npm - nextjs-secure - Versions diffs - 0.2.0 → 0.3.0 - Mend

nextjs-secure 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/index.cjs CHANGED Viewed

@@ -1178,29 +1178,307 @@ async function validateCSRF(req, config = {}) {
   return { valid: true };
 }
+// src/middleware/headers/builder.ts
+function buildCSP(policy) {
+  const directives = [];
+  const directiveMap = {
+    defaultSrc: "default-src",
+    scriptSrc: "script-src",
+    styleSrc: "style-src",
+    imgSrc: "img-src",
+    fontSrc: "font-src",
+    connectSrc: "connect-src",
+    mediaSrc: "media-src",
+    objectSrc: "object-src",
+    frameSrc: "frame-src",
+    childSrc: "child-src",
+    workerSrc: "worker-src",
+    frameAncestors: "frame-ancestors",
+    formAction: "form-action",
+    baseUri: "base-uri",
+    manifestSrc: "manifest-src",
+    reportUri: "report-uri",
+    reportTo: "report-to"
+  };
+  for (const [key, directive] of Object.entries(directiveMap)) {
+    const value = policy[key];
+    if (value !== void 0 && value !== false) {
+      if (Array.isArray(value)) {
+        directives.push(`${directive} ${value.join(" ")}`);
+      } else if (typeof value === "string") {
+        directives.push(`${directive} ${value}`);
+      }
+    }
+  }
+  if (policy.upgradeInsecureRequests) {
+    directives.push("upgrade-insecure-requests");
+  }
+  if (policy.blockAllMixedContent) {
+    directives.push("block-all-mixed-content");
+  }
+  return directives.join("; ");
+}
+function buildHSTS(config) {
+  let value = `max-age=${config.maxAge}`;
+  if (config.includeSubDomains) {
+    value += "; includeSubDomains";
+  }
+  if (config.preload) {
+    value += "; preload";
+  }
+  return value;
+}
+function buildPermissionsPolicy(policy) {
+  const directives = [];
+  const featureMap = {
+    accelerometer: "accelerometer",
+    ambientLightSensor: "ambient-light-sensor",
+    autoplay: "autoplay",
+    battery: "battery",
+    camera: "camera",
+    displayCapture: "display-capture",
+    documentDomain: "document-domain",
+    encryptedMedia: "encrypted-media",
+    fullscreen: "fullscreen",
+    geolocation: "geolocation",
+    gyroscope: "gyroscope",
+    magnetometer: "magnetometer",
+    microphone: "microphone",
+    midi: "midi",
+    payment: "payment",
+    pictureInPicture: "picture-in-picture",
+    publicKeyCredentialsGet: "publickey-credentials-get",
+    screenWakeLock: "screen-wake-lock",
+    syncXhr: "sync-xhr",
+    usb: "usb",
+    webShare: "web-share",
+    xrSpatialTracking: "xr-spatial-tracking"
+  };
+  for (const [key, feature] of Object.entries(featureMap)) {
+    const origins = policy[key];
+    if (origins !== void 0) {
+      if (origins.length === 0) {
+        directives.push(`${feature}=()`);
+      } else {
+        const formatted = origins.map((o) => o === "self" ? "self" : `"${o}"`).join(" ");
+        directives.push(`${feature}=(${formatted})`);
+      }
+    }
+  }
+  return directives.join(", ");
+}
+var PRESET_STRICT = {
+  contentSecurityPolicy: {
+    defaultSrc: ["'self'"],
+    scriptSrc: ["'self'"],
+    styleSrc: ["'self'"],
+    imgSrc: ["'self'", "data:"],
+    fontSrc: ["'self'"],
+    objectSrc: ["'none'"],
+    frameAncestors: ["'none'"],
+    formAction: ["'self'"],
+    baseUri: ["'self'"],
+    upgradeInsecureRequests: true
+  },
+  strictTransportSecurity: {
+    maxAge: 31536e3,
+    // 1 year
+    includeSubDomains: true,
+    preload: true
+  },
+  xFrameOptions: "DENY",
+  xContentTypeOptions: true,
+  xDnsPrefetchControl: "off",
+  xDownloadOptions: true,
+  xPermittedCrossDomainPolicies: "none",
+  referrerPolicy: "strict-origin-when-cross-origin",
+  crossOriginOpenerPolicy: "same-origin",
+  crossOriginEmbedderPolicy: "require-corp",
+  crossOriginResourcePolicy: "same-origin",
+  permissionsPolicy: {
+    camera: [],
+    microphone: [],
+    geolocation: [],
+    payment: []
+  },
+  originAgentCluster: true
+};
+var PRESET_RELAXED = {
+  contentSecurityPolicy: {
+    defaultSrc: ["'self'"],
+    scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+    styleSrc: ["'self'", "'unsafe-inline'"],
+    imgSrc: ["'self'", "data:", "blob:", "https:"],
+    fontSrc: ["'self'", "https:", "data:"],
+    connectSrc: ["'self'", "https:", "wss:"],
+    frameSrc: ["'self'"]
+  },
+  strictTransportSecurity: {
+    maxAge: 86400,
+    // 1 day
+    includeSubDomains: false
+  },
+  xFrameOptions: "SAMEORIGIN",
+  xContentTypeOptions: true,
+  referrerPolicy: "no-referrer-when-downgrade"
+};
+var PRESET_API = {
+  contentSecurityPolicy: {
+    defaultSrc: ["'none'"],
+    frameAncestors: ["'none'"]
+  },
+  strictTransportSecurity: {
+    maxAge: 31536e3,
+    includeSubDomains: true
+  },
+  xFrameOptions: "DENY",
+  xContentTypeOptions: true,
+  referrerPolicy: "no-referrer",
+  crossOriginResourcePolicy: "same-origin"
+};
+function getPreset(name) {
+  switch (name) {
+    case "strict":
+      return PRESET_STRICT;
+    case "relaxed":
+      return PRESET_RELAXED;
+    case "api":
+      return PRESET_API;
+    default:
+      return PRESET_STRICT;
+  }
+}
+function buildHeaders(config) {
+  const headers = new Headers();
+  if (config.contentSecurityPolicy) {
+    const csp = buildCSP(config.contentSecurityPolicy);
+    if (csp) headers.set("Content-Security-Policy", csp);
+  }
+  if (config.strictTransportSecurity) {
+    headers.set("Strict-Transport-Security", buildHSTS(config.strictTransportSecurity));
+  }
+  if (config.xFrameOptions) {
+    headers.set("X-Frame-Options", config.xFrameOptions);
+  }
+  if (config.xContentTypeOptions) {
+    headers.set("X-Content-Type-Options", "nosniff");
+  }
+  if (config.xDnsPrefetchControl) {
+    headers.set("X-DNS-Prefetch-Control", config.xDnsPrefetchControl);
+  }
+  if (config.xDownloadOptions) {
+    headers.set("X-Download-Options", "noopen");
+  }
+  if (config.xPermittedCrossDomainPolicies) {
+    headers.set("X-Permitted-Cross-Domain-Policies", config.xPermittedCrossDomainPolicies);
+  }
+  if (config.referrerPolicy) {
+    const value = Array.isArray(config.referrerPolicy) ? config.referrerPolicy.join(", ") : config.referrerPolicy;
+    headers.set("Referrer-Policy", value);
+  }
+  if (config.crossOriginOpenerPolicy) {
+    headers.set("Cross-Origin-Opener-Policy", config.crossOriginOpenerPolicy);
+  }
+  if (config.crossOriginEmbedderPolicy) {
+    headers.set("Cross-Origin-Embedder-Policy", config.crossOriginEmbedderPolicy);
+  }
+  if (config.crossOriginResourcePolicy) {
+    headers.set("Cross-Origin-Resource-Policy", config.crossOriginResourcePolicy);
+  }
+  if (config.permissionsPolicy) {
+    const pp = buildPermissionsPolicy(config.permissionsPolicy);
+    if (pp) headers.set("Permissions-Policy", pp);
+  }
+  if (config.originAgentCluster) {
+    headers.set("Origin-Agent-Cluster", "?1");
+  }
+  return headers;
+}
+// src/middleware/headers/middleware.ts
+function mergeConfigs(base, custom) {
+  return {
+    ...base,
+    ...custom,
+    // Deep merge CSP if both exist
+    contentSecurityPolicy: custom.contentSecurityPolicy === false ? false : custom.contentSecurityPolicy ? base.contentSecurityPolicy ? { ...base.contentSecurityPolicy, ...custom.contentSecurityPolicy } : custom.contentSecurityPolicy : base.contentSecurityPolicy,
+    // Deep merge HSTS if both exist
+    strictTransportSecurity: custom.strictTransportSecurity === false ? false : custom.strictTransportSecurity ? base.strictTransportSecurity ? { ...base.strictTransportSecurity, ...custom.strictTransportSecurity } : custom.strictTransportSecurity : base.strictTransportSecurity,
+    // Deep merge Permissions-Policy if both exist
+    permissionsPolicy: custom.permissionsPolicy === false ? false : custom.permissionsPolicy ? base.permissionsPolicy ? { ...base.permissionsPolicy, ...custom.permissionsPolicy } : custom.permissionsPolicy : base.permissionsPolicy
+  };
+}
+function withSecurityHeaders(handler, options = {}) {
+  const { preset, config, override = false } = options;
+  let baseConfig = preset ? getPreset(preset) : PRESET_STRICT;
+  if (config) {
+    baseConfig = mergeConfigs(baseConfig, config);
+  }
+  const securityHeaders = buildHeaders(baseConfig);
+  return async (req) => {
+    const response = await handler(req);
+    const newHeaders = new Headers(response.headers);
+    securityHeaders.forEach((value, key) => {
+      if (override || !newHeaders.has(key)) {
+        newHeaders.set(key, value);
+      }
+    });
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: newHeaders
+    });
+  };
+}
+function createSecurityHeaders(options = {}) {
+  const { preset, config } = options;
+  let baseConfig = preset ? getPreset(preset) : PRESET_STRICT;
+  if (config) {
+    baseConfig = mergeConfigs(baseConfig, config);
+  }
+  return buildHeaders(baseConfig);
+}
+function createSecurityHeadersObject(options = {}) {
+  const headers = createSecurityHeaders(options);
+  const obj = {};
+  headers.forEach((value, key) => {
+    obj[key] = value;
+  });
+  return obj;
+}
 // src/index.ts
-var VERSION = "0.2.0";
+var VERSION = "0.3.0";
 exports.AuthenticationError = AuthenticationError;
 exports.AuthorizationError = AuthorizationError;
 exports.ConfigurationError = ConfigurationError;
 exports.CsrfError = CsrfError;
 exports.MemoryStore = MemoryStore;
+exports.PRESET_API = PRESET_API;
+exports.PRESET_RELAXED = PRESET_RELAXED;
+exports.PRESET_STRICT = PRESET_STRICT;
 exports.RateLimitError = RateLimitError;
 exports.SecureError = SecureError;
 exports.VERSION = VERSION;
 exports.ValidationError = ValidationError;
 exports.anonymizeIp = anonymizeIp;
+exports.buildCSP = buildCSP;
+exports.buildHSTS = buildHSTS;
+exports.buildPermissionsPolicy = buildPermissionsPolicy;
 exports.checkRateLimit = checkRateLimit;
 exports.clearAllRateLimits = clearAllRateLimits;
 exports.createCSRFToken = createToken;
 exports.createMemoryStore = createMemoryStore;
 exports.createRateLimiter = createRateLimiter;
+exports.createSecurityHeaders = createSecurityHeaders;
+exports.createSecurityHeadersObject = createSecurityHeadersObject;
 exports.formatDuration = formatDuration;
 exports.generateCSRF = generateCSRF;
 exports.getClientIp = getClientIp;
 exports.getGeoInfo = getGeoInfo;
 exports.getGlobalMemoryStore = getGlobalMemoryStore;
+exports.getPreset = getPreset;
 exports.getRateLimitStatus = getRateLimitStatus;
 exports.isLocalhost = isLocalhost;
 exports.isPrivateIp = isPrivateIp;
@@ -1218,5 +1496,6 @@ exports.validateCSRF = validateCSRF;
 exports.verifyCSRFToken = verifyToken;
 exports.withCSRF = withCSRF;
 exports.withRateLimit = withRateLimit;
+exports.withSecurityHeaders = withSecurityHeaders;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map