perimeterx-js-core 0.13.0 → 0.14.0

package/lib/cjs/config/ConfigurationBase.js

@@ -634,6 +634,13 @@ var ConfigurationBase = /** @class */ (function () {
         enumerable: false,
         configurable: true
     });
+    Object.defineProperty(ConfigurationBase.prototype, "securedPxhdEnabled", {
+        get: function () {
+            return this.configParams.px_secured_pxhd_enabled;
+        },
+        enumerable: false,
+        configurable: true
+    });
     return ConfigurationBase;
 }());
 exports.ConfigurationBase = ConfigurationBase;

package/lib/cjs/config/defaults/DefaultCommonConfigurationParams.js

@@ -13,7 +13,6 @@ exports.DEFAULT_COMMON_CONFIGURATION_PARAMS = {
     px_risk_cookie_max_iterations: 5000,
     px_logger_severity: logger_1.LoggerSeverity.ERROR,
     px_ip_headers: [],
-    px_extract_ip: null,
     px_module_enabled: true,
     px_module_mode: utils_1.ModuleMode.MONITOR,
     px_additional_activity_handler: null,
@@ -21,9 +20,6 @@ exports.DEFAULT_COMMON_CONFIGURATION_PARAMS = {
     px_max_activity_batch_size: 0,
     px_batch_activities_timeout_ms: 1000,
     px_bypass_monitor_header: '',
-    px_csp_enabled: false,
-    px_csp_no_updates_max_interval_minutes: 60,
-    px_csp_policy_refresh_interval_minutes: 5,
     px_enforced_routes: [],
     px_first_party_enabled: true,
     px_custom_first_party_prefix: '',
@@ -104,7 +100,6 @@ exports.DEFAULT_COMMON_CONFIGURATION_PARAMS = {
     px_sensitive_graphql_operation_names: [],
     px_sensitive_graphql_operation_types: [],
     px_enrich_custom_parameters: null,
-    px_proxy_url: '',
     px_jwt_cookie_name: '',
     px_jwt_cookie_user_id_field_name: '',
     px_jwt_cookie_additional_field_names: [],
@@ -118,4 +113,5 @@ exports.DEFAULT_COMMON_CONFIGURATION_PARAMS = {
     px_remote_config_max_fetch_attempts: 5,
     px_remote_config_retry_interval_ms: 1000,
     px_url_decode_reserved_characters: false,
+    px_secured_pxhd_enabled: false,
 };

package/lib/cjs/impl/url/UrlImpl.js

@@ -11,15 +11,18 @@ var UrlImpl = /** @class */ (function () {
             throw new Error("Invalid UrlImpl: ".concat(rawUrl));
         }
         this.protocol = match[1];
-        this.hostname = match[3];
-        this.port = match[4] || '';
-        this.pathname = match[5] || '/';
-        this.search = match[6] || '';
-        this.hash = match[7] || '';
+        this.username = match[3] || '';
+        this.password = match[4] || '';
+        this.hostname = match[6];
+        this.port = match[7] || '';
+        this.pathname = match[8] || '/';
+        this.search = match[9] || '';
+        this.hash = match[10] || '';
+        this.urlUtils = new CustomImplUrlUtils_1.CustomImplUrlUtils();
     }
     Object.defineProperty(UrlImpl.prototype, "href", {
         get: function () {
-            return "".concat(this.origin).concat(this.pathname).concat(this.search).concat(this.hash);
+            return "".concat(this.protocol, "//").concat(this.credentials).concat(this.host).concat(this.pathname).concat(this.search).concat(this.hash);
         },
         enumerable: false,
         configurable: true
@@ -57,7 +60,7 @@ var UrlImpl = /** @class */ (function () {
     });
     Object.defineProperty(UrlImpl.prototype, "searchParams", {
         get: function () {
-            return new UrlSearchParamsImpl_1.UrlSearchParamsImpl(new CustomImplUrlUtils_1.CustomImplUrlUtils(), this.search);
+            return new UrlSearchParamsImpl_1.UrlSearchParamsImpl(this.urlUtils, this.search);
         },
         enumerable: false,
         configurable: true
@@ -69,6 +72,23 @@ var UrlImpl = /** @class */ (function () {
         };
         return PROTOCOL_TO_DEFAULT_PORT[this.protocol] === port;
     };
+    Object.defineProperty(UrlImpl.prototype, "credentials", {
+        get: function () {
+            if (!this.username && !this.password) {
+                return '';
+            }
+            var credentials = '';
+            if (this.username) {
+                credentials += this.urlUtils.encodeUriComponent(this.username);
+            }
+            if (this.password) {
+                credentials += ":".concat(this.urlUtils.encodeUriComponent(this.password));
+            }
+            return "".concat(credentials, "@");
+        },
+        enumerable: false,
+        configurable: true
+    });
     return UrlImpl;
 }());
 exports.UrlImpl = UrlImpl;

package/lib/cjs/logger/LoggerBase.js

@@ -54,6 +54,9 @@ var LoggerBase = /** @class */ (function () {
         var logRecord = __assign(__assign({}, metadata), { message: message, severity: loggerSeverity, messageTimestamp: Date.now() });
         this.logs.push(logRecord);
     };
+    LoggerBase.prototype.clearLogs = function () {
+        this.logs = [];
+    };
     return LoggerBase;
 }());
 exports.LoggerBase = LoggerBase;

package/lib/cjs/phase/flow/PostEnforceFlow.js

@@ -23,7 +23,7 @@ var PostEnforceFlow = /** @class */ (function (_super) {
         var products = _a.products, activityClient = _a.activityClient;
         return _super.call(this, [
             new impl_1.EnrichContextFromResponsePhase(config, products),
-            new impl_1.ModifyOutgoingResponsePhase(Object.values(products)),
+            new impl_1.ModifyOutgoingResponsePhase(config, Object.values(products)),
             new impl_1.SendAsyncActivitiesOnResponsePhase(activityClient),
         ]) || this;
     }

package/lib/cjs/phase/impl/CreateBlockResponsePhase.js

@@ -92,7 +92,7 @@ var CreateBlockResponsePhase = /** @class */ (function () {
                 switch (_c.label) {
                     case 0:
                         if (!context.isMobile && ((_a = context.pxhd) === null || _a === void 0 ? void 0 : _a.source) === pxhd_1.PXHDSource.RISK) {
-                            response = pxhd_1.PXHDUtils.addPxhdToMinimalResponse(context, response);
+                            response = pxhd_1.PXHDUtils.addPxhdToMinimalResponse(this.config, context, response);
                         }
                         if (!(this.config.corsSupportEnabled && ((_b = this.cors) === null || _b === void 0 ? void 0 : _b.isCorsRequest(context)))) return [3 /*break*/, 2];
                         return [4 /*yield*/, this.cors.getCorsBlockHeaders(context)];

package/lib/cjs/phase/impl/ModifyOutgoingResponsePhase.js

@@ -39,7 +39,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.ModifyOutgoingResponsePhase = void 0;
 var pxhd_1 = require("../../pxhd");
 var ModifyOutgoingResponsePhase = /** @class */ (function () {
-    function ModifyOutgoingResponsePhase(products) {
+    function ModifyOutgoingResponsePhase(config, products) {
+        this.config = config;
         this.products = products;
     }
     ModifyOutgoingResponsePhase.prototype.execute = function (context) {
@@ -51,7 +52,7 @@ var ModifyOutgoingResponsePhase = /** @class */ (function () {
                     case 1:
                         _b.sent();
                         if (((_a = context.pxhd) === null || _a === void 0 ? void 0 : _a.source) === pxhd_1.PXHDSource.RISK) {
-                            pxhd_1.PXHDUtils.addPxhdToOutgoingResponse(context, context.response);
+                            pxhd_1.PXHDUtils.addPxhdToOutgoingResponse(this.config, context, context.response);
                         }
                         return [2 /*return*/, { done: false }];
                 }

package/lib/cjs/phase/impl/SendLogsPhase.js

@@ -52,7 +52,9 @@ var SendLogsPhase = /** @class */ (function () {
                     case 1:
                         _a.sent();
                         _a.label = 2;
-                    case 2: return [2 /*return*/, { done: false }];
+                    case 2:
+                        this.config.logger.clearLogs();
+                        return [2 /*return*/, { done: false }];
                 }
             });
         });

package/lib/cjs/products/bot_defender/first_party/DefaultBotDefenderFirstParty.js

@@ -85,6 +85,9 @@ var DefaultBotDefenderFirstParty = /** @class */ (function () {
                             return [2 /*return*/, { defaultResponse: defaultResponse }];
                         }
                         url = this.getThirdPartySensorScriptUrl();
+                        if (!url) {
+                            return [2 /*return*/, { defaultResponse: defaultResponse }];
+                        }
                         return [4 /*yield*/, this.getOutgoingRequest(url, context)];
                     case 1:
                         request = _a.sent();
@@ -105,6 +108,9 @@ var DefaultBotDefenderFirstParty = /** @class */ (function () {
                             return [2 /*return*/, { defaultResponse: defaultResponse }];
                         }
                         url = this.getThirdPartyXhrUrl(context, prefix);
+                        if (!url) {
+                            return [2 /*return*/, { defaultResponse: defaultResponse }];
+                        }
                         return [4 /*yield*/, this.getOutgoingRequest(url, context)];
                     case 1:
                         request = _a.sent();
@@ -133,6 +139,9 @@ var DefaultBotDefenderFirstParty = /** @class */ (function () {
                             return [2 /*return*/, { defaultResponse: defaultResponse }];
                         }
                         url = this.getThirdPartyCaptchaScriptUrl(context);
+                        if (!url) {
+                            return [2 /*return*/, { defaultResponse: defaultResponse }];
+                        }
                         return [4 /*yield*/, this.getOutgoingRequest(url, context)];
                     case 1:
                         request = _a.sent();
@@ -147,7 +156,7 @@ var DefaultBotDefenderFirstParty = /** @class */ (function () {
         return __awaiter(this, void 0, void 0, function () {
             return __generator(this, function (_b) {
                 return [2 /*return*/, new http_1.OutgoingRequestImpl({
-                        url: url,
+                        url: url.href,
                         method: requestData.method,
                         headers: this.prepareFirstPartyHeaders(url, requestData, vid),
                         body: requestData.request.body,
@@ -173,8 +182,7 @@ var DefaultBotDefenderFirstParty = /** @class */ (function () {
         return headers;
     };
     DefaultBotDefenderFirstParty.prototype.setHostHeader = function (headers, url) {
-        var host = this.urlUtils.createUrl(url).host;
-        headers[http_1.HOST_HEADER_NAME] = [host];
+        headers[http_1.HOST_HEADER_NAME] = [url.host];
     };
     DefaultBotDefenderFirstParty.prototype.setXffHeader = function (headers, ip) {
         var xffValue = headers[http_1.X_FORWARDED_FOR_HEADER_NAME] || [];
@@ -185,17 +193,44 @@ var DefaultBotDefenderFirstParty = /** @class */ (function () {
         headers[constants_1.X_PX_ENFORCER_TRUE_IP_HEADER_NAME] = [ip];
     };
     DefaultBotDefenderFirstParty.prototype.getThirdPartySensorScriptUrl = function () {
-        return "".concat(this.config.backendClientUrl, "/").concat(this.config.appId, "/main.min.js");
+        try {
+            return this.urlUtils.createUrl("".concat(this.config.backendClientUrl, "/").concat(this.config.appId, "/main.min.js"));
+        }
+        catch (e) {
+            this.config.logger.debug("unable to create third party sensor URL: ".concat(e));
+            return null;
+        }
     };
     DefaultBotDefenderFirstParty.prototype.getThirdPartyCaptchaScriptUrl = function (context) {
-        var originalUrl = context.requestData.url;
-        var _a = this.config, appId = _a.appId, backendCaptchaUrl = _a.backendCaptchaUrl;
-        return "".concat(backendCaptchaUrl, "/").concat(appId).concat(FirstPartySuffix_1.FirstPartySuffix.CAPTCHA, ".js").concat(originalUrl.search);
+        try {
+            var originalUrl = context.requestData.url;
+            var _a = this.config, appId = _a.appId, backendCaptchaUrl = _a.backendCaptchaUrl;
+            return this.urlUtils.createUrl("".concat(backendCaptchaUrl, "/").concat(appId).concat(FirstPartySuffix_1.FirstPartySuffix.CAPTCHA, ".js").concat(originalUrl.search));
+        }
+        catch (e) {
+            this.config.logger.debug("unable to create third party captcha URL: ".concat(e));
+            return null;
+        }
     };
     DefaultBotDefenderFirstParty.prototype.getThirdPartyXhrUrl = function (context, prefix) {
-        var originalUrl = context.requestData.url;
-        var backendCollectorUrl = this.config.backendCollectorUrl;
-        return "".concat(backendCollectorUrl).concat(originalUrl.pathname.replace(prefix, '')).concat(originalUrl.search);
+        try {
+            var originalUrl = context.requestData.url;
+            var pathname = originalUrl.pathname.replace(prefix, '');
+            var thirdPartyUrl = this.urlUtils.createUrl("".concat(this.config.backendCollectorUrl).concat(pathname).concat(originalUrl.search));
+            var host = this.urlUtils.createUrl(this.config.backendCollectorUrl).host;
+            if (!this.isValidThirdPartyUrl(thirdPartyUrl, host, pathname)) {
+                this.config.logger.debug("invalid third party url: ".concat(thirdPartyUrl));
+                return null;
+            }
+            return thirdPartyUrl;
+        }
+        catch (e) {
+            this.config.logger.debug("unable to create third party XHR URL: ".concat(e));
+            return null;
+        }
+    };
+    DefaultBotDefenderFirstParty.prototype.isValidThirdPartyUrl = function (url, expectedHost, expectedPath) {
+        return url.host.toLowerCase() === expectedHost.toLowerCase() && url.pathname.startsWith(expectedPath);
     };
     return DefaultBotDefenderFirstParty;
 }());

package/lib/cjs/pxhd/PXHDUtils.js

@@ -7,25 +7,26 @@ var PXHDUtils;
 (function (PXHDUtils) {
     PXHDUtils.PXHD_SAMESITE_VALUE = 'Lax';
     PXHDUtils.PXHD_PATH_VALUE = '/';
-    PXHDUtils.addPxhdToOutgoingResponse = function (context, response) {
+    PXHDUtils.addPxhdToOutgoingResponse = function (config, context, response) {
         if (!(context === null || context === void 0 ? void 0 : context.pxhd)) {
             return;
         }
-        var setPxhdCookie = PXHDUtils.getPxhdCookieValue(context.pxhd);
+        var setPxhdCookie = PXHDUtils.getPxhdCookieValue(context.pxhd, config.securedPxhdEnabled);
         response.headers.append(http_1.SET_COOKIE_HEADER_NAME, setPxhdCookie);
     };
-    PXHDUtils.addPxhdToMinimalResponse = function (context, response) {
+    PXHDUtils.addPxhdToMinimalResponse = function (config, context, response) {
         if (context === null || context === void 0 ? void 0 : context.pxhd) {
-            var setPxhdCookie = PXHDUtils.getPxhdCookieValue(context.pxhd);
+            var setPxhdCookie = PXHDUtils.getPxhdCookieValue(context.pxhd, config.securedPxhdEnabled);
             return http_1.MinimalResponseUtils.appendHeader(response, http_1.SET_COOKIE_HEADER_NAME, setPxhdCookie);
         }
         return response;
     };
-    PXHDUtils.getPxhdCookieValue = function (pxhd) {
+    PXHDUtils.getPxhdCookieValue = function (pxhd, isSecure) {
         var value = "".concat(utils_1.PXHD_COOKIE_NAME, "=").concat(pxhd.value);
+        var secure = isSecure ? 'Secure' : '';
         var domain = pxhd.domain && "domain=".concat(pxhd.domain);
         var path = "path=".concat(PXHDUtils.PXHD_PATH_VALUE);
         var sameSite = "SameSite=".concat(PXHDUtils.PXHD_SAMESITE_VALUE);
-        return [value, domain, path, sameSite].filter(Boolean).join('; ');
+        return [value, secure, domain, path, sameSite].filter(Boolean).join('; ');
     };
 })(PXHDUtils || (exports.PXHDUtils = PXHDUtils = {}));

package/lib/cjs/utils/constants.js

@@ -12,5 +12,5 @@ exports.X_PX_BYPASS_REASON_HEADER_NAME = 'x-px-bypass-reason';
 exports.PUSH_DATA_HMAC_HEADER_NAME = 'x-px-pushdata';
 exports.PUSH_DATA_FEATURE_HEADER_NAME = 'x-px-feature';
 exports.EMAIL_ADDRESS_REGEX = /^[a-zA-Z0-9_+&*-]+(?:\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,7}$/;
-exports.URL_REGEX = /^(https?\:)\/\/(([^:\/?#]*)(?:\:([0-9]+))?)([\/]{0,1}[^?#]*)(\?[^#]*|)(#.*|)$/;
-exports.CORE_MODULE_VERSION = 'JS Core 0.13.0';
+exports.URL_REGEX = /^(https?\:)\/\/(([^@\s:]+):?([^@\s]*)@)?(([^:\/?#]*)(?:\:([0-9]+))?)([\/]{0,1}[^?#]*)(\?[^#]*|)(#.*|)$/;
+exports.CORE_MODULE_VERSION = 'JS Core 0.14.0';

package/lib/esm/config/ConfigurationBase.js

@@ -304,4 +304,7 @@ export class ConfigurationBase {
     get urlDecodeReservedCharacters() {
         return this.configParams.px_url_decode_reserved_characters;
     }
+    get securedPxhdEnabled() {
+        return this.configParams.px_secured_pxhd_enabled;
+    }
 }

package/lib/esm/config/defaults/DefaultCommonConfigurationParams.js

@@ -10,7 +10,6 @@ export const DEFAULT_COMMON_CONFIGURATION_PARAMS = {
     px_risk_cookie_max_iterations: 5000,
     px_logger_severity: LoggerSeverity.ERROR,
     px_ip_headers: [],
-    px_extract_ip: null,
     px_module_enabled: true,
     px_module_mode: ModuleMode.MONITOR,
     px_additional_activity_handler: null,
@@ -18,9 +17,6 @@ export const DEFAULT_COMMON_CONFIGURATION_PARAMS = {
     px_max_activity_batch_size: 0,
     px_batch_activities_timeout_ms: 1000,
     px_bypass_monitor_header: '',
-    px_csp_enabled: false,
-    px_csp_no_updates_max_interval_minutes: 60,
-    px_csp_policy_refresh_interval_minutes: 5,
     px_enforced_routes: [],
     px_first_party_enabled: true,
     px_custom_first_party_prefix: '',
@@ -101,7 +97,6 @@ export const DEFAULT_COMMON_CONFIGURATION_PARAMS = {
     px_sensitive_graphql_operation_names: [],
     px_sensitive_graphql_operation_types: [],
     px_enrich_custom_parameters: null,
-    px_proxy_url: '',
     px_jwt_cookie_name: '',
     px_jwt_cookie_user_id_field_name: '',
     px_jwt_cookie_additional_field_names: [],
@@ -115,4 +110,5 @@ export const DEFAULT_COMMON_CONFIGURATION_PARAMS = {
     px_remote_config_max_fetch_attempts: 5,
     px_remote_config_retry_interval_ms: 1000,
     px_url_decode_reserved_characters: false,
+    px_secured_pxhd_enabled: false,
 };

package/lib/esm/impl/url/UrlImpl.js

@@ -7,21 +7,27 @@ export class UrlImpl {
     pathname;
     search;
     hash;
+    username;
+    password;
     _port;
+    urlUtils;
     constructor(rawUrl) {
         const match = rawUrl.match(URL_REGEX);
         if (!match) {
             throw new Error(`Invalid UrlImpl: ${rawUrl}`);
         }
         this.protocol = match[1];
-        this.hostname = match[3];
-        this.port = match[4] || '';
-        this.pathname = match[5] || '/';
-        this.search = match[6] || '';
-        this.hash = match[7] || '';
+        this.username = match[3] || '';
+        this.password = match[4] || '';
+        this.hostname = match[6];
+        this.port = match[7] || '';
+        this.pathname = match[8] || '/';
+        this.search = match[9] || '';
+        this.hash = match[10] || '';
+        this.urlUtils = new CustomImplUrlUtils();
     }
     get href() {
-        return `${this.origin}${this.pathname}${this.search}${this.hash}`;
+        return `${this.protocol}//${this.credentials}${this.host}${this.pathname}${this.search}${this.hash}`;
     }
     get origin() {
         return `${this.protocol}//${this.host}`;
@@ -43,7 +49,7 @@ export class UrlImpl {
         }
     }
     get searchParams() {
-        return new UrlSearchParamsImpl(new CustomImplUrlUtils(), this.search);
+        return new UrlSearchParamsImpl(this.urlUtils, this.search);
     }
     isDefaultPort(port) {
         const PROTOCOL_TO_DEFAULT_PORT = {
@@ -52,4 +58,17 @@ export class UrlImpl {
         };
         return PROTOCOL_TO_DEFAULT_PORT[this.protocol] === port;
     }
+    get credentials() {
+        if (!this.username && !this.password) {
+            return '';
+        }
+        let credentials = '';
+        if (this.username) {
+            credentials += this.urlUtils.encodeUriComponent(this.username);
+        }
+        if (this.password) {
+            credentials += `:${this.urlUtils.encodeUriComponent(this.password)}`;
+        }
+        return `${credentials}@`;
+    }
 }

package/lib/esm/logger/LoggerBase.js

@@ -45,4 +45,7 @@ export class LoggerBase {
         };
         this.logs.push(logRecord);
     }
+    clearLogs() {
+        this.logs = [];
+    }
 }

package/lib/esm/phase/flow/PostEnforceFlow.js

@@ -3,7 +3,7 @@ export class PostEnforceFlow extends CompositePhase {
     constructor(config, { products, activityClient }) {
         super([
             new EnrichContextFromResponsePhase(config, products),
-            new ModifyOutgoingResponsePhase(Object.values(products)),
+            new ModifyOutgoingResponsePhase(config, Object.values(products)),
             new SendAsyncActivitiesOnResponsePhase(activityClient),
         ]);
     }

package/lib/esm/phase/impl/CreateBlockResponsePhase.js

@@ -39,7 +39,7 @@ export class CreateBlockResponsePhase {
     }
     async addHeadersToResponse(response, context) {
         if (!context.isMobile && context.pxhd?.source === PXHDSource.RISK) {
-            response = PXHDUtils.addPxhdToMinimalResponse(context, response);
+            response = PXHDUtils.addPxhdToMinimalResponse(this.config, context, response);
         }
         if (this.config.corsSupportEnabled && this.cors?.isCorsRequest(context)) {
             const corsHeaders = await this.cors.getCorsBlockHeaders(context);

package/lib/esm/phase/impl/ModifyOutgoingResponsePhase.js

@@ -1,13 +1,15 @@
 import { PXHDSource, PXHDUtils } from '../../pxhd';
 export class ModifyOutgoingResponsePhase {
+    config;
     products;
-    constructor(products) {
+    constructor(config, products) {
+        this.config = config;
         this.products = products;
     }
     async execute(context) {
         await Promise.all(this.products.map((product) => product?.modifyOutgoingResponse(context)));
         if (context.pxhd?.source === PXHDSource.RISK) {
-            PXHDUtils.addPxhdToOutgoingResponse(context, context.response);
+            PXHDUtils.addPxhdToOutgoingResponse(this.config, context, context.response);
         }
         return { done: false };
     }

package/lib/esm/phase/impl/SendLogsPhase.js

@@ -9,6 +9,7 @@ export class SendLogsPhase {
         if (context.shouldSendLogs) {
             await this.logServiceClient.sendLogs(context, this.config.logger.getLogs());
         }
+        this.config.logger.clearLogs();
         return { done: false };
     }
 }

package/lib/esm/products/bot_defender/first_party/DefaultBotDefenderFirstParty.js

@@ -31,6 +31,9 @@ export class DefaultBotDefenderFirstParty {
             return { defaultResponse };
         }
         const url = this.getThirdPartySensorScriptUrl();
+        if (!url) {
+            return { defaultResponse };
+        }
         const request = await this.getOutgoingRequest(url, context);
         this.config.logger.debug(`proxying first party sensor script ${context.requestData.url.pathname} to ${url}`);
         return { request, defaultResponse };
@@ -41,6 +44,9 @@ export class DefaultBotDefenderFirstParty {
             return { defaultResponse };
         }
         const url = this.getThirdPartyXhrUrl(context, prefix);
+        if (!url) {
+            return { defaultResponse };
+        }
         const request = await this.getOutgoingRequest(url, context);
         this.config.logger.debug(`proxying first party XHR request ${context.requestData.url.pathname} to ${url}`);
         return { request, defaultResponse };
@@ -59,13 +65,16 @@ export class DefaultBotDefenderFirstParty {
             return { defaultResponse };
         }
         const url = this.getThirdPartyCaptchaScriptUrl(context);
+        if (!url) {
+            return { defaultResponse };
+        }
         const request = await this.getOutgoingRequest(url, context);
         this.config.logger.debug(`proxying first party captcha script ${context.requestData.url.pathname} to ${url}`);
         return { request, defaultResponse };
     }
     async getOutgoingRequest(url, { requestData, vid }) {
         return new OutgoingRequestImpl({
-            url: url,
+            url: url.href,
             method: requestData.method,
             headers: this.prepareFirstPartyHeaders(url, requestData, vid),
             body: requestData.request.body,
@@ -89,8 +98,7 @@ export class DefaultBotDefenderFirstParty {
         return headers;
     }
     setHostHeader(headers, url) {
-        const { host } = this.urlUtils.createUrl(url);
-        headers[HOST_HEADER_NAME] = [host];
+        headers[HOST_HEADER_NAME] = [url.host];
     }
     setXffHeader(headers, ip) {
         const xffValue = headers[X_FORWARDED_FOR_HEADER_NAME] || [];
@@ -101,16 +109,43 @@ export class DefaultBotDefenderFirstParty {
         headers[X_PX_ENFORCER_TRUE_IP_HEADER_NAME] = [ip];
     }
     getThirdPartySensorScriptUrl() {
-        return `${this.config.backendClientUrl}/${this.config.appId}/main.min.js`;
+        try {
+            return this.urlUtils.createUrl(`${this.config.backendClientUrl}/${this.config.appId}/main.min.js`);
+        }
+        catch (e) {
+            this.config.logger.debug(`unable to create third party sensor URL: ${e}`);
+            return null;
+        }
     }
     getThirdPartyCaptchaScriptUrl(context) {
-        const originalUrl = context.requestData.url;
-        const { appId, backendCaptchaUrl } = this.config;
-        return `${backendCaptchaUrl}/${appId}${FirstPartySuffix.CAPTCHA}.js${originalUrl.search}`;
+        try {
+            const originalUrl = context.requestData.url;
+            const { appId, backendCaptchaUrl } = this.config;
+            return this.urlUtils.createUrl(`${backendCaptchaUrl}/${appId}${FirstPartySuffix.CAPTCHA}.js${originalUrl.search}`);
+        }
+        catch (e) {
+            this.config.logger.debug(`unable to create third party captcha URL: ${e}`);
+            return null;
+        }
     }
     getThirdPartyXhrUrl(context, prefix) {
-        const originalUrl = context.requestData.url;
-        const { backendCollectorUrl } = this.config;
-        return `${backendCollectorUrl}${originalUrl.pathname.replace(prefix, '')}${originalUrl.search}`;
+        try {
+            const originalUrl = context.requestData.url;
+            const pathname = originalUrl.pathname.replace(prefix, '');
+            const thirdPartyUrl = this.urlUtils.createUrl(`${this.config.backendCollectorUrl}${pathname}${originalUrl.search}`);
+            const { host } = this.urlUtils.createUrl(this.config.backendCollectorUrl);
+            if (!this.isValidThirdPartyUrl(thirdPartyUrl, host, pathname)) {
+                this.config.logger.debug(`invalid third party url: ${thirdPartyUrl}`);
+                return null;
+            }
+            return thirdPartyUrl;
+        }
+        catch (e) {
+            this.config.logger.debug(`unable to create third party XHR URL: ${e}`);
+            return null;
+        }
+    }
+    isValidThirdPartyUrl(url, expectedHost, expectedPath) {
+        return url.host.toLowerCase() === expectedHost.toLowerCase() && url.pathname.startsWith(expectedPath);
     }
 }

package/lib/esm/pxhd/PXHDUtils.js

@@ -4,25 +4,26 @@ export var PXHDUtils;
 (function (PXHDUtils) {
     PXHDUtils.PXHD_SAMESITE_VALUE = 'Lax';
     PXHDUtils.PXHD_PATH_VALUE = '/';
-    PXHDUtils.addPxhdToOutgoingResponse = (context, response) => {
+    PXHDUtils.addPxhdToOutgoingResponse = (config, context, response) => {
         if (!context?.pxhd) {
             return;
         }
-        const setPxhdCookie = PXHDUtils.getPxhdCookieValue(context.pxhd);
+        const setPxhdCookie = PXHDUtils.getPxhdCookieValue(context.pxhd, config.securedPxhdEnabled);
         response.headers.append(SET_COOKIE_HEADER_NAME, setPxhdCookie);
     };
-    PXHDUtils.addPxhdToMinimalResponse = (context, response) => {
+    PXHDUtils.addPxhdToMinimalResponse = (config, context, response) => {
         if (context?.pxhd) {
-            const setPxhdCookie = PXHDUtils.getPxhdCookieValue(context.pxhd);
+            const setPxhdCookie = PXHDUtils.getPxhdCookieValue(context.pxhd, config.securedPxhdEnabled);
             return MinimalResponseUtils.appendHeader(response, SET_COOKIE_HEADER_NAME, setPxhdCookie);
         }
         return response;
     };
-    PXHDUtils.getPxhdCookieValue = (pxhd) => {
+    PXHDUtils.getPxhdCookieValue = (pxhd, isSecure) => {
         const value = `${PXHD_COOKIE_NAME}=${pxhd.value}`;
+        const secure = isSecure ? 'Secure' : '';
         const domain = pxhd.domain && `domain=${pxhd.domain}`;
         const path = `path=${PXHDUtils.PXHD_PATH_VALUE}`;
         const sameSite = `SameSite=${PXHDUtils.PXHD_SAMESITE_VALUE}`;
-        return [value, domain, path, sameSite].filter(Boolean).join('; ');
+        return [value, secure, domain, path, sameSite].filter(Boolean).join('; ');
     };
 })(PXHDUtils || (PXHDUtils = {}));

package/lib/esm/utils/constants.js

@@ -9,5 +9,5 @@ export const X_PX_BYPASS_REASON_HEADER_NAME = 'x-px-bypass-reason';
 export const PUSH_DATA_HMAC_HEADER_NAME = 'x-px-pushdata';
 export const PUSH_DATA_FEATURE_HEADER_NAME = 'x-px-feature';
 export const EMAIL_ADDRESS_REGEX = /^[a-zA-Z0-9_+&*-]+(?:\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,7}$/;
-export const URL_REGEX = /^(https?\:)\/\/(([^:\/?#]*)(?:\:([0-9]+))?)([\/]{0,1}[^?#]*)(\?[^#]*|)(#.*|)$/;
-export const CORE_MODULE_VERSION = 'JS Core 0.13.0';
+export const URL_REGEX = /^(https?\:)\/\/(([^@\s:]+):?([^@\s]*)@)?(([^:\/?#]*)(?:\:([0-9]+))?)([\/]{0,1}[^?#]*)(\?[^#]*|)(#.*|)$/;
+export const CORE_MODULE_VERSION = 'JS Core 0.14.0';

package/lib/types/config/ConfigurationBase.d.ts

@@ -97,4 +97,5 @@ export declare abstract class ConfigurationBase<Req, Res, ParamsType extends Con
     get remoteConfigRetryIntervalMs(): number;
     get remoteConfigMaxFetchAttempts(): number;
     get urlDecodeReservedCharacters(): boolean;
+    get securedPxhdEnabled(): boolean;
 }

package/lib/types/config/IConfiguration.d.ts

@@ -337,6 +337,10 @@ export interface IConfiguration<Req, Res, ParamsType extends ConfigurationParams
      * Whether reserved URL characters should be percent-decoded when parsing the incoming request URL.
      */
     readonly urlDecodeReservedCharacters: boolean;
+    /**
+     * Whether to add the Secure attribute when setting the PXHD cookie.
+     */
+    readonly securedPxhdEnabled: boolean;
     /**
      * Returns an object representation of the current configuration.
      */