aAAa,UAAU,CAAA;AAChC;AAKO,SAAS,2BAAA,CACd,OAAA,GAAsC,EAAC,EACf;AACxB,EAAA,MAAM,OAAA,GAAU,sBAAsB,OAAO,CAAA;AAC7C,EAAA,MAAM,MAA8B,EAAC;AAErC,EAAA,OAAA,CAAQ,OAAA,CAAQ,CAAC,KAAA,EAAO,GAAA,KAAQ;AAC9B,IAAA,GAAA,CAAI,GAAG,CAAA,GAAI,KAAA;AAAA,EACb,CAAC,CAAA;AAED,EAAA,OAAO,GAAA;AACT","file":"headers.js","sourcesContent":["import type {\n  ContentSecurityPolicy,\n  StrictTransportSecurity,\n  PermissionsPolicy,\n  SecurityHeadersConfig,\n  SecurityHeadersPreset,\n} from './types'\n\n/**\n * Build CSP header string from config\n */\nexport function buildCSP(policy: ContentSecurityPolicy): string {\n  const directives: string[] = []\n\n  const directiveMap: Record<string, string> = {\n    defaultSrc: 'default-src',\n    scriptSrc: 'script-src',\n    styleSrc: 'style-src',\n    imgSrc: 'img-src',\n    fontSrc: 'font-src',\n    connectSrc: 'connect-src',\n    mediaSrc: 'media-src',\n    objectSrc: 'object-src',\n    frameSrc: 'frame-src',\n    childSrc: 'child-src',\n    workerSrc: 'worker-src',\n    frameAncestors: 'frame-ancestors',\n    formAction: 'form-action',\n    baseUri: 'base-uri',\n    manifestSrc: 'manifest-src',\n    reportUri: 'report-uri',\n    reportTo: 'report-to',\n  }\n\n  for (const [key, directive] of Object.entries(directiveMap)) {\n    const value = policy[key as keyof ContentSecurityPolicy]\n    if (value !== undefined && value !== false) {\n      if (Array.isArray(value)) {\n        directives.push(`${directive} ${value.join(' ')}`)\n      } else if (typeof value === 'string') {\n        directives.push(`${directive} ${value}`)\n      }\n    }\n  }\n\n  if (policy.upgradeInsecureRequests) {\n    directives.push('upgrade-insecure-requests')\n  }\n\n  if (policy.blockAllMixedContent) {\n    directives.push('block-all-mixed-content')\n  }\n\n  return directives.join('; ')\n}\n\n/**\n * Build HSTS header string\n */\nexport function buildHSTS(config: StrictTransportSecurity): string {\n  let value = `max-age=${config.maxAge}`\n\n  if (config.includeSubDomains) {\n    value += '; includeSubDomains'\n  }\n\n  if (config.preload) {\n    value += '; preload'\n  }\n\n  return value\n}\n\n/**\n * Build Permissions-Policy header string\n */\nexport function buildPermissionsPolicy(policy: PermissionsPolicy): string {\n  const directives: string[] = []\n\n  const featureMap: Record<string, string> = {\n    accelerometer: 'accelerometer',\n    ambientLightSensor: 'ambient-light-sensor',\n    autoplay: 'autoplay',\n    battery: 'battery',\n    camera: 'camera',\n    displayCapture: 'display-capture',\n    documentDomain: 'document-domain',\n    encryptedMedia: 'encrypted-media',\n    fullscreen: 'fullscreen',\n    geolocation: 'geolocation',\n    gyroscope: 'gyroscope',\n    magnetometer: 'magnetometer',\n    microphone: 'microphone',\n    midi: 'midi',\n    payment: 'payment',\n    pictureInPicture: 'picture-in-picture',\n    publicKeyCredentialsGet: 'publickey-credentials-get',\n    screenWakeLock: 'screen-wake-lock',\n    syncXhr: 'sync-xhr',\n    usb: 'usb',\n    webShare: 'web-share',\n    xrSpatialTracking: 'xr-spatial-tracking',\n  }\n\n  for (const [key, feature] of Object.entries(featureMap)) {\n    const origins = policy[key as keyof PermissionsPolicy]\n    if (origins !== undefined) {\n      if (origins.length === 0) {\n        directives.push(`${feature}=()`)\n      } else {\n        const formatted = origins.map((o) => (o === 'self' ? 'self' : `\"${o}\"`)).join(' ')\n        directives.push(`${feature}=(${formatted})`)\n      }\n    }\n  }\n\n  return directives.join(', ')\n}\n\n/**\n * Preset: Strict security headers\n */\nexport const PRESET_STRICT: SecurityHeadersConfig = {\n  contentSecurityPolicy: {\n    defaultSrc: [\"'self'\"],\n    scriptSrc: [\"'self'\"],\n    styleSrc: [\"'self'\"],\n    imgSrc: [\"'self'\", 'data:'],\n    fontSrc: [\"'self'\"],\n    objectSrc: [\"'none'\"],\n    frameAncestors: [\"'none'\"],\n    formAction: [\"'self'\"],\n    baseUri: [\"'self'\"],\n    upgradeInsecureRequests: true,\n  },\n  strictTransportSecurity: {\n    maxAge: 31536000, // 1 year\n    includeSubDomains: true,\n    preload: true,\n  },\n  xFrameOptions: 'DENY',\n  xContentTypeOptions: true,\n  xDnsPrefetchControl: 'off',\n  xDownloadOptions: true,\n  xPermittedCrossDomainPolicies: 'none',\n  referrerPolicy: 'strict-origin-when-cross-origin',\n  crossOriginOpenerPolicy: 'same-origin',\n  crossOriginEmbedderPolicy: 'require-corp',\n  crossOriginResourcePolicy: 'same-origin',\n  permissionsPolicy: {\n    camera: [],\n    microphone: [],\n    geolocation: [],\n    payment: [],\n  },\n  originAgentCluster: true,\n}\n\n/**\n * Preset: Relaxed security headers (for development or less strict needs)\n */\nexport const PRESET_RELAXED: SecurityHeadersConfig = {\n  contentSecurityPolicy: {\n    defaultSrc: [\"'self'\"],\n    scriptSrc: [\"'self'\", \"'unsafe-inline'\", \"'unsafe-eval'\"],\n    styleSrc: [\"'self'\", \"'unsafe-inline'\"],\n    imgSrc: [\"'self'\", 'data:', 'blob:', 'https:'],\n    fontSrc: [\"'self'\", 'https:', 'data:'],\n    connectSrc: [\"'self'\", 'https:', 'wss:'],\n    frameSrc: [\"'self'\"],\n  },\n  strictTransportSecurity: {\n    maxAge: 86400, // 1 day\n    includeSubDomains: false,\n  },\n  xFrameOptions: 'SAMEORIGIN',\n  xContentTypeOptions: true,\n  referrerPolicy: 'no-referrer-when-downgrade',\n}\n\n/**\n * Preset: API-focused security headers\n */\nexport const PRESET_API: SecurityHeadersConfig = {\n  contentSecurityPolicy: {\n    defaultSrc: [\"'none'\"],\n    frameAncestors: [\"'none'\"],\n  },\n  strictTransportSecurity: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  xFrameOptions: 'DENY',\n  xContentTypeOptions: true,\n  referrerPolicy: 'no-referrer',\n  crossOriginResourcePolicy: 'same-origin',\n}\n\n/**\n * Get preset config by name\n */\nexport function getPreset(name: SecurityHeadersPreset): SecurityHeadersConfig {\n  switch (name) {\n    case 'strict':\n      return PRESET_STRICT\n    case 'relaxed':\n      return PRESET_RELAXED\n    case 'api':\n      return PRESET_API\n    default:\n      return PRESET_STRICT\n  }\n}\n\n/**\n * Build all headers from config\n */\nexport function buildHeaders(config: SecurityHeadersConfig): Headers {\n  const headers = new Headers()\n\n  // CSP\n  if (config.contentSecurityPolicy) {\n    const csp = buildCSP(config.contentSecurityPolicy)\n    if (csp) headers.set('Content-Security-Policy', csp)\n  }\n\n  // HSTS\n  if (config.strictTransportSecurity) {\n    headers.set('Strict-Transport-Security', buildHSTS(config.strictTransportSecurity))\n  }\n\n  // X-Frame-Options\n  if (config.xFrameOptions) {\n    headers.set('X-Frame-Options', config.xFrameOptions)\n  }\n\n  // X-Content-Type-Options\n  if (config.xContentTypeOptions) {\n    headers.set('X-Content-Type-Options', 'nosniff')\n  }\n\n  // X-DNS-Prefetch-Control\n  if (config.xDnsPrefetchControl) {\n    headers.set('X-DNS-Prefetch-Control', config.xDnsPrefetchControl)\n  }\n\n  // X-Download-Options\n  if (config.xDownloadOptions) {\n    headers.set('X-Download-Options', 'noopen')\n  }\n\n  // X-Permitted-Cross-Domain-Policies\n  if (config.xPermittedCrossDomainPolicies) {\n    headers.set('X-Permitted-Cross-Domain-Policies', config.xPermittedCrossDomainPolicies)\n  }\n\n  // Referrer-Policy\n  if (config.referrerPolicy) {\n    const value = Array.isArray(config.referrerPolicy)\n      ? config.referrerPolicy.join(', ')\n      : config.referrerPolicy\n    headers.set('Referrer-Policy', value)\n  }\n\n  // COOP\n  if (config.crossOriginOpenerPolicy) {\n    headers.set('Cross-Origin-Opener-Policy', config.crossOriginOpenerPolicy)\n  }\n\n  // COEP\n  if (config.crossOriginEmbedderPolicy) {\n    headers.set('Cross-Origin-Embedder-Policy', config.crossOriginEmbedderPolicy)\n  }\n\n  // CORP\n  if (config.crossOriginResourcePolicy) {\n    headers.set('Cross-Origin-Resource-Policy', config.crossOriginResourcePolicy)\n  }\n\n  // Permissions-Policy\n  if (config.permissionsPolicy) {\n    const pp = buildPermissionsPolicy(config.permissionsPolicy)\n    if (pp) headers.set('Permissions-Policy', pp)\n  }\n\n  // Origin-Agent-Cluster\n  if (config.originAgentCluster) {\n    headers.set('Origin-Agent-Cluster', '?1')\n  }\n\n  return headers\n}\n","import type { NextRequest } from 'next/server'\nimport type { SecurityHeadersConfig, SecurityHeadersPreset } from './types'\nimport { buildHeaders, getPreset, PRESET_STRICT } from './builder'\n\ntype RouteHandler = (req: NextRequest) => Response | Promise<Response>\n\nexport interface WithSecurityHeadersOptions {\n  /** Use a preset configuration */\n  preset?: SecurityHeadersPreset\n\n  /** Custom header configuration (merged with preset if provided) */\n  config?: SecurityHeadersConfig\n\n  /** Override response headers instead of merging */\n  override?: boolean\n}\n\n/**\n * Merge two configs, with custom taking precedence\n */\nfunction mergeConfigs(\n  base: SecurityHeadersConfig,\n  custom: SecurityHeadersConfig\n): SecurityHeadersConfig {\n  return {\n    ...base,\n    ...custom,\n    // Deep merge CSP if both exist\n    contentSecurityPolicy:\n      custom.contentSecurityPolicy === false\n        ? false\n        : custom.contentSecurityPolicy\n          ? base.contentSecurityPolicy\n            ? { ...(base.contentSecurityPolicy as object), ...custom.contentSecurityPolicy }\n            : custom.contentSecurityPolicy\n          : base.contentSecurityPolicy,\n    // Deep merge HSTS if both exist\n    strictTransportSecurity:\n      custom.strictTransportSecurity === false\n        ? false\n        : custom.strictTransportSecurity\n          ? base.strictTransportSecurity\n            ? { ...(base.strictTransportSecurity as object), ...custom.strictTransportSecurity }\n            : custom.strictTransportSecurity\n          : base.strictTransportSecurity,\n    // Deep merge Permissions-Policy if both exist\n    permissionsPolicy:\n      custom.permissionsPolicy === false\n        ? false\n        : custom.permissionsPolicy\n          ? base.permissionsPolicy\n            ? { ...(base.permissionsPolicy as object), ...custom.permissionsPolicy }\n            : custom.permissionsPolicy\n          : base.permissionsPolicy,\n  }\n}\n\n/**\n * Security headers middleware\n *\n * Adds security headers to responses. Use presets for quick setup\n * or provide custom configuration.\n *\n * @example\n * ```typescript\n * // Use strict preset\n * export const GET = withSecurityHeaders(handler, { preset: 'strict' })\n *\n * // Custom config\n * export const GET = withSecurityHeaders(handler, {\n *   config: {\n *     xFrameOptions: 'SAMEORIGIN',\n *     referrerPolicy: 'no-referrer'\n *   }\n * })\n * ```\n */\nexport function withSecurityHeaders(\n  handler: RouteHandler,\n  options: WithSecurityHeadersOptions = {}\n): RouteHandler {\n  const { preset, config, override = false } = options\n\n  // Get base config from preset or default to strict\n  let baseConfig: SecurityHeadersConfig = preset ? getPreset(preset) : PRESET_STRICT\n\n  // Merge with custom config if provided\n  if (config) {\n    baseConfig = mergeConfigs(baseConfig, config)\n  }\n\n  // Pre-build headers for performance\n  const securityHeaders = buildHeaders(baseConfig)\n\n  return async (req: NextRequest): Promise<Response> => {\n    const response = await handler(req)\n\n    // Clone response to modify headers\n    const newHeaders = new Headers(response.headers)\n\n    // Add security headers\n    securityHeaders.forEach((value, key) => {\n      if (override || !newHeaders.has(key)) {\n        newHeaders.set(key, value)\n      }\n    })\n\n    return new Response(response.body, {\n      status: response.status,\n      statusText: response.statusText,\n      headers: newHeaders,\n    })\n  }\n}\n\n/**\n * Create headers object for use in responses\n * Useful when you want to add headers manually\n *\n * @example\n * ```typescript\n * const headers = createSecurityHeaders({ preset: 'api' })\n *\n * return Response.json(data, { headers })\n * ```\n */\nexport function createSecurityHeaders(\n  options: WithSecurityHeadersOptions = {}\n): Headers {\n  const { preset, config } = options\n\n  let baseConfig: SecurityHeadersConfig = preset ? getPreset(preset) : PRESET_STRICT\n\n  if (config) {\n    baseConfig = mergeConfigs(baseConfig, config)\n  }\n\n  return buildHeaders(baseConfig)\n}\n\n/**\n * Create a headers object as a plain object (for Next.js headers())\n */\nexport function createSecurityHeadersObject(\n  options: WithSecurityHeadersOptions = {}\n): Record<string, string> {\n  const headers = createSecurityHeaders(options)\n  const obj: Record<string, string> = {}\n\n  headers.forEach((value, key) => {\n    obj[key] = value\n  })\n\n  return obj\n}\n"]}