nextjs-secure 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (14) hide show
  1. package/README.md +115 -0
  2. package/dist/headers.cjs +277 -7
  3. package/dist/headers.cjs.map +1 -1
  4. package/dist/headers.d.cts +162 -25
  5. package/dist/headers.d.ts +162 -25
  6. package/dist/headers.js +267 -6
  7. package/dist/headers.js.map +1 -1
  8. package/dist/index.cjs +280 -1
  9. package/dist/index.cjs.map +1 -1
  10. package/dist/index.d.cts +2 -1
  11. package/dist/index.d.ts +2 -1
  12. package/dist/index.js +271 -2
  13. package/dist/index.js.map +1 -1
  14. package/package.json +1 -1
package/README.md CHANGED
@@ -52,6 +52,10 @@ pnpm add nextjs-secure
52
52
  - [Client-Side Usage](#client-side-usage)
53
53
  - [Configuration](#configuration-1)
54
54
  - [Manual Validation](#manual-validation)
55
+ - [Security Headers](#security-headers)
56
+ - [Quick Start](#quick-start-1)
57
+ - [Presets](#presets)
58
+ - [Custom Configuration](#custom-configuration)
55
59
  - [Utilities](#utilities)
56
60
  - [API Reference](#api-reference)
57
61
  - [Examples](#examples)
@@ -515,6 +519,117 @@ Set `CSRF_SECRET` in your environment:
515
519
  CSRF_SECRET=your-secret-key-min-32-chars-recommended
516
520
  ```
517
521
 
522
+ ## Security Headers
523
+
524
+ Add security headers to your responses with pre-configured presets or custom configuration.
525
+
526
+ ### Quick Start
527
+
528
+ ```typescript
529
+ import { withSecurityHeaders } from 'nextjs-secure/headers'
530
+
531
+ // Use strict preset (default)
532
+ export const GET = withSecurityHeaders(async (req) => {
533
+ return Response.json({ data: 'protected' })
534
+ })
535
+ ```
536
+
537
+ ### Presets
538
+
539
+ Three presets available: `strict`, `relaxed`, `api`
540
+
541
+ ```typescript
542
+ // Strict: Maximum security (default)
543
+ export const GET = withSecurityHeaders(handler, { preset: 'strict' })
544
+
545
+ // Relaxed: Development-friendly, allows inline scripts
546
+ export const GET = withSecurityHeaders(handler, { preset: 'relaxed' })
547
+
548
+ // API: Optimized for JSON APIs
549
+ export const GET = withSecurityHeaders(handler, { preset: 'api' })
550
+ ```
551
+
552
+ ### Custom Configuration
553
+
554
+ ```typescript
555
+ import { withSecurityHeaders } from 'nextjs-secure/headers'
556
+
557
+ export const GET = withSecurityHeaders(handler, {
558
+ config: {
559
+ // Content-Security-Policy
560
+ contentSecurityPolicy: {
561
+ defaultSrc: ["'self'"],
562
+ scriptSrc: ["'self'", "'unsafe-inline'"],
563
+ styleSrc: ["'self'", "'unsafe-inline'"],
564
+ imgSrc: ["'self'", 'data:', 'https:'],
565
+ },
566
+
567
+ // Strict-Transport-Security
568
+ strictTransportSecurity: {
569
+ maxAge: 31536000,
570
+ includeSubDomains: true,
571
+ preload: true,
572
+ },
573
+
574
+ // Other headers
575
+ xFrameOptions: 'DENY', // or 'SAMEORIGIN'
576
+ xContentTypeOptions: true, // X-Content-Type-Options: nosniff
577
+ referrerPolicy: 'strict-origin-when-cross-origin',
578
+
579
+ // Cross-Origin headers
580
+ crossOriginOpenerPolicy: 'same-origin',
581
+ crossOriginEmbedderPolicy: 'require-corp',
582
+ crossOriginResourcePolicy: 'same-origin',
583
+
584
+ // Permissions-Policy (disable features)
585
+ permissionsPolicy: {
586
+ camera: [],
587
+ microphone: [],
588
+ geolocation: [],
589
+ },
590
+ }
591
+ })
592
+ ```
593
+
594
+ ### Disable Specific Headers
595
+
596
+ ```typescript
597
+ export const GET = withSecurityHeaders(handler, {
598
+ config: {
599
+ contentSecurityPolicy: false, // Disable CSP
600
+ xFrameOptions: false, // Disable X-Frame-Options
601
+ }
602
+ })
603
+ ```
604
+
605
+ ### Manual Header Creation
606
+
607
+ ```typescript
608
+ import { createSecurityHeaders } from 'nextjs-secure/headers'
609
+
610
+ export async function GET() {
611
+ const headers = createSecurityHeaders({ preset: 'api' })
612
+
613
+ return new Response(JSON.stringify({ ok: true }), {
614
+ headers,
615
+ })
616
+ }
617
+ ```
618
+
619
+ ### Available Headers
620
+
621
+ | Header | Description |
622
+ |--------|-------------|
623
+ | Content-Security-Policy | Controls resources the page can load |
624
+ | Strict-Transport-Security | Forces HTTPS connections |
625
+ | X-Frame-Options | Prevents clickjacking |
626
+ | X-Content-Type-Options | Prevents MIME sniffing |
627
+ | Referrer-Policy | Controls referrer information |
628
+ | Permissions-Policy | Disables browser features |
629
+ | Cross-Origin-Opener-Policy | Isolates browsing context |
630
+ | Cross-Origin-Embedder-Policy | Controls embedding |
631
+ | Cross-Origin-Resource-Policy | Controls resource sharing |
632
+
518
633
  ## Utilities
519
634
 
520
635
  ### Duration Parsing
package/dist/headers.cjs CHANGED
@@ -1,14 +1,284 @@
1
1
  'use strict';
2
2
 
3
- // src/middleware/headers/index.ts
4
- function securityHeaders() {
5
- throw new Error("Security headers coming soon in v0.2.0");
3
+ // src/middleware/headers/builder.ts
4
+ function buildCSP(policy) {
5
+ const directives = [];
6
+ const directiveMap = {
7
+ defaultSrc: "default-src",
8
+ scriptSrc: "script-src",
9
+ styleSrc: "style-src",
10
+ imgSrc: "img-src",
11
+ fontSrc: "font-src",
12
+ connectSrc: "connect-src",
13
+ mediaSrc: "media-src",
14
+ objectSrc: "object-src",
15
+ frameSrc: "frame-src",
16
+ childSrc: "child-src",
17
+ workerSrc: "worker-src",
18
+ frameAncestors: "frame-ancestors",
19
+ formAction: "form-action",
20
+ baseUri: "base-uri",
21
+ manifestSrc: "manifest-src",
22
+ reportUri: "report-uri",
23
+ reportTo: "report-to"
24
+ };
25
+ for (const [key, directive] of Object.entries(directiveMap)) {
26
+ const value = policy[key];
27
+ if (value !== void 0 && value !== false) {
28
+ if (Array.isArray(value)) {
29
+ directives.push(`${directive} ${value.join(" ")}`);
30
+ } else if (typeof value === "string") {
31
+ directives.push(`${directive} ${value}`);
32
+ }
33
+ }
34
+ }
35
+ if (policy.upgradeInsecureRequests) {
36
+ directives.push("upgrade-insecure-requests");
37
+ }
38
+ if (policy.blockAllMixedContent) {
39
+ directives.push("block-all-mixed-content");
40
+ }
41
+ return directives.join("; ");
6
42
  }
7
- function createCsp() {
8
- throw new Error("Security headers coming soon in v0.2.0");
43
+ function buildHSTS(config) {
44
+ let value = `max-age=${config.maxAge}`;
45
+ if (config.includeSubDomains) {
46
+ value += "; includeSubDomains";
47
+ }
48
+ if (config.preload) {
49
+ value += "; preload";
50
+ }
51
+ return value;
52
+ }
53
+ function buildPermissionsPolicy(policy) {
54
+ const directives = [];
55
+ const featureMap = {
56
+ accelerometer: "accelerometer",
57
+ ambientLightSensor: "ambient-light-sensor",
58
+ autoplay: "autoplay",
59
+ battery: "battery",
60
+ camera: "camera",
61
+ displayCapture: "display-capture",
62
+ documentDomain: "document-domain",
63
+ encryptedMedia: "encrypted-media",
64
+ fullscreen: "fullscreen",
65
+ geolocation: "geolocation",
66
+ gyroscope: "gyroscope",
67
+ magnetometer: "magnetometer",
68
+ microphone: "microphone",
69
+ midi: "midi",
70
+ payment: "payment",
71
+ pictureInPicture: "picture-in-picture",
72
+ publicKeyCredentialsGet: "publickey-credentials-get",
73
+ screenWakeLock: "screen-wake-lock",
74
+ syncXhr: "sync-xhr",
75
+ usb: "usb",
76
+ webShare: "web-share",
77
+ xrSpatialTracking: "xr-spatial-tracking"
78
+ };
79
+ for (const [key, feature] of Object.entries(featureMap)) {
80
+ const origins = policy[key];
81
+ if (origins !== void 0) {
82
+ if (origins.length === 0) {
83
+ directives.push(`${feature}=()`);
84
+ } else {
85
+ const formatted = origins.map((o) => o === "self" ? "self" : `"${o}"`).join(" ");
86
+ directives.push(`${feature}=(${formatted})`);
87
+ }
88
+ }
89
+ }
90
+ return directives.join(", ");
91
+ }
92
+ var PRESET_STRICT = {
93
+ contentSecurityPolicy: {
94
+ defaultSrc: ["'self'"],
95
+ scriptSrc: ["'self'"],
96
+ styleSrc: ["'self'"],
97
+ imgSrc: ["'self'", "data:"],
98
+ fontSrc: ["'self'"],
99
+ objectSrc: ["'none'"],
100
+ frameAncestors: ["'none'"],
101
+ formAction: ["'self'"],
102
+ baseUri: ["'self'"],
103
+ upgradeInsecureRequests: true
104
+ },
105
+ strictTransportSecurity: {
106
+ maxAge: 31536e3,
107
+ // 1 year
108
+ includeSubDomains: true,
109
+ preload: true
110
+ },
111
+ xFrameOptions: "DENY",
112
+ xContentTypeOptions: true,
113
+ xDnsPrefetchControl: "off",
114
+ xDownloadOptions: true,
115
+ xPermittedCrossDomainPolicies: "none",
116
+ referrerPolicy: "strict-origin-when-cross-origin",
117
+ crossOriginOpenerPolicy: "same-origin",
118
+ crossOriginEmbedderPolicy: "require-corp",
119
+ crossOriginResourcePolicy: "same-origin",
120
+ permissionsPolicy: {
121
+ camera: [],
122
+ microphone: [],
123
+ geolocation: [],
124
+ payment: []
125
+ },
126
+ originAgentCluster: true
127
+ };
128
+ var PRESET_RELAXED = {
129
+ contentSecurityPolicy: {
130
+ defaultSrc: ["'self'"],
131
+ scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
132
+ styleSrc: ["'self'", "'unsafe-inline'"],
133
+ imgSrc: ["'self'", "data:", "blob:", "https:"],
134
+ fontSrc: ["'self'", "https:", "data:"],
135
+ connectSrc: ["'self'", "https:", "wss:"],
136
+ frameSrc: ["'self'"]
137
+ },
138
+ strictTransportSecurity: {
139
+ maxAge: 86400,
140
+ // 1 day
141
+ includeSubDomains: false
142
+ },
143
+ xFrameOptions: "SAMEORIGIN",
144
+ xContentTypeOptions: true,
145
+ referrerPolicy: "no-referrer-when-downgrade"
146
+ };
147
+ var PRESET_API = {
148
+ contentSecurityPolicy: {
149
+ defaultSrc: ["'none'"],
150
+ frameAncestors: ["'none'"]
151
+ },
152
+ strictTransportSecurity: {
153
+ maxAge: 31536e3,
154
+ includeSubDomains: true
155
+ },
156
+ xFrameOptions: "DENY",
157
+ xContentTypeOptions: true,
158
+ referrerPolicy: "no-referrer",
159
+ crossOriginResourcePolicy: "same-origin"
160
+ };
161
+ function getPreset(name) {
162
+ switch (name) {
163
+ case "strict":
164
+ return PRESET_STRICT;
165
+ case "relaxed":
166
+ return PRESET_RELAXED;
167
+ case "api":
168
+ return PRESET_API;
169
+ default:
170
+ return PRESET_STRICT;
171
+ }
172
+ }
173
+ function buildHeaders(config) {
174
+ const headers = new Headers();
175
+ if (config.contentSecurityPolicy) {
176
+ const csp = buildCSP(config.contentSecurityPolicy);
177
+ if (csp) headers.set("Content-Security-Policy", csp);
178
+ }
179
+ if (config.strictTransportSecurity) {
180
+ headers.set("Strict-Transport-Security", buildHSTS(config.strictTransportSecurity));
181
+ }
182
+ if (config.xFrameOptions) {
183
+ headers.set("X-Frame-Options", config.xFrameOptions);
184
+ }
185
+ if (config.xContentTypeOptions) {
186
+ headers.set("X-Content-Type-Options", "nosniff");
187
+ }
188
+ if (config.xDnsPrefetchControl) {
189
+ headers.set("X-DNS-Prefetch-Control", config.xDnsPrefetchControl);
190
+ }
191
+ if (config.xDownloadOptions) {
192
+ headers.set("X-Download-Options", "noopen");
193
+ }
194
+ if (config.xPermittedCrossDomainPolicies) {
195
+ headers.set("X-Permitted-Cross-Domain-Policies", config.xPermittedCrossDomainPolicies);
196
+ }
197
+ if (config.referrerPolicy) {
198
+ const value = Array.isArray(config.referrerPolicy) ? config.referrerPolicy.join(", ") : config.referrerPolicy;
199
+ headers.set("Referrer-Policy", value);
200
+ }
201
+ if (config.crossOriginOpenerPolicy) {
202
+ headers.set("Cross-Origin-Opener-Policy", config.crossOriginOpenerPolicy);
203
+ }
204
+ if (config.crossOriginEmbedderPolicy) {
205
+ headers.set("Cross-Origin-Embedder-Policy", config.crossOriginEmbedderPolicy);
206
+ }
207
+ if (config.crossOriginResourcePolicy) {
208
+ headers.set("Cross-Origin-Resource-Policy", config.crossOriginResourcePolicy);
209
+ }
210
+ if (config.permissionsPolicy) {
211
+ const pp = buildPermissionsPolicy(config.permissionsPolicy);
212
+ if (pp) headers.set("Permissions-Policy", pp);
213
+ }
214
+ if (config.originAgentCluster) {
215
+ headers.set("Origin-Agent-Cluster", "?1");
216
+ }
217
+ return headers;
218
+ }
219
+
220
+ // src/middleware/headers/middleware.ts
221
+ function mergeConfigs(base, custom) {
222
+ return {
223
+ ...base,
224
+ ...custom,
225
+ // Deep merge CSP if both exist
226
+ contentSecurityPolicy: custom.contentSecurityPolicy === false ? false : custom.contentSecurityPolicy ? base.contentSecurityPolicy ? { ...base.contentSecurityPolicy, ...custom.contentSecurityPolicy } : custom.contentSecurityPolicy : base.contentSecurityPolicy,
227
+ // Deep merge HSTS if both exist
228
+ strictTransportSecurity: custom.strictTransportSecurity === false ? false : custom.strictTransportSecurity ? base.strictTransportSecurity ? { ...base.strictTransportSecurity, ...custom.strictTransportSecurity } : custom.strictTransportSecurity : base.strictTransportSecurity,
229
+ // Deep merge Permissions-Policy if both exist
230
+ permissionsPolicy: custom.permissionsPolicy === false ? false : custom.permissionsPolicy ? base.permissionsPolicy ? { ...base.permissionsPolicy, ...custom.permissionsPolicy } : custom.permissionsPolicy : base.permissionsPolicy
231
+ };
232
+ }
233
+ function withSecurityHeaders(handler, options = {}) {
234
+ const { preset, config, override = false } = options;
235
+ let baseConfig = preset ? getPreset(preset) : PRESET_STRICT;
236
+ if (config) {
237
+ baseConfig = mergeConfigs(baseConfig, config);
238
+ }
239
+ const securityHeaders = buildHeaders(baseConfig);
240
+ return async (req) => {
241
+ const response = await handler(req);
242
+ const newHeaders = new Headers(response.headers);
243
+ securityHeaders.forEach((value, key) => {
244
+ if (override || !newHeaders.has(key)) {
245
+ newHeaders.set(key, value);
246
+ }
247
+ });
248
+ return new Response(response.body, {
249
+ status: response.status,
250
+ statusText: response.statusText,
251
+ headers: newHeaders
252
+ });
253
+ };
254
+ }
255
+ function createSecurityHeaders(options = {}) {
256
+ const { preset, config } = options;
257
+ let baseConfig = preset ? getPreset(preset) : PRESET_STRICT;
258
+ if (config) {
259
+ baseConfig = mergeConfigs(baseConfig, config);
260
+ }
261
+ return buildHeaders(baseConfig);
262
+ }
263
+ function createSecurityHeadersObject(options = {}) {
264
+ const headers = createSecurityHeaders(options);
265
+ const obj = {};
266
+ headers.forEach((value, key) => {
267
+ obj[key] = value;
268
+ });
269
+ return obj;
9
270
  }
10
271
 
11
- exports.createCsp = createCsp;
12
- exports.securityHeaders = securityHeaders;
272
+ exports.PRESET_API = PRESET_API;
273
+ exports.PRESET_RELAXED = PRESET_RELAXED;
274
+ exports.PRESET_STRICT = PRESET_STRICT;
275
+ exports.buildCSP = buildCSP;
276
+ exports.buildHSTS = buildHSTS;
277
+ exports.buildHeaders = buildHeaders;
278
+ exports.buildPermissionsPolicy = buildPermissionsPolicy;
279
+ exports.createSecurityHeaders = createSecurityHeaders;
280
+ exports.createSecurityHeadersObject = createSecurityHeadersObject;
281
+ exports.getPreset = getPreset;
282
+ exports.withSecurityHeaders = withSecurityHeaders;
13
283
  //# sourceMappingURL=headers.cjs.map
14
284
  //# sourceMappingURL=headers.cjs.map
package/dist/headers.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/middleware/headers/index.ts"],"names":[],"mappings":";;;AAiCO,SAAS,eAAA,GAAkB;AAChC,EAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAC1D;AAEO,SAAS,SAAA,GAAY;AAC1B,EAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAC1D","file":"headers.cjs","sourcesContent":["/**\n * Security Headers Middleware (Coming Soon)\n *\n * @example\n * ```typescript\n * // next.config.js\n * import { securityHeaders } from 'next-secure/headers'\n *\n * export default {\n * async headers() {\n * return [\n * {\n * source: '/:path*',\n * headers: securityHeaders({\n * contentSecurityPolicy: {\n * directives: {\n * defaultSrc: [\"'self'\"],\n * scriptSrc: [\"'self'\", \"'unsafe-inline'\"],\n * }\n * },\n * strictTransportSecurity: true,\n * xFrameOptions: 'DENY',\n * })\n * }\n * ]\n * }\n * }\n * ```\n *\n * @packageDocumentation\n */\n\n// Placeholder for security headers\nexport function securityHeaders() {\n throw new Error('Security headers coming soon in v0.2.0')\n}\n\nexport function createCsp() {\n throw new Error('Security headers coming soon in v0.2.0')\n}\n"]}
1
+ {"version":3,"sources":["../src/middleware/headers/builder.ts","../src/middleware/headers/middleware.ts"],"names":[],"mappings":";;;AAWO,SAAS,SAAS,MAAA,EAAuC;AAC9D,EAAA,MAAM,aAAuB,EAAC;AAE9B,EAAA,MAAM,YAAA,GAAuC;AAAA,IAC3C,UAAA,EAAY,aAAA;AAAA,IACZ,SAAA,EAAW,YAAA;AAAA,IACX,QAAA,EAAU,WAAA;AAAA,IACV,MAAA,EAAQ,SAAA;AAAA,IACR,OAAA,EAAS,UAAA;AAAA,IACT,UAAA,EAAY,aAAA;AAAA,IACZ,QAAA,EAAU,WAAA;AAAA,IACV,SAAA,EAAW,YAAA;AAAA,IACX,QAAA,EAAU,WAAA;AAAA,IACV,QAAA,EAAU,WAAA;AAAA,IACV,SAAA,EAAW,YAAA;AAAA,IACX,cAAA,EAAgB,iBAAA;AAAA,IAChB,UAAA,EAAY,aAAA;AAAA,IACZ,OAAA,EAAS,UAAA;AAAA,IACT,WAAA,EAAa,cAAA;AAAA,IACb,SAAA,EAAW,YAAA;AAAA,IACX,QAAA,EAAU;AAAA,GACZ;AAEA,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,SAAS,KAAK,MAAA,CAAO,OAAA,CAAQ,YAAY,CAAA,EAAG;AAC3D,IAAA,MAAM,KAAA,GAAQ,OAAO,GAAkC,CAAA;AACvD,IAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,KAAA,EAAO;AAC1C,MAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,QAAA,UAAA,CAAW,IAAA,CAAK,GAAG,SAAS,CAAA,CAAA,EAAI,MAAM,IAAA,CAAK,GAAG,CAAC,CAAA,CAAE,CAAA;AAAA,MACnD,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,QAAA,UAAA,CAAW,IAAA,CAAK,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AAEA,EAAA,IAAI,OAAO,uBAAA,EAAyB;AAClC,IAAA,UAAA,CAAW,KAAK,2BAA2B,CAAA;AAAA,EAC7C;AAEA,EAAA,IAAI,OAAO,oBAAA,EAAsB;AAC/B,IAAA,UAAA,CAAW,KAAK,yBAAyB,CAAA;AAAA,EAC3C;AAEA,EAAA,OAAO,UAAA,CAAW,KAAK,IAAI,CAAA;AAC7B;AAKO,SAAS,UAAU,MAAA,EAAyC;AACjE,EAAA,IAAI,KAAA,GAAQ,CAAA,QAAA,EAAW,MAAA,CAAO,MAAM,CAAA,CAAA;AAEpC,EAAA,IAAI,OAAO,iBAAA,EAAmB;AAC5B,IAAA,KAAA,IAAS,qBAAA;AAAA,EACX;AAEA,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,KAAA,IAAS,WAAA;AAAA,EACX;AAEA,EAAA,OAAO,KAAA;AACT;AAKO,SAAS,uBAAuB,MAAA,EAAmC;AACxE,EAAA,MAAM,aAAuB,EAAC;AAE9B,EAAA,MAAM,UAAA,GAAqC;AAAA,IACzC,aAAA,EAAe,eAAA;AAAA,IACf,kBAAA,EAAoB,sBAAA;AAAA,IACpB,QAAA,EAAU,UAAA;AAAA,IACV,OAAA,EAAS,SAAA;AAAA,IACT,MAAA,EAAQ,QAAA;AAAA,IACR,cAAA,EAAgB,iBAAA;AAAA,IAChB,cAAA,EAAgB,iBAAA;AAAA,IAChB,cAAA,EAAgB,iBAAA;AAAA,IAChB,UAAA,EAAY,YAAA;AAAA,IACZ,WAAA,EAAa,aAAA;AAAA,IACb,SAAA,EAAW,WAAA;AAAA,IACX,YAAA,EAAc,cAAA;AAAA,IACd,UAAA,EAAY,YAAA;AAAA,IACZ,IAAA,EAAM,MAAA;AAAA,IACN,OAAA,EAAS,SAAA;AAAA,IACT,gBAAA,EAAkB,oBAAA;AAAA,IAClB,uBAAA,EAAyB,2BAAA;AAAA,IACzB,cAAA,EAAgB,kBAAA;AAAA,IAChB,OAAA,EAAS,UAAA;AAAA,IACT,GAAA,EAAK,KAAA;AAAA,IACL,QAAA,EAAU,WAAA;AAAA,IACV,iBAAA,EAAmB;AAAA,GACrB;AAEA,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,OAAO,KAAK,MAAA,CAAO,OAAA,CAAQ,UAAU,CAAA,EAAG;AACvD,IAAA,MAAM,OAAA,GAAU,OAAO,GAA8B,CAAA;AACrD,IAAA,IAAI,YAAY,MAAA,EAAW;AACzB,MAAA,IAAI,OAAA,CAAQ,WAAW,CAAA,EAAG;AACxB,QAAA,UAAA,CAAW,IAAA,CAAK,CAAA,EAAG,OAAO,CAAA,GAAA,CAAK,CAAA;AAAA,MACjC,CAAA,MAAO;AACL,QAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,GAAA,CAAI,CAAC,CAAA,KAAO,CAAA,KAAM,MAAA,GAAS,MAAA,GAAS,CAAA,CAAA,EAAI,CAAC,CAAA,CAAA,CAAI,CAAA,CAAE,KAAK,GAAG,CAAA;AACjF,QAAA,UAAA,CAAW,IAAA,CAAK,CAAA,EAAG,OAAO,CAAA,EAAA,EAAK,SAAS,CAAA,CAAA,CAAG,CAAA;AAAA,MAC7C;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,UAAA,CAAW,KAAK,IAAI,CAAA;AAC7B;AAKO,IAAM,aAAA,GAAuC;AAAA,EAClD,qBAAA,EAAuB;AAAA,IACrB,UAAA,EAAY,CAAC,QAAQ,CAAA;AAAA,IACrB,SAAA,EAAW,CAAC,QAAQ,CAAA;AAAA,IACpB,QAAA,EAAU,CAAC,QAAQ,CAAA;AAAA,IACnB,MAAA,EAAQ,CAAC,QAAA,EAAU,OAAO,CAAA;AAAA,IAC1B,OAAA,EAAS,CAAC,QAAQ,CAAA;AAAA,IAClB,SAAA,EAAW,CAAC,QAAQ,CAAA;AAAA,IACpB,cAAA,EAAgB,CAAC,QAAQ,CAAA;AAAA,IACzB,UAAA,EAAY,CAAC,QAAQ,CAAA;AAAA,IACrB,OAAA,EAAS,CAAC,QAAQ,CAAA;AAAA,IAClB,uBAAA,EAAyB;AAAA,GAC3B;AAAA,EACA,uBAAA,EAAyB;AAAA,IACvB,MAAA,EAAQ,OAAA;AAAA;AAAA,IACR,iBAAA,EAAmB,IAAA;AAAA,IACnB,OAAA,EAAS;AAAA,GACX;AAAA,EACA,aAAA,EAAe,MAAA;AAAA,EACf,mBAAA,EAAqB,IAAA;AAAA,EACrB,mBAAA,EAAqB,KAAA;AAAA,EACrB,gBAAA,EAAkB,IAAA;AAAA,EAClB,6BAAA,EAA+B,MAAA;AAAA,EAC/B,cAAA,EAAgB,iCAAA;AAAA,EAChB,uBAAA,EAAyB,aAAA;AAAA,EACzB,yBAAA,EAA2B,cAAA;AAAA,EAC3B,yBAAA,EAA2B,aAAA;AAAA,EAC3B,iBAAA,EAAmB;AAAA,IACjB,QAAQ,EAAC;AAAA,IACT,YAAY,EAAC;AAAA,IACb,aAAa,EAAC;AAAA,IACd,SAAS;AAAC,GACZ;AAAA,EACA,kBAAA,EAAoB;AACtB;AAKO,IAAM,cAAA,GAAwC;AAAA,EACnD,qBAAA,EAAuB;AAAA,IACrB,UAAA,EAAY,CAAC,QAAQ,CAAA;AAAA,IACrB,SAAA,EAAW,CAAC,QAAA,EAAU,iBAAA,EAAmB,eAAe,CAAA;AAAA,IACxD,QAAA,EAAU,CAAC,QAAA,EAAU,iBAAiB,CAAA;AAAA,IACtC,MAAA,EAAQ,CAAC,QAAA,EAAU,OAAA,EAAS,SAAS,QAAQ,CAAA;AAAA,IAC7C,OAAA,EAAS,CAAC,QAAA,EAAU,QAAA,EAAU,OAAO,CAAA;AAAA,IACrC,UAAA,EAAY,CAAC,QAAA,EAAU,QAAA,EAAU,MAAM,CAAA;AAAA,IACvC,QAAA,EAAU,CAAC,QAAQ;AAAA,GACrB;AAAA,EACA,uBAAA,EAAyB;AAAA,IACvB,MAAA,EAAQ,KAAA;AAAA;AAAA,IACR,iBAAA,EAAmB;AAAA,GACrB;AAAA,EACA,aAAA,EAAe,YAAA;AAAA,EACf,mBAAA,EAAqB,IAAA;AAAA,EACrB,cAAA,EAAgB;AAClB;AAKO,IAAM,UAAA,GAAoC;AAAA,EAC/C,qBAAA,EAAuB;AAAA,IACrB,UAAA,EAAY,CAAC,QAAQ,CAAA;AAAA,IACrB,cAAA,EAAgB,CAAC,QAAQ;AAAA,GAC3B;AAAA,EACA,uBAAA,EAAyB;AAAA,IACvB,MAAA,EAAQ,OAAA;AAAA,IACR,iBAAA,EAAmB;AAAA,GACrB;AAAA,EACA,aAAA,EAAe,MAAA;AAAA,EACf,mBAAA,EAAqB,IAAA;AAAA,EACrB,cAAA,EAAgB,aAAA;AAAA,EAChB,yBAAA,EAA2B;AAC7B;AAKO,SAAS,UAAU,IAAA,EAAoD;AAC5E,EAAA,QAAQ,IAAA;AAAM,IACZ,KAAK,QAAA;AACH,MAAA,OAAO,aAAA;AAAA,IACT,KAAK,SAAA;AACH,MAAA,OAAO,cAAA;AAAA,IACT,KAAK,KAAA;AACH,MAAA,OAAO,UAAA;AAAA,IACT;AACE,MAAA,OAAO,aAAA;AAAA;AAEb;AAKO,SAAS,aAAa,MAAA,EAAwC;AACnE,EAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAG5B,EAAA,IAAI,OAAO,qBAAA,EAAuB;AAChC,IAAA,MAAM,GAAA,GAAM,QAAA,CAAS,MAAA,CAAO,qBAAqB,CAAA;AACjD,IAAA,IAAI,GAAA,EAAK,OAAA,CAAQ,GAAA,CAAI,yBAAA,EAA2B,GAAG,CAAA;AAAA,EACrD;AAGA,EAAA,IAAI,OAAO,uBAAA,EAAyB;AAClC,IAAA,OAAA,CAAQ,GAAA,CAAI,2BAAA,EAA6B,SAAA,CAAU,MAAA,CAAO,uBAAuB,CAAC,CAAA;AAAA,EACpF;AAGA,EAAA,IAAI,OAAO,aAAA,EAAe;AACxB,IAAA,OAAA,CAAQ,GAAA,CAAI,iBAAA,EAAmB,MAAA,CAAO,aAAa,CAAA;AAAA,EACrD;AAGA,EAAA,IAAI,OAAO,mBAAA,EAAqB;AAC9B,IAAA,OAAA,CAAQ,GAAA,CAAI,0BAA0B,SAAS,CAAA;AAAA,EACjD;AAGA,EAAA,IAAI,OAAO,mBAAA,EAAqB;AAC9B,IAAA,OAAA,CAAQ,GAAA,CAAI,wBAAA,EAA0B,MAAA,CAAO,mBAAmB,CAAA;AAAA,EAClE;AAGA,EAAA,IAAI,OAAO,gBAAA,EAAkB;AAC3B,IAAA,OAAA,CAAQ,GAAA,CAAI,sBAAsB,QAAQ,CAAA;AAAA,EAC5C;AAGA,EAAA,IAAI,OAAO,6BAAA,EAA+B;AACxC,IAAA,OAAA,CAAQ,GAAA,CAAI,mCAAA,EAAqC,MAAA,CAAO,6BAA6B,CAAA;AAAA,EACvF;AAGA,EAAA,IAAI,OAAO,cAAA,EAAgB;AACzB,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,MAAA,CAAO,cAAc,CAAA,GAC7C,MAAA,CAAO,cAAA,CAAe,IAAA,CAAK,IAAI,CAAA,GAC/B,MAAA,CAAO,cAAA;AACX,IAAA,OAAA,CAAQ,GAAA,CAAI,mBAAmB,KAAK,CAAA;AAAA,EACtC;AAGA,EAAA,IAAI,OAAO,uBAAA,EAAyB;AAClC,IAAA,OAAA,CAAQ,GAAA,CAAI,4BAAA,EAA8B,MAAA,CAAO,uBAAuB,CAAA;AAAA,EAC1E;AAGA,EAAA,IAAI,OAAO,yBAAA,EAA2B;AACpC,IAAA,OAAA,CAAQ,GAAA,CAAI,8BAAA,EAAgC,MAAA,CAAO,yBAAyB,CAAA;AAAA,EAC9E;AAGA,EAAA,IAAI,OAAO,yBAAA,EAA2B;AACpC,IAAA,OAAA,CAAQ,GAAA,CAAI,8BAAA,EAAgC,MAAA,CAAO,yBAAyB,CAAA;AAAA,EAC9E;AAGA,EAAA,IAAI,OAAO,iBAAA,EAAmB;AAC5B,IAAA,MAAM,EAAA,GAAK,sBAAA,CAAuB,MAAA,CAAO,iBAAiB,CAAA;AAC1D,IAAA,IAAI,EAAA,EAAI,OAAA,CAAQ,GAAA,CAAI,oBAAA,EAAsB,EAAE,CAAA;AAAA,EAC9C;AAGA,EAAA,IAAI,OAAO,kBAAA,EAAoB;AAC7B,IAAA,OAAA,CAAQ,GAAA,CAAI,wBAAwB,IAAI,CAAA;AAAA,EAC1C;AAEA,EAAA,OAAO,OAAA;AACT;;;AC/QA,SAAS,YAAA,CACP,MACA,MAAA,EACuB;AACvB,EAAA,OAAO;AAAA,IACL,GAAG,IAAA;AAAA,IACH,GAAG,MAAA;AAAA;AAAA,IAEH,uBACE,MAAA,CAAO,qBAAA,KAA0B,QAC7B,KAAA,GACA,MAAA,CAAO,wBACL,IAAA,CAAK,qBAAA,GACH,EAAE,GAAI,IAAA,CAAK,uBAAkC,GAAG,MAAA,CAAO,uBAAsB,GAC7E,MAAA,CAAO,wBACT,IAAA,CAAK,qBAAA;AAAA;AAAA,IAEb,yBACE,MAAA,CAAO,uBAAA,KAA4B,QAC/B,KAAA,GACA,MAAA,CAAO,0BACL,IAAA,CAAK,uBAAA,GACH,EAAE,GAAI,IAAA,CAAK,yBAAoC,GAAG,MAAA,CAAO,yBAAwB,GACjF,MAAA,CAAO,0BACT,IAAA,CAAK,uBAAA;AAAA;AAAA,IAEb,mBACE,MAAA,CAAO,iBAAA,KAAsB,QACzB,KAAA,GACA,MAAA,CAAO,oBACL,IAAA,CAAK,iBAAA,GACH,EAAE,GAAI,IAAA,CAAK,mBAA8B,GAAG,MAAA,CAAO,mBAAkB,GACrE,MAAA,CAAO,oBACT,IAAA,CAAK;AAAA,GACf;AACF;AAsBO,SAAS,mBAAA,CACd,OAAA,EACA,OAAA,GAAsC,EAAC,EACzB;AACd,EAAA,MAAM,EAAE,MAAA,EAAQ,MAAA,EAAQ,QAAA,GAAW,OAAM,GAAI,OAAA;AAG7C,EAAA,IAAI,UAAA,GAAoC,MAAA,GAAS,SAAA,CAAU,MAAM,CAAA,GAAI,aAAA;AAGrE,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,UAAA,GAAa,YAAA,CAAa,YAAY,MAAM,CAAA;AAAA,EAC9C;AAGA,EAAA,MAAM,eAAA,GAAkB,aAAa,UAAU,CAAA;AAE/C,EAAA,OAAO,OAAO,GAAA,KAAwC;AACpD,IAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,GAAG,CAAA;AAGlC,IAAA,MAAM,UAAA,GAAa,IAAI,OAAA,CAAQ,QAAA,CAAS,OAAO,CAAA;AAG/C,IAAA,eAAA,CAAgB,OAAA,CAAQ,CAAC,KAAA,EAAO,GAAA,KAAQ;AACtC,MAAA,IAAI,QAAA,IAAY,CAAC,UAAA,CAAW,GAAA,CAAI,GAAG,CAAA,EAAG;AACpC,QAAA,UAAA,CAAW,GAAA,CAAI,KAAK,KAAK,CAAA;AAAA,MAC3B;AAAA,IACF,CAAC,CAAA;AAED,IAAA,OAAO,IAAI,QAAA,CAAS,QAAA,CAAS,IAAA,EAAM;AAAA,MACjC,QAAQ,QAAA,CAAS,MAAA;AAAA,MACjB,YAAY,QAAA,CAAS,UAAA;AAAA,MACrB,OAAA,EAAS;AAAA,KACV,CAAA;AAAA,EACH,CAAA;AACF;AAaO,SAAS,qBAAA,CACd,OAAA,GAAsC,EAAC,EAC9B;AACT,EAAA,MAAM,EAAE,MAAA,EAAQ,MAAA,EAAO,GAAI,OAAA;AAE3B,EAAA,IAAI,UAAA,GAAoC,MAAA,GAAS,SAAA,CAAU,MAAM,CAAA,GAAI,aAAA;AAErE,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,UAAA,GAAa,YAAA,CAAa,YAAY,MAAM,CAAA;AAAA,EAC9C;AAEA,EAAA,OAAO,aAAa,UAAU,CAAA;AAChC;AAKO,SAAS,2BAAA,CACd,OAAA,GAAsC,EAAC,EACf;AACxB,EAAA,MAAM,OAAA,GAAU,sBAAsB,OAAO,CAAA;AAC7C,EAAA,MAAM,MAA8B,EAAC;AAErC,EAAA,OAAA,CAAQ,OAAA,CAAQ,CAAC,KAAA,EAAO,GAAA,KAAQ;AAC9B,IAAA,GAAA,CAAI,GAAG,CAAA,GAAI,KAAA;AAAA,EACb,CAAC,CAAA;AAED,EAAA,OAAO,GAAA;AACT","file":"headers.cjs","sourcesContent":["import type {\n ContentSecurityPolicy,\n StrictTransportSecurity,\n PermissionsPolicy,\n SecurityHeadersConfig,\n SecurityHeadersPreset,\n} from './types'\n\n/**\n * Build CSP header string from config\n */\nexport function buildCSP(policy: ContentSecurityPolicy): string {\n const directives: string[] = []\n\n const directiveMap: Record<string, string> = {\n defaultSrc: 'default-src',\n scriptSrc: 'script-src',\n styleSrc: 'style-src',\n imgSrc: 'img-src',\n fontSrc: 'font-src',\n connectSrc: 'connect-src',\n mediaSrc: 'media-src',\n objectSrc: 'object-src',\n frameSrc: 'frame-src',\n childSrc: 'child-src',\n workerSrc: 'worker-src',\n frameAncestors: 'frame-ancestors',\n formAction: 'form-action',\n baseUri: 'base-uri',\n manifestSrc: 'manifest-src',\n reportUri: 'report-uri',\n reportTo: 'report-to',\n }\n\n for (const [key, directive] of Object.entries(directiveMap)) {\n const value = policy[key as keyof ContentSecurityPolicy]\n if (value !== undefined && value !== false) {\n if (Array.isArray(value)) {\n directives.push(`${directive} ${value.join(' ')}`)\n } else if (typeof value === 'string') {\n directives.push(`${directive} ${value}`)\n }\n }\n }\n\n if (policy.upgradeInsecureRequests) {\n directives.push('upgrade-insecure-requests')\n }\n\n if (policy.blockAllMixedContent) {\n directives.push('block-all-mixed-content')\n }\n\n return directives.join('; ')\n}\n\n/**\n * Build HSTS header string\n */\nexport function buildHSTS(config: StrictTransportSecurity): string {\n let value = `max-age=${config.maxAge}`\n\n if (config.includeSubDomains) {\n value += '; includeSubDomains'\n }\n\n if (config.preload) {\n value += '; preload'\n }\n\n return value\n}\n\n/**\n * Build Permissions-Policy header string\n */\nexport function buildPermissionsPolicy(policy: PermissionsPolicy): string {\n const directives: string[] = []\n\n const featureMap: Record<string, string> = {\n accelerometer: 'accelerometer',\n ambientLightSensor: 'ambient-light-sensor',\n autoplay: 'autoplay',\n battery: 'battery',\n camera: 'camera',\n displayCapture: 'display-capture',\n documentDomain: 'document-domain',\n encryptedMedia: 'encrypted-media',\n fullscreen: 'fullscreen',\n geolocation: 'geolocation',\n gyroscope: 'gyroscope',\n magnetometer: 'magnetometer',\n microphone: 'microphone',\n midi: 'midi',\n payment: 'payment',\n pictureInPicture: 'picture-in-picture',\n publicKeyCredentialsGet: 'publickey-credentials-get',\n screenWakeLock: 'screen-wake-lock',\n syncXhr: 'sync-xhr',\n usb: 'usb',\n webShare: 'web-share',\n xrSpatialTracking: 'xr-spatial-tracking',\n }\n\n for (const [key, feature] of Object.entries(featureMap)) {\n const origins = policy[key as keyof PermissionsPolicy]\n if (origins !== undefined) {\n if (origins.length === 0) {\n directives.push(`${feature}=()`)\n } else {\n const formatted = origins.map((o) => (o === 'self' ? 'self' : `\"${o}\"`)).join(' ')\n directives.push(`${feature}=(${formatted})`)\n }\n }\n }\n\n return directives.join(', ')\n}\n\n/**\n * Preset: Strict security headers\n */\nexport const PRESET_STRICT: SecurityHeadersConfig = {\n contentSecurityPolicy: {\n defaultSrc: [\"'self'\"],\n scriptSrc: [\"'self'\"],\n styleSrc: [\"'self'\"],\n imgSrc: [\"'self'\", 'data:'],\n fontSrc: [\"'self'\"],\n objectSrc: [\"'none'\"],\n frameAncestors: [\"'none'\"],\n formAction: [\"'self'\"],\n baseUri: [\"'self'\"],\n upgradeInsecureRequests: true,\n },\n strictTransportSecurity: {\n maxAge: 31536000, // 1 year\n includeSubDomains: true,\n preload: true,\n },\n xFrameOptions: 'DENY',\n xContentTypeOptions: true,\n xDnsPrefetchControl: 'off',\n xDownloadOptions: true,\n xPermittedCrossDomainPolicies: 'none',\n referrerPolicy: 'strict-origin-when-cross-origin',\n crossOriginOpenerPolicy: 'same-origin',\n crossOriginEmbedderPolicy: 'require-corp',\n crossOriginResourcePolicy: 'same-origin',\n permissionsPolicy: {\n camera: [],\n microphone: [],\n geolocation: [],\n payment: [],\n },\n originAgentCluster: true,\n}\n\n/**\n * Preset: Relaxed security headers (for development or less strict needs)\n */\nexport const PRESET_RELAXED: SecurityHeadersConfig = {\n contentSecurityPolicy: {\n defaultSrc: [\"'self'\"],\n scriptSrc: [\"'self'\", \"'unsafe-inline'\", \"'unsafe-eval'\"],\n styleSrc: [\"'self'\", \"'unsafe-inline'\"],\n imgSrc: [\"'self'\", 'data:', 'blob:', 'https:'],\n fontSrc: [\"'self'\", 'https:', 'data:'],\n connectSrc: [\"'self'\", 'https:', 'wss:'],\n frameSrc: [\"'self'\"],\n },\n strictTransportSecurity: {\n maxAge: 86400, // 1 day\n includeSubDomains: false,\n },\n xFrameOptions: 'SAMEORIGIN',\n xContentTypeOptions: true,\n referrerPolicy: 'no-referrer-when-downgrade',\n}\n\n/**\n * Preset: API-focused security headers\n */\nexport const PRESET_API: SecurityHeadersConfig = {\n contentSecurityPolicy: {\n defaultSrc: [\"'none'\"],\n frameAncestors: [\"'none'\"],\n },\n strictTransportSecurity: {\n maxAge: 31536000,\n includeSubDomains: true,\n },\n xFrameOptions: 'DENY',\n xContentTypeOptions: true,\n referrerPolicy: 'no-referrer',\n crossOriginResourcePolicy: 'same-origin',\n}\n\n/**\n * Get preset config by name\n */\nexport function getPreset(name: SecurityHeadersPreset): SecurityHeadersConfig {\n switch (name) {\n case 'strict':\n return PRESET_STRICT\n case 'relaxed':\n return PRESET_RELAXED\n case 'api':\n return PRESET_API\n default:\n return PRESET_STRICT\n }\n}\n\n/**\n * Build all headers from config\n */\nexport function buildHeaders(config: SecurityHeadersConfig): Headers {\n const headers = new Headers()\n\n // CSP\n if (config.contentSecurityPolicy) {\n const csp = buildCSP(config.contentSecurityPolicy)\n if (csp) headers.set('Content-Security-Policy', csp)\n }\n\n // HSTS\n if (config.strictTransportSecurity) {\n headers.set('Strict-Transport-Security', buildHSTS(config.strictTransportSecurity))\n }\n\n // X-Frame-Options\n if (config.xFrameOptions) {\n headers.set('X-Frame-Options', config.xFrameOptions)\n }\n\n // X-Content-Type-Options\n if (config.xContentTypeOptions) {\n headers.set('X-Content-Type-Options', 'nosniff')\n }\n\n // X-DNS-Prefetch-Control\n if (config.xDnsPrefetchControl) {\n headers.set('X-DNS-Prefetch-Control', config.xDnsPrefetchControl)\n }\n\n // X-Download-Options\n if (config.xDownloadOptions) {\n headers.set('X-Download-Options', 'noopen')\n }\n\n // X-Permitted-Cross-Domain-Policies\n if (config.xPermittedCrossDomainPolicies) {\n headers.set('X-Permitted-Cross-Domain-Policies', config.xPermittedCrossDomainPolicies)\n }\n\n // Referrer-Policy\n if (config.referrerPolicy) {\n const value = Array.isArray(config.referrerPolicy)\n ? config.referrerPolicy.join(', ')\n : config.referrerPolicy\n headers.set('Referrer-Policy', value)\n }\n\n // COOP\n if (config.crossOriginOpenerPolicy) {\n headers.set('Cross-Origin-Opener-Policy', config.crossOriginOpenerPolicy)\n }\n\n // COEP\n if (config.crossOriginEmbedderPolicy) {\n headers.set('Cross-Origin-Embedder-Policy', config.crossOriginEmbedderPolicy)\n }\n\n // CORP\n if (config.crossOriginResourcePolicy) {\n headers.set('Cross-Origin-Resource-Policy', config.crossOriginResourcePolicy)\n }\n\n // Permissions-Policy\n if (config.permissionsPolicy) {\n const pp = buildPermissionsPolicy(config.permissionsPolicy)\n if (pp) headers.set('Permissions-Policy', pp)\n }\n\n // Origin-Agent-Cluster\n if (config.originAgentCluster) {\n headers.set('Origin-Agent-Cluster', '?1')\n }\n\n return headers\n}\n","import type { NextRequest } from 'next/server'\nimport type { SecurityHeadersConfig, SecurityHeadersPreset } from './types'\nimport { buildHeaders, getPreset, PRESET_STRICT } from './builder'\n\ntype RouteHandler = (req: NextRequest) => Response | Promise<Response>\n\nexport interface WithSecurityHeadersOptions {\n /** Use a preset configuration */\n preset?: SecurityHeadersPreset\n\n /** Custom header configuration (merged with preset if provided) */\n config?: SecurityHeadersConfig\n\n /** Override response headers instead of merging */\n override?: boolean\n}\n\n/**\n * Merge two configs, with custom taking precedence\n */\nfunction mergeConfigs(\n base: SecurityHeadersConfig,\n custom: SecurityHeadersConfig\n): SecurityHeadersConfig {\n return {\n ...base,\n ...custom,\n // Deep merge CSP if both exist\n contentSecurityPolicy:\n custom.contentSecurityPolicy === false\n ? false\n : custom.contentSecurityPolicy\n ? base.contentSecurityPolicy\n ? { ...(base.contentSecurityPolicy as object), ...custom.contentSecurityPolicy }\n : custom.contentSecurityPolicy\n : base.contentSecurityPolicy,\n // Deep merge HSTS if both exist\n strictTransportSecurity:\n custom.strictTransportSecurity === false\n ? false\n : custom.strictTransportSecurity\n ? base.strictTransportSecurity\n ? { ...(base.strictTransportSecurity as object), ...custom.strictTransportSecurity }\n : custom.strictTransportSecurity\n : base.strictTransportSecurity,\n // Deep merge Permissions-Policy if both exist\n permissionsPolicy:\n custom.permissionsPolicy === false\n ? false\n : custom.permissionsPolicy\n ? base.permissionsPolicy\n ? { ...(base.permissionsPolicy as object), ...custom.permissionsPolicy }\n : custom.permissionsPolicy\n : base.permissionsPolicy,\n }\n}\n\n/**\n * Security headers middleware\n *\n * Adds security headers to responses. Use presets for quick setup\n * or provide custom configuration.\n *\n * @example\n * ```typescript\n * // Use strict preset\n * export const GET = withSecurityHeaders(handler, { preset: 'strict' })\n *\n * // Custom config\n * export const GET = withSecurityHeaders(handler, {\n * config: {\n * xFrameOptions: 'SAMEORIGIN',\n * referrerPolicy: 'no-referrer'\n * }\n * })\n * ```\n */\nexport function withSecurityHeaders(\n handler: RouteHandler,\n options: WithSecurityHeadersOptions = {}\n): RouteHandler {\n const { preset, config, override = false } = options\n\n // Get base config from preset or default to strict\n let baseConfig: SecurityHeadersConfig = preset ? getPreset(preset) : PRESET_STRICT\n\n // Merge with custom config if provided\n if (config) {\n baseConfig = mergeConfigs(baseConfig, config)\n }\n\n // Pre-build headers for performance\n const securityHeaders = buildHeaders(baseConfig)\n\n return async (req: NextRequest): Promise<Response> => {\n const response = await handler(req)\n\n // Clone response to modify headers\n const newHeaders = new Headers(response.headers)\n\n // Add security headers\n securityHeaders.forEach((value, key) => {\n if (override || !newHeaders.has(key)) {\n newHeaders.set(key, value)\n }\n })\n\n return new Response(response.body, {\n status: response.status,\n statusText: response.statusText,\n headers: newHeaders,\n })\n }\n}\n\n/**\n * Create headers object for use in responses\n * Useful when you want to add headers manually\n *\n * @example\n * ```typescript\n * const headers = createSecurityHeaders({ preset: 'api' })\n *\n * return Response.json(data, { headers })\n * ```\n */\nexport function createSecurityHeaders(\n options: WithSecurityHeadersOptions = {}\n): Headers {\n const { preset, config } = options\n\n let baseConfig: SecurityHeadersConfig = preset ? getPreset(preset) : PRESET_STRICT\n\n if (config) {\n baseConfig = mergeConfigs(baseConfig, config)\n }\n\n return buildHeaders(baseConfig)\n}\n\n/**\n * Create a headers object as a plain object (for Next.js headers())\n */\nexport function createSecurityHeadersObject(\n options: WithSecurityHeadersOptions = {}\n): Record<string, string> {\n const headers = createSecurityHeaders(options)\n const obj: Record<string, string> = {}\n\n headers.forEach((value, key) => {\n obj[key] = value\n })\n\n return obj\n}\n"]}
package/dist/headers.d.cts CHANGED
@@ -1,35 +1,172 @@
1
+ import { NextRequest } from 'next/server';
2
+
3
+ /**
4
+ * Content-Security-Policy directive values
5
+ */
6
+ type CSPDirectiveValue = string | string[];
7
+ interface ContentSecurityPolicy {
8
+ defaultSrc?: CSPDirectiveValue;
9
+ scriptSrc?: CSPDirectiveValue;
10
+ styleSrc?: CSPDirectiveValue;
11
+ imgSrc?: CSPDirectiveValue;
12
+ fontSrc?: CSPDirectiveValue;
13
+ connectSrc?: CSPDirectiveValue;
14
+ mediaSrc?: CSPDirectiveValue;
15
+ objectSrc?: CSPDirectiveValue;
16
+ frameSrc?: CSPDirectiveValue;
17
+ childSrc?: CSPDirectiveValue;
18
+ workerSrc?: CSPDirectiveValue;
19
+ frameAncestors?: CSPDirectiveValue;
20
+ formAction?: CSPDirectiveValue;
21
+ baseUri?: CSPDirectiveValue;
22
+ manifestSrc?: CSPDirectiveValue;
23
+ upgradeInsecureRequests?: boolean;
24
+ blockAllMixedContent?: boolean;
25
+ reportUri?: string;
26
+ reportTo?: string;
27
+ }
28
+ interface StrictTransportSecurity {
29
+ maxAge: number;
30
+ includeSubDomains?: boolean;
31
+ preload?: boolean;
32
+ }
33
+ type XFrameOptions = 'DENY' | 'SAMEORIGIN';
34
+ type ReferrerPolicy = 'no-referrer' | 'no-referrer-when-downgrade' | 'origin' | 'origin-when-cross-origin' | 'same-origin' | 'strict-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url';
35
+ type CrossOriginOpenerPolicy = 'unsafe-none' | 'same-origin-allow-popups' | 'same-origin';
36
+ type CrossOriginEmbedderPolicy = 'unsafe-none' | 'require-corp' | 'credentialless';
37
+ type CrossOriginResourcePolicy = 'same-site' | 'same-origin' | 'cross-origin';
38
+ interface PermissionsPolicy {
39
+ accelerometer?: string[];
40
+ ambientLightSensor?: string[];
41
+ autoplay?: string[];
42
+ battery?: string[];
43
+ camera?: string[];
44
+ displayCapture?: string[];
45
+ documentDomain?: string[];
46
+ encryptedMedia?: string[];
47
+ fullscreen?: string[];
48
+ geolocation?: string[];
49
+ gyroscope?: string[];
50
+ magnetometer?: string[];
51
+ microphone?: string[];
52
+ midi?: string[];
53
+ payment?: string[];
54
+ pictureInPicture?: string[];
55
+ publicKeyCredentialsGet?: string[];
56
+ screenWakeLock?: string[];
57
+ syncXhr?: string[];
58
+ usb?: string[];
59
+ webShare?: string[];
60
+ xrSpatialTracking?: string[];
61
+ }
62
+ interface SecurityHeadersConfig {
63
+ /** Content-Security-Policy */
64
+ contentSecurityPolicy?: ContentSecurityPolicy | false;
65
+ /** Strict-Transport-Security */
66
+ strictTransportSecurity?: StrictTransportSecurity | false;
67
+ /** X-Frame-Options */
68
+ xFrameOptions?: XFrameOptions | false;
69
+ /** X-Content-Type-Options: nosniff */
70
+ xContentTypeOptions?: boolean;
71
+ /** X-DNS-Prefetch-Control */
72
+ xDnsPrefetchControl?: 'on' | 'off' | false;
73
+ /** X-Download-Options: noopen (IE specific) */
74
+ xDownloadOptions?: boolean;
75
+ /** X-Permitted-Cross-Domain-Policies */
76
+ xPermittedCrossDomainPolicies?: 'none' | 'master-only' | 'by-content-type' | 'all' | false;
77
+ /** Referrer-Policy */
78
+ referrerPolicy?: ReferrerPolicy | ReferrerPolicy[] | false;
79
+ /** Cross-Origin-Opener-Policy */
80
+ crossOriginOpenerPolicy?: CrossOriginOpenerPolicy | false;
81
+ /** Cross-Origin-Embedder-Policy */
82
+ crossOriginEmbedderPolicy?: CrossOriginEmbedderPolicy | false;
83
+ /** Cross-Origin-Resource-Policy */
84
+ crossOriginResourcePolicy?: CrossOriginResourcePolicy | false;
85
+ /** Permissions-Policy */
86
+ permissionsPolicy?: PermissionsPolicy | false;
87
+ /** Origin-Agent-Cluster */
88
+ originAgentCluster?: boolean;
89
+ }
90
+ type SecurityHeadersPreset = 'strict' | 'relaxed' | 'api';
91
+
92
+ type RouteHandler = (req: NextRequest) => Response | Promise<Response>;
93
+ interface WithSecurityHeadersOptions {
94
+ /** Use a preset configuration */
95
+ preset?: SecurityHeadersPreset;
96
+ /** Custom header configuration (merged with preset if provided) */
97
+ config?: SecurityHeadersConfig;
98
+ /** Override response headers instead of merging */
99
+ override?: boolean;
100
+ }
1
101
  /**
2
- * Security Headers Middleware (Coming Soon)
102
+ * Security headers middleware
103
+ *
104
+ * Adds security headers to responses. Use presets for quick setup
105
+ * or provide custom configuration.
3
106
  *
4
107
  * @example
5
108
  * ```typescript
6
- * // next.config.js
7
- * import { securityHeaders } from 'next-secure/headers'
109
+ * // Use strict preset
110
+ * export const GET = withSecurityHeaders(handler, { preset: 'strict' })
8
111
  *
9
- * export default {
10
- * async headers() {
11
- * return [
12
- * {
13
- * source: '/:path*',
14
- * headers: securityHeaders({
15
- * contentSecurityPolicy: {
16
- * directives: {
17
- * defaultSrc: ["'self'"],
18
- * scriptSrc: ["'self'", "'unsafe-inline'"],
19
- * }
20
- * },
21
- * strictTransportSecurity: true,
22
- * xFrameOptions: 'DENY',
23
- * })
24
- * }
25
- * ]
112
+ * // Custom config
113
+ * export const GET = withSecurityHeaders(handler, {
114
+ * config: {
115
+ * xFrameOptions: 'SAMEORIGIN',
116
+ * referrerPolicy: 'no-referrer'
26
117
  * }
27
- * }
118
+ * })
28
119
  * ```
120
+ */
121
+ declare function withSecurityHeaders(handler: RouteHandler, options?: WithSecurityHeadersOptions): RouteHandler;
122
+ /**
123
+ * Create headers object for use in responses
124
+ * Useful when you want to add headers manually
29
125
  *
30
- * @packageDocumentation
126
+ * @example
127
+ * ```typescript
128
+ * const headers = createSecurityHeaders({ preset: 'api' })
129
+ *
130
+ * return Response.json(data, { headers })
131
+ * ```
132
+ */
133
+ declare function createSecurityHeaders(options?: WithSecurityHeadersOptions): Headers;
134
+ /**
135
+ * Create a headers object as a plain object (for Next.js headers())
136
+ */
137
+ declare function createSecurityHeadersObject(options?: WithSecurityHeadersOptions): Record<string, string>;
138
+
139
+ /**
140
+ * Build CSP header string from config
141
+ */
142
+ declare function buildCSP(policy: ContentSecurityPolicy): string;
143
+ /**
144
+ * Build HSTS header string
145
+ */
146
+ declare function buildHSTS(config: StrictTransportSecurity): string;
147
+ /**
148
+ * Build Permissions-Policy header string
149
+ */
150
+ declare function buildPermissionsPolicy(policy: PermissionsPolicy): string;
151
+ /**
152
+ * Preset: Strict security headers
153
+ */
154
+ declare const PRESET_STRICT: SecurityHeadersConfig;
155
+ /**
156
+ * Preset: Relaxed security headers (for development or less strict needs)
157
+ */
158
+ declare const PRESET_RELAXED: SecurityHeadersConfig;
159
+ /**
160
+ * Preset: API-focused security headers
161
+ */
162
+ declare const PRESET_API: SecurityHeadersConfig;
163
+ /**
164
+ * Get preset config by name
165
+ */
166
+ declare function getPreset(name: SecurityHeadersPreset): SecurityHeadersConfig;
167
+ /**
168
+ * Build all headers from config
31
169
  */
32
- declare function securityHeaders(): void;
33
- declare function createCsp(): void;
170
+ declare function buildHeaders(config: SecurityHeadersConfig): Headers;
34
171
 
35
- export { createCsp, securityHeaders };
172
+ export { type ContentSecurityPolicy, type CrossOriginEmbedderPolicy, type CrossOriginOpenerPolicy, type CrossOriginResourcePolicy, PRESET_API, PRESET_RELAXED, PRESET_STRICT, type PermissionsPolicy, type ReferrerPolicy, type SecurityHeadersConfig, type SecurityHeadersPreset, type StrictTransportSecurity, type XFrameOptions, buildCSP, buildHSTS, buildHeaders, buildPermissionsPolicy, createSecurityHeaders, createSecurityHeadersObject, getPreset, withSecurityHeaders };