npm - slower - Versions diffs - 1.1.10 → 1.1.12 - Mend

slower 1.1.10 → 1.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/lib/router.js CHANGED Viewed

@@ -1,6 +1,6 @@
 const http = require('http');
 const fs = require('fs');
-const { noop, slugify, isSparseEqual, last, renderDynamicHTML, setSocketLocals } = require('./utils');
+const { noop, slugify, isSparseEqual, last, renderDynamicHTML, setSocketLocals, setSocketSecurityHeaders } = require('./utils');
 class Route {
     constructor (path, type, callback) {
@@ -33,6 +33,7 @@ class SlowerRouter {
     }
     constructor () {
+        this.strictHeaders = false;
         this.routes = [];
         this.middleware = [noop];
         this.fallback = noop;
@@ -40,6 +41,20 @@ class SlowerRouter {
         this.blockedMethodCallback = noop;
     }
+    enableStrictHeaders () {
+        // This activates the responses with many security-related response headers.
+        //  It is not enabled by default, as some header are very restrictive
+        this.strictHeaders = true;
+        return this;
+    }
+    disableStrictHeaders () {
+        // This deactivates the responses with many security-related response headers.
+        //  It is not enabled by default, as some headers are very restrictive
+        this.strictHeaders = false;
+        return this;
+    }
     /**
      * Defines a route for a determined request method
      * @category Router
@@ -291,6 +306,10 @@ class SlowerRouter {
             try {
                 // Sets local req.session object
                 setSocketLocals(req);
+                // Sets security headers in req.headers
+                // This is set before custom callbacks are applies
+                // so it is possible to override all of the headers
+                if (!!this.strictHeaders) setSocketSecurityHeaders(req);
                 // Runs all middlewares
                 for (let i = 0; i < middle.length; i++) { middle[i](req, res); }
                 // Only respond to allowed methods with callbacks, else, use the default empty response.

package/lib/utils.js CHANGED Viewed

@@ -86,6 +86,59 @@ const setSocketLocals = (socket) => {
     return socket;
 }
+const setSocketSecurityHeaders = (req) => {
+    // This should be set in a regular website:
+    // Forces the use of HTTPS for a long time, including subDomains - and prevent MitM attacks
+    // Does not work in servers that don't allow HTTPS (like this one)
+    // req.setHeader('Strict-Transport-Security', ['max-age=31536000', 'includeSubDomains']); // Only works on HTTPS
+    // This blocks requests with MIME type different from style/css and */script
+    // TODO test this - probably gonna break the server, as MIMEs are not overriden here
+    // req.setHeader('X-Content-Type-Options', 'nosniff');
+    // This deines the main security policy - Usually, when using a website,
+    // this should be highly customized, but, for simple sites, it can be leaved like that:
+    req.setHeader('Content-Security-Policy', [
+        'default-src=none',
+        'script-src=self',
+        'connect-src=self',
+        'img-src=self',
+        'style-src=self',
+        'frame-ancestors=none',
+        'form-action=self',
+        // 'upgrade-insecure-requests' // Only works on HTTPS
+    ]);
+    // Isolates the browsing context exclusively to same-origin documents.
+    // Cross-origin documents are not loaded in the same browsing context.
+    req.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
+    // The HTTP Cross-Origin-Resource-Policy response header conveys a desire
+    // that the browser blocks no-cors cross-origin/cross-site requests to the given resource.
+    req.setHeader('Cross-Origin-Resource-Policy', 'same-site');
+    // A new HTTP response header that instructs the browser
+    // to prevent synchronous scripting access between same-site cross-origin pages.
+    req.setHeader('Origin-Agent-Cluster', '?1');
+    // Blocks information about the website when sending
+    // local requests or redirections to other sites
+    req.setHeader('Referrer-Policy', 'no-referrer');
+    // Enabling this makes all URLs in a page (even the cross domain ones)
+    // to be prefetched - This is dangerouns in terms of DNS queries
+    req.setHeader('X-DNS-Prefetch-Control', 'off');
+    // A legacy header, just for IE, and is highly dangerous
+    // Not setting this as disabled can cause malicious
+    // HTML+JS code to be loaded in the wrong context
+    req.setHeader('X-Download-Options', 'noopen');
+    // Blocks attempts to display the website as an IFrame
+    // If another website tries to display this website as a frame,
+    // this header will block it
+    req.setHeader('X-Frame-Options', 'DENY');
+    // Set the unnecessary XSS-Protection legacy header to disabled
+    // This header increases the number of vulnerabilities, and is used only in IE
+    req.setHeader('X-XSS-Protection', 0);
+    // Remove X-Powered-By - This header allows attackers to
+    // gather information about the application engine
+    if (req.hasHeader('X-Powered-By')) req.removeHeader('X-Powered-By');
+}
 const toBool = [() => true, () => false];
-module.exports = { noop, slugify, isSparseEqual, toBool, last, renderDynamicHTML, setSocketLocals };
+module.exports = { noop, slugify, isSparseEqual, toBool, last, renderDynamicHTML, setSocketLocals, setSocketSecurityHeaders };

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "slower",
-  "version": "1.1.10",
-  "description": "",
+  "version": "1.1.12",
+  "description": "A package for simple HTTP server routing.",
   "main": "index.js",
   "directories": {
     "lib": "lib"
@@ -10,6 +10,6 @@
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "keywords": [],
-  "author": "",
+  "author": "no.mad.devtech@gmail.com",
   "license": "ISC"
 }

package/readme.md CHANGED Viewed

@@ -63,4 +63,24 @@ a socket will receive the modified socket instead.
 during the lifetime of a single connection. Useful for keeping short-life local variables.
 - In HTTP ```http.IncomingMessage``` instances, the 'socket' instance is found over 'request'.
-So, considering the common callback of ```(req, res)```, the session container will be ```req.session```
+So, considering the common callback of ```(req, res)```, the session container will be ```req.session```
+### API security headers implementation:
+ - It is possible to enforce a higher set of security headers on responses
+   without having to set them manually. The API 'enableStrictHeaders' and 'disableStrictHeaders'
+   methods do exacly that. The strict headers are disabled by default, as some resources are too strict,
+   but it is also possible to enable them all, and then set a middleware to override any header.
+ - Headers set by 'enableStrictHeaders':
+    Content-Security-Policy: default-src=none; script-src=self; connect-src=self; img-src=self;
+        style-src=self; frame-ancestors=none; form-action=self;
+    Cross-Origin-Opener-Policy:  same-origin
+    Cross-Origin-Resource-Policy: same-site
+    Origin-Agent-Cluster: ?1
+    Referrer-Policy: no-referrer
+    Strict-Transport-Security: max-age=31536000; includeSubDomains // temporarily disabled for maintenance
+    X-Content-Type-Options: nosniff // temporarily disabled for maintenance
+    X-DNS-Prefetch-Control: off
+    X-Download-Options: noopen
+    X-Frame-Options: DENY
+    X-Powered-By: (This header is removed if a response includes it)
+    X-XSS-Protection: 0