serverless-openapi-documenter 0.0.61 → 0.0.63

package/README.md

@@ -61,6 +61,9 @@ Options:
 #### Model Details
 * [Models](#models)
 * [Notes on Schemas](#notes-on-schemas)
+#### Response Headers
+* [CORS](#cors)
+* [OWASP Secure Headers](#owasp)
 
 ### OpenAPI Mapping
 
@@ -729,6 +732,80 @@ You can automatically generate CORS response headers by setting `cors` at the fu
 
 The generator will interpret your settings for CORS and automatically add the response headers.  If for whatever reason you wish to override these, you can set them via the above `responseHeaders` setting and it'll apply your overrides.
 
+##### OWASP
+
+You can make use of the [OWASP Secure Headers](https://owasp.org/www-project-secure-headers/#x-permitted-cross-domain-policies) to generate response headers.  These are a selection of response headers with default values that OWASP recommends returning with your response to help secure your application.
+
+The OWASP Secure Headers Project contains a set of recommended headers to return with recommended values, when generating the documentation, the generator will attempt to get the latest version of this document and apply the latest recommendations.  If you do not allow outside connections, it will default to a version of recommendations from **2023-05-26 12:22:30 UTC**.
+
+Like CORS, if you have already set any of the OWASP Secure headers via `responseHeaders`, it will not overwrite them.
+
+To make use of OWASP Secure Headers, you can use the following:
+
+###### All OWASP Secure Headers
+
+```yml
+methodResponse:
+  - statusCode: 200
+    responseBody:
+      description: Success
+    responseModels:
+      application/json: "CreateResponse"
+    owasp: true
+```
+
+This will use the full set of OWASP Secure Headers and their recommended values.  Some of these might not be appropriate for your application.
+
+###### Subset of OWASP Secure Headers
+
+```yml
+methodResponse:
+  - statusCode: 200
+    responseBody:
+      description: Success
+    responseModels:
+      application/json: "CreateResponse"
+    owasp:
+      cacheControl: true
+      referrerPolicy: true
+```
+
+This will set only the `cacheControl` and `referrerPolicy` response header with the default recommendations.
+
+The full list of OWASP Secure Headers you can set are:
+
+* cacheControl - Cache-Control,
+* clearSiteData - Clear-Site-Data,
+* contentSecurityPolicy - Content-Security-Policy,
+* crossOriginEmbedderPolicy - Cross-Origin-Embedder-Policy,
+* crossOriginOpenerPolicy - Cross-Origin-Opener-Policy,
+* crossOriginResourcePolicy - Cross-Origin-Resource-Policy,
+* permissionsPolicy - Permissions-Policy,
+* pragma - Pragma,
+* referrerPolicy - Referrer-Policy,
+* strictTransportSecurity - Strict-Transport-Security,
+* xContentTypeOptions - X-Content-Type-Options,
+* xFrameOptions - X-Frame-Options,
+* xPermittedCrossDomainPolicies - X-Permitted-Cross-Domain-Policies
+
+###### Subset of OWASP Secure Headers with user defined values
+
+If you wish to override the OWASP Secure Headers, you can write your `methodResponse` like:
+
+```yml
+methodResponse:
+  - statusCode: 200
+    responseBody:
+      description: Success
+    responseModels:
+      application/json: "CreateResponse"
+    owasp:
+      cacheControl:
+        value: no-store
+```
+
+This will set the `Cache-Control` Response Header to have a value of "no-store" rather than any value the OWASP Secure Headers Project recommends.
+
 ## Example configuration
 
 Please view the example [serverless.yml](test/serverless-tests/serverless%202/serverless.yml).

package/json/owasp.json

@@ -0,0 +1,57 @@
+{
+    "last_update_utc": "2023-05-26 12:22:30",
+    "headers": [
+      {
+        "name": "Cache-Control",
+        "value": "no-store, max-age=0"
+      },
+      {
+        "name": "Clear-Site-Data",
+        "value": "\"cache\",\"cookies\",\"storage\""
+      },
+      {
+        "name": "Content-Security-Policy",
+        "value": "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
+      },
+      {
+        "name": "Cross-Origin-Embedder-Policy",
+        "value": "require-corp"
+      },
+      {
+        "name": "Cross-Origin-Opener-Policy",
+        "value": "same-origin"
+      },
+      {
+        "name": "Cross-Origin-Resource-Policy",
+        "value": "same-origin"
+      },
+      {
+        "name": "Permissions-Policy",
+        "value": "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()"
+      },
+      {
+        "name": "Pragma",
+        "value": "no-cache"
+      },
+      {
+        "name": "Referrer-Policy",
+        "value": "no-referrer"
+      },
+      {
+        "name": "Strict-Transport-Security",
+        "value": "max-age=31536000 ; includeSubDomains"
+      },
+      {
+        "name": "X-Content-Type-Options",
+        "value": "nosniff"
+      },
+      {
+        "name": "X-Frame-Options",
+        "value": "deny"
+      },
+      {
+        "name": "X-Permitted-Cross-Domain-Policies",
+        "value": "none"
+      }
+    ]
+  }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "serverless-openapi-documenter",
-  "version": "0.0.61",
+  "version": "0.0.63",
   "description": "Generate OpenAPI v3 documentation and Postman Collections from your Serverless Config",
   "main": "index.js",
   "keywords": [
@@ -38,7 +38,7 @@
     "json-schema-for-openapi": "^0.3.2",
     "lodash.isequal": "^4.5.0",
     "oas-validator": "^5.0.8",
-    "openapi-to-postmanv2": "^4.12.0",
+    "openapi-to-postmanv2": "^4.13.0",
     "swagger2openapi": "^7.0.8",
     "uuid": "^9.0.0"
   },

package/src/definitionGenerator.js

@@ -6,6 +6,7 @@ const { v4: uuid } = require('uuid')
 const validator = require('oas-validator');
 
 const SchemaHandler = require('./schemaHandler')
+const oWASP = require('./owasp')
 
 class DefinitionGenerator {
     constructor(serverless, options = {}) {
@@ -41,7 +42,7 @@ class DefinitionGenerator {
 
         this.DEFAULT_CORS_HEADERS = {
             'Access-Control-Allow-Origin': {
-                description: 'The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin.',
+                description: 'The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given [origin](https://developer.mozilla.org/en-US/docs/Glossary/Origin). - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)',
                 schema: {
                     type: 'string',
                     default: '*',
@@ -49,7 +50,7 @@ class DefinitionGenerator {
                 }
             },
             'Access-Control-Allow-Credentials': {
-                description: `The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to the frontend JavaScript code when the request's credentials mode (Request.credentials) is include`,
+                description: `The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to the frontend JavaScript code when the request's credentials mode ([Request.credentials](https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials)) is include. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials)`,
                 schema: {
                     type: 'boolean',
                     default: true
@@ -68,6 +69,8 @@ class DefinitionGenerator {
     async parse() {
         this.createInfo()
 
+        await oWASP.getLatest()
+
         await this.schemaHandler.addModelsToOpenAPI()
             .catch(err => {
                 throw err
@@ -379,21 +382,44 @@ class DefinitionGenerator {
                     })
             }
 
+            let owaspHeaders = {}
+            if (response.owasp) {
+                if (typeof response.owasp === 'boolean') {
+                    owaspHeaders = await this.createResponseHeaders(oWASP.DEFAULT_OWASP_HEADERS)
+                        .catch(err => {
+                            throw err
+                        })
+                } else {
+                    owaspHeaders = await this.createResponseHeaders(oWASP.getHeaders(response.owasp))
+                        .catch(err => {
+                            throw err
+                        })
+                }
+            }
 
             const corsHeaders = await this.corsHeaders()
                 .catch(err => {
                     throw err;
                 })
 
-            if (obj.headers) {
-                for (const key in corsHeaders) {
+            const addHeaders = (headers) => {
+                for (const key in headers) {
                     if (!(key in obj.headers) && (obj.headers[key] = {})) {
-                        obj.headers[key] = corsHeaders[key]
+                        obj.headers[key] = headers[key]
                     }
                 }
+            }
+
+            if (obj.headers) {
+                addHeaders(corsHeaders)
+                addHeaders(owaspHeaders)
             } else {
-                if (Object.keys(corsHeaders).length)
+                if (Object.keys(corsHeaders).length) {
                     obj.headers = corsHeaders
+                    addHeaders(owaspHeaders)
+                } else {
+                    obj.headers = owaspHeaders
+                }
             }
 
             Object.assign(responses, { [response.statusCode]: obj })

package/src/owasp.js

@@ -0,0 +1,141 @@
+'use strict'
+
+const https = require('https')
+
+const defaultOWASP = require('../json/owasp.json')
+
+/**
+ * @typedef {Object} Header
+ * @property {string} name - The name of the header
+ * @property {string} value - The default value of the header
+ */
+
+/**
+ * @typedef {Object} OWASPHeaders
+ * @property {string} last_update_utc - When the headers were last updated in UTC
+ * @property {Array.<Header>} headers - An array of headers
+ */
+
+class OWASP {
+    constructor() {
+        this.DEFAULT_OWASP_HEADERS = {
+            "Cache-Control": {
+                description: 'The Cache-Control HTTP header field holds directives (instructions) — in both requests and responses — that control [caching](https://developer.mozilla.org/en-US/docs/Web/HTTP/Caching) in browsers and shared caches (e.g. Proxies, CDNs). - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control)',
+            },
+            "Clear-Site-Data": {
+                description: 'The Clear-Site-Data header clears browsing data (cookies, storage, cache) associated with the requesting website. It allows web developers to have more control over the data stored by a client browser for their origins. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data)',
+            },
+            "Content-Security-Policy": {
+                description: 'The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks ([Cross-site scripting](https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting)). - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)',
+            },
+            "Cross-Origin-Embedder-Policy": {
+                description: 'The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures embedding cross-origin resources into the document. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy)',
+            },
+            "Cross-Origin-Opener-Policy": {
+                description: 'The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy)',
+            },
+            "Cross-Origin-Resource-Policy": {
+                description: 'Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets websites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy)',
+            },
+            "Permissions-Policy": {
+                description: 'The HTTP Permissions-Policy header provides a mechanism to allow and deny the use of browser features in a document or within any [<iframe>](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe) elements in the document. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy)',
+            },
+            "Pragma": {
+                description: 'The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. This header serves for backwards compatibility with the HTTP/1.0 caches that do not have a [Cache-Control](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control) HTTP/1.1 header. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Pragma)',
+                deprecated: true,
+            },
+            "Referrer-Policy": {
+                description: 'The Referrer-Policy [HTTP header](https://developer.mozilla.org/en-US/docs/Glossary/HTTP_header) controls how much [referrer information](https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns) (sent with the [Referer](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) header) should be included with requests. Aside from the HTTP header, you can [set this policy in HTML](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#integration_with_html). - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)',
+            },
+            "Strict-Transport-Security": {
+                description: 'The HTTP Strict-Transport-Security response header (often abbreviated as [HSTS](https://developer.mozilla.org/en-US/docs/Glossary/HSTS)) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)',
+            },
+            "X-Content-Type-Options": {
+                description: 'The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the [MIME types](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) advertised in the [Content-Type](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type) headers should be followed and not be changed. The header allows you to avoid [MIME type sniffing](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#mime_sniffing) by saying that the MIME types are deliberately configured. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)',
+            },
+            "X-Frame-Options": {
+                description: 'The X-Frame-Options [HTTP](https://developer.mozilla.org/en-US/docs/Web/HTTP) response header can be used to indicate whether or not a browser should be allowed to render a page in a [<frame>](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/frame), [<iframe>](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe), [<embed>](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/embed) or [<object>](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/object). Sites can use this to avoid [click-jacking](https://developer.mozilla.org/en-US/docs/Web/Security/Types_of_attacks#click-jacking) attacks, by ensuring that their content is not embedded into other sites. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)',
+            },
+            "X-Permitted-Cross-Domain-Policies": {
+                description: "A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When clients request content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction. Normally a meta-policy is declared in the master policy file, but for those who can't write to the root directory, they can also declare a meta-policy using the X-Permitted-Cross-Domain-Policies HTTP response header. - [OWASP Link](https://owasp.org/www-project-secure-headers/#x-permitted-cross-domain-policies)",
+            }
+        }
+
+        this.headerMap = {
+            cacheControl: 'Cache-Control',
+            clearSiteData: 'Clear-Site-Data',
+            contentSecurityPolicy: 'Content-Security-Policy',
+            crossOriginEmbedderPolicy: 'Cross-Origin-Embedder-Policy',
+            crossOriginOpenerPolicy: 'Cross-Origin-Opener-Policy',
+            crossOriginResourcePolicy: 'Cross-Origin-Resource-Policy',
+            permissionsPolicy: 'Permissions-Policy',
+            pragma: 'Pragma',
+            referrerPolicy: 'Referrer-Policy',
+            strictTransportSecurity: 'Strict-Transport-Security',
+            xContentTypeOptions: 'X-Content-Type-Options',
+            xFrameOptions: 'X-Frame-Options',
+            xPermittedCrossDomainPolicies: 'X-Permitted-Cross-Domain-Policies'
+        }
+    }
+
+    async getLatest() {
+        const headerJSON = await new Promise((resolve, reject) => {
+            const req = https.get('https://owasp.org/www-project-secure-headers/ci/headers_add.json', (res) => {
+                let data = []
+
+                if (res.statusCode !== 200) {
+                    resolve(defaultOWASP)
+                }
+
+                res.on('error', (err) => {
+                    resolve(defaultOWASP)
+                })
+
+                res.on('data', (chunk) => {
+                    data.push(chunk)
+                })
+
+                res.on('end', () => {
+                    resolve(JSON.parse(Buffer.concat(data).toString()))
+                })
+            })
+                .on('error', (err) => {
+                    resolve(defaultOWASP)
+                })
+
+            req.end()
+        })
+
+        this.populateDefaults(headerJSON)
+    }
+
+    /**
+     * @funtion populateDefaults
+     * @param {OWASPHeaders} headerJSON
+     */
+    populateDefaults(headerJSON) {
+        for (const header of headerJSON.headers) {
+            if (this.DEFAULT_OWASP_HEADERS?.[header.name]) {
+                Object.assign(this.DEFAULT_OWASP_HEADERS[header.name], {schema: {type: 'string', default: header.value}})
+            } else {
+                Object.assign(this.DEFAULT_OWASP_HEADERS, {[header.name]: {schema: {type: 'string', default: header.value}}})
+            }
+        }
+    }
+
+    getHeaders(headerList) {
+        const obj = {}
+        for (const headerName of Object.keys(headerList)) {
+            const defaultHeader = this.DEFAULT_OWASP_HEADERS[this.headerMap[headerName]]
+            Object.assign(obj, {[this.headerMap[headerName]]: defaultHeader})
+
+            if (typeof headerList[headerName] !== 'boolean') {
+                obj[this.headerMap[headerName]].schema.default = headerList[headerName].value
+            }
+        }
+
+        return obj
+    }
+}
+
+module.exports = new OWASP()

package/test/json/newOWASP.json

@@ -0,0 +1,57 @@
+{
+    "last_update_utc": "2023-05-26 12:22:30",
+    "headers": [
+      {
+        "name": "Cache-Control",
+        "value": "no-store, max-age=0"
+      },
+      {
+        "name": "Clear-Site-Data",
+        "value": "\"cache\",\"cookies\",\"storage\""
+      },
+      {
+        "name": "Content-Security-Policy",
+        "value": "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
+      },
+      {
+        "name": "Cross-Origin-Embedder-Policy",
+        "value": "credentialless"
+      },
+      {
+        "name": "Cross-Origin-Opener-Policy",
+        "value": "same-origin"
+      },
+      {
+        "name": "Cross-Origin-Resource-Policy",
+        "value": "same-origin"
+      },
+      {
+        "name": "Permissions-Policy",
+        "value": "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()"
+      },
+      {
+        "name": "Pragma",
+        "value": "no-cache"
+      },
+      {
+        "name": "Referrer-Policy",
+        "value": "no-referrer"
+      },
+      {
+        "name": "Strict-Transport-Security",
+        "value": "max-age=31536000 ; includeSubDomains"
+      },
+      {
+        "name": "X-Content-Type-Options",
+        "value": "nosniff"
+      },
+      {
+        "name": "X-Frame-Options",
+        "value": "deny"
+      },
+      {
+        "name": "X-Permitted-Cross-Domain-Policies",
+        "value": "none"
+      }
+    ]
+  }

package/test/unit/owasp.spec.js

@@ -0,0 +1,113 @@
+'use strict'
+
+const expect = require('chai').expect
+const nock = require('nock')
+
+const owasp = require('../../src/owasp')
+
+const owaspJSON = require('../../json/owasp.json')
+const newOWASPJSON = require('../json/newOWASP.json')
+
+describe(`owasp`, function () {
+    describe(`getLatest`, function () {
+        it(`populates the defaults from the included OWASP release when the online version can not be reached`, async function() {
+            nock('https://owasp.org')
+                .get('/www-project-secure-headers/ci/headers_add.json')
+                .reply(404, {})
+
+            await owasp.getLatest()
+                .catch(err => {
+                    console.error(err)
+                    expect(err).to.be.undefined
+                })
+
+            expect(owasp.DEFAULT_OWASP_HEADERS['Permissions-Policy']).to.have.property('schema')
+            const permissionsPolicyDefault = owaspJSON.headers.filter(obj => obj.name === 'Permissions-Policy')
+            expect(owasp.DEFAULT_OWASP_HEADERS['Permissions-Policy'].schema.default).to.be.equal(permissionsPolicyDefault[0].value)
+            expect(Object.keys(owasp.DEFAULT_OWASP_HEADERS).length).to.be.equal(13)
+        });
+
+        it(`populates the defaults with information from a new OWASP release`, async function() {
+            nock('https://owasp.org')
+                .get('/www-project-secure-headers/ci/headers_add.json')
+                .reply(200, newOWASPJSON)
+
+            await owasp.getLatest()
+                .catch(err => {
+                    console.error(err)
+                    expect(err).to.be.undefined
+                })
+
+            expect(owasp.DEFAULT_OWASP_HEADERS['Cross-Origin-Embedder-Policy']).to.have.property('schema')
+            const newCrossOriginEmbedderPolicy = newOWASPJSON.headers.filter(obj => obj.name === 'Cross-Origin-Embedder-Policy')
+            expect(owasp.DEFAULT_OWASP_HEADERS['Cross-Origin-Embedder-Policy'].schema.default).to.be.equal(newCrossOriginEmbedderPolicy[0].value)
+            expect(Object.keys(owasp.DEFAULT_OWASP_HEADERS).length).to.be.equal(13)
+        });
+
+        it(`does not remove any defaults not contained in a new release`, async function() {
+            const newOWASPJSONMissing = JSON.parse(JSON.stringify(newOWASPJSON))
+
+            const headers = newOWASPJSONMissing.headers.filter(obj => obj.name !== 'Pragma')
+            newOWASPJSONMissing.headers = headers
+
+            nock('https://owasp.org')
+                .get('/www-project-secure-headers/ci/headers_add.json')
+                .reply(200, newOWASPJSONMissing)
+
+            await owasp.getLatest()
+                .catch(err => {
+                    console.error(err)
+                    expect(err).to.be.undefined
+                })
+
+            expect(owasp.DEFAULT_OWASP_HEADERS).to.have.property('Pragma')
+            expect(Object.keys(owasp.DEFAULT_OWASP_HEADERS).length).to.be.equal(13)
+        });
+
+        it(`adds any properties contained in a new release`, async function() {
+            const newOWASPJSONAdded = JSON.parse(JSON.stringify(newOWASPJSON))
+            newOWASPJSONAdded.headers.push({name: 'x-added', value: 'true'})
+
+            nock('https://owasp.org')
+                .get('/www-project-secure-headers/ci/headers_add.json')
+                .reply(200, newOWASPJSONAdded)
+
+            await owasp.getLatest()
+                .catch(err => {
+                    console.error(err)
+                    expect(err).to.be.undefined
+                })
+
+            expect(owasp.DEFAULT_OWASP_HEADERS).to.have.property('x-added')
+            expect(owasp.DEFAULT_OWASP_HEADERS['x-added']).to.have.property('schema')
+            expect(owasp.DEFAULT_OWASP_HEADERS['x-added'].schema.default).to.be.equal('true')
+            expect(Object.keys(owasp.DEFAULT_OWASP_HEADERS).length).to.be.equal(14)
+        });
+    });
+
+    describe(`getHeaders`, function () {
+        it(`brings back default headers from a list`, function() {
+            const headerOptions = {cacheControl: true, xFrameOptions: true}
+            const headers = owasp.getHeaders(headerOptions)
+
+            expect(Object.keys(headers).length).to.be.equal(2)
+        });
+
+        it(`brings back default headers from a list with new schema defaults when values are provided`, function() {
+            const headerOptions = {
+                referrerPolicy: {
+                    value: 'true'
+                },
+                crossOriginOpenerPolicy: {
+                    value: 'strict'
+                }
+            }
+
+            const headers = owasp.getHeaders(headerOptions)
+
+            expect(Object.keys(headers).length).to.be.equal(2)
+
+            expect(headers['Cross-Origin-Opener-Policy'].schema.default === 'strict')
+        });
+    });
+});