@middy/http-security-headers - npm Package Compare versions

Comparing version 2.5.6 to 2.5.7

index.js

@@ -1,5 +0,8 @@
-const { normalizeHttpResponse } = require('@middy/util')
+"use strict";
 
-// Code and Defaults heavily based off https://helmetjs.github.io/
+const {
+  normalizeHttpResponse
+} = require('@middy/util'); // Code and Defaults heavily based off https://helmetjs.github.io/
 
+
 const defaults = {
@@ -36,2 +39,3 @@ // contentDisposition: {
     policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
+
   },
@@ -44,8 +48,5 @@ referrerPolicy: {
   }
-}
-
-const helmet = {}
-const helmetHtmlOnly = {}
-
-// OWASP ASVS 14.4.2
+};
+const helmet = {};
+const helmetHtmlOnly = {}; // OWASP ASVS 14.4.2
 // API Gateway strips out this header :(
@@ -56,113 +57,118 @@ // helmet.content = (headers, config) => {
 // }
-
 // contentSecurityPolicy - N/A - no HTML
 // featurePolicy - N/A - no HTML
-
 // crossdomain - N/A - For Adobe products
+// https://github.com/helmetjs/dns-Prefetch-control
 
-// https://github.com/helmetjs/dns-Prefetch-control
 helmet.dnsPrefetchControl = (headers, config) => {
-  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off'
-  return headers
-}
+  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
+  return headers;
+}; // expectCt - in-progress spec
+// https://github.com/helmetjs/frameguard
 
-// expectCt - in-progress spec
 
-// https://github.com/helmetjs/frameguard
 helmetHtmlOnly.frameguard = (headers, config) => {
-  headers['X-Frame-Options'] = config.action.toUpperCase()
-  return headers
-}
+  headers['X-Frame-Options'] = config.action.toUpperCase();
+  return headers;
+}; // https://github.com/helmetjs/hide-powered-by
 
-// https://github.com/helmetjs/hide-powered-by
+
 helmet.hidePoweredBy = (headers, config) => {
   if (config.setTo) {
-    headers['X-Powered-By'] = config.setTo
+    headers['X-Powered-By'] = config.setTo;
   } else {
-    Reflect.deleteProperty(headers, 'Server')
-    Reflect.deleteProperty(headers, 'X-Powered-By')
+    Reflect.deleteProperty(headers, 'Server');
+    Reflect.deleteProperty(headers, 'X-Powered-By');
   }
-  return headers
-}
 
-// hpkp - deprecated
+  return headers;
+}; // hpkp - deprecated
+// https://github.com/helmetjs/hsts
 
-// https://github.com/helmetjs/hsts
+
 helmet.hsts = (headers, config) => {
-  let header = 'max-age=' + Math.round(config.maxAge)
+  let header = 'max-age=' + Math.round(config.maxAge);
+
   if (config.includeSubDomains) {
-    header += '; includeSubDomains'
+    header += '; includeSubDomains';
   }
+
   if (config.preload) {
-    header += '; preload'
+    header += '; preload';
   }
-  headers['Strict-Transport-Security'] = header
-  return headers
-}
 
-// https://github.com/helmetjs/ienoopen
+  headers['Strict-Transport-Security'] = header;
+  return headers;
+}; // https://github.com/helmetjs/ienoopen
+
+
 helmet.ieNoOpen = (headers, config) => {
-  headers['X-Download-Options'] = config.action
-  return headers
-}
+  headers['X-Download-Options'] = config.action;
+  return headers;
+}; // noCache - N/A - separate middleware
+// https://github.com/helmetjs/dont-sniff-mimetype
 
-// noCache - N/A - separate middleware
 
-// https://github.com/helmetjs/dont-sniff-mimetype
 helmet.noSniff = (headers, config) => {
-  headers['X-Content-Type-Options'] = config.action
-  return headers
-}
+  headers['X-Content-Type-Options'] = config.action;
+  return headers;
+}; // https://github.com/helmetjs/referrer-policy
 
-// https://github.com/helmetjs/referrer-policy
+
 helmet.referrerPolicy = (headers, config) => {
-  headers['Referrer-Policy'] = config.policy
-  return headers
-}
+  headers['Referrer-Policy'] = config.policy;
+  return headers;
+}; // https://github.com/helmetjs/crossdomain
 
-// https://github.com/helmetjs/crossdomain
+
 helmet.permittedCrossDomainPolicies = (headers, config) => {
-  headers['X-Permitted-Cross-Domain-Policies'] = config.policy
-  return headers
-}
+  headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
+  return headers;
+}; // https://github.com/helmetjs/x-xss-protection
 
-// https://github.com/helmetjs/x-xss-protection
+
 helmetHtmlOnly.xssFilter = (headers, config) => {
-  let header = '1; mode=block'
+  let header = '1; mode=block';
+
   if (config.reportUri) {
-    header += '; report=' + config.reportUri
+    header += '; report=' + config.reportUri;
   }
-  headers['X-XSS-Protection'] = header
-  return headers
-}
 
+  headers['X-XSS-Protection'] = header;
+  return headers;
+};
+
 const httpSecurityHeadersMiddleware = (opts = {}) => {
-  const options = { ...defaults, ...opts }
+  const options = { ...defaults,
+    ...opts
+  };
 
-  const httpSecurityHeadersMiddlewareAfter = async (request) => {
-    request.response = normalizeHttpResponse(request.response)
+  const httpSecurityHeadersMiddlewareAfter = async request => {
+    var _request$response$hea, _request$response$hea2;
 
-    Object.keys(helmet).forEach((key) => {
-      const config = { ...defaults[key], ...options[key] }
-      request.response.headers = helmet[key](request.response.headers, config)
-    })
+    request.response = normalizeHttpResponse(request.response);
+    Object.keys(helmet).forEach(key => {
+      const config = { ...defaults[key],
+        ...options[key]
+      };
+      request.response.headers = helmet[key](request.response.headers, config);
+    });
 
-    if (request.response.headers?.['Content-Type']?.includes('text/html')) {
-      Object.keys(helmetHtmlOnly).forEach((key) => {
-        const config = { ...defaults[key], ...options[key] }
-        request.response.headers = helmetHtmlOnly[key](
-          request.response.headers,
-          config
-        )
-      })
+    if ((_request$response$hea = request.response.headers) !== null && _request$response$hea !== void 0 && (_request$response$hea2 = _request$response$hea['Content-Type']) !== null && _request$response$hea2 !== void 0 && _request$response$hea2.includes('text/html')) {
+      Object.keys(helmetHtmlOnly).forEach(key => {
+        const config = { ...defaults[key],
+          ...options[key]
+        };
+        request.response.headers = helmetHtmlOnly[key](request.response.headers, config);
+      });
     }
-  }
+  };
 
-  const httpSecurityHeadersMiddlewareOnError = httpSecurityHeadersMiddlewareAfter
-
+  const httpSecurityHeadersMiddlewareOnError = httpSecurityHeadersMiddlewareAfter;
   return {
     after: httpSecurityHeadersMiddlewareAfter,
     onError: httpSecurityHeadersMiddlewareOnError
-  }
-}
-module.exports = httpSecurityHeadersMiddleware
+  };
+};
+
+module.exports = httpSecurityHeadersMiddleware;

package.json

 {
   "name": "@middy/http-security-headers",
-  "version": "2.5.6",
+  "version": "2.5.7",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
@@ -51,9 +51,9 @@ "type": "commonjs",
   "homepage": "https://github.com/middyjs/middy#readme",
-  "gitHead": "0c789f55b4adf691f977b0d9904d1a805bb3bb2b",
+  "gitHead": "3983c4b138e1a4d7fcb3ed805d3b8832fff06fc1",
   "dependencies": {
-    "@middy/util": "^2.5.6"
+    "@middy/util": "^2.5.7"
   },
   "devDependencies": {
-    "@middy/core": "^2.5.6"
+    "@middy/core": "^2.5.7"
   }
 }

No alert changes

Improved metrics

Total package byte prevSize

10770

increased by3.11%

Worsened metrics

Lines of code

174

decreased by-1.69%

Dependency changes

• Updated@middy/util@^2.5.7