@middy/http-security-headers - npm Package Compare versions

Comparing version 3.0.0-alpha.3 to 3.0.0-alpha.4

index.js

@@ -1,35 +0,11 @@
-import { normalizeHttpResponse } from '@middy/util'
-
-// Code and Defaults heavily based off https://helmetjs.github.io/
-
+import { normalizeHttpResponse } from '@middy/util';
 const defaults = {
   contentSecurityPolicy: {
-    // Fetch directives
-    // 'child-src': '', // fallback default-src
-    // 'connect-src': '', // fallback default-src
     'default-src': "'none'",
-    // 'font-src':'', // fallback default-src
-    // 'frame-src':'', // fallback child-src > default-src
-    // 'img-src':'', // fallback default-src
-    // 'manifest-src':'', // fallback default-src
-    // 'media-src':'', // fallback default-src
-    // 'object-src':'', // fallback default-src
-    // 'prefetch-src':'', // fallback default-src
-    // 'script-src':'', // fallback default-src
-    // 'script-src-elem':'', // fallback script-src > default-src
-    // 'script-src-attr':'', // fallback script-src > default-src
-    // 'style-src':'', // fallback default-src
-    // 'style-src-elem':'', // fallback style-src > default-src
-    // 'style-src-attr':'', // fallback style-src > default-src
-    // 'worker-src':'', // fallback child-src > script-src > default-src
-    // Document directives
     'base-uri': "'none'",
     sandbox: '',
-    // Navigation directives
     'form-action': "'none'",
     'frame-ancestors': "'none'",
     'navigate-to': "'none'",
-    // Reporting directives
     'report-to': 'csp',
-    // Other directives
     'require-trusted-types-for': "'script'",
@@ -62,3 +38,2 @@ 'trusted-types': "'none'",
   permissionsPolicy: {
-    // Standard
     accelerometer: '',
@@ -91,3 +66,2 @@ 'ambient-light-sensor': '',
     'xr-spatial-tracking': '',
-    // Proposed
     'clipboard-read': '',
@@ -97,3 +71,2 @@ 'clipboard-write': '',
     'speaker-selection': '',
-    // Experimental
     'conversion-measurement': '',
@@ -111,3 +84,3 @@ 'focus-without-user-activation': '',
   permittedCrossDomainPolicies: {
-    policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
+    policy: 'none'
   },
@@ -136,150 +109,140 @@ poweredBy: {
   }
-}
+};
+const helmet = {};
+const helmetHtmlOnly = {};
 
-const helmet = {}
-const helmetHtmlOnly = {}
+helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
+  let header = Object.keys(config).map(policy => config[policy] ? `${policy} ${config[policy]}` : '').filter(str => str).join('; ');
 
-// *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
-  let header = Object.keys(config)
-    .map(policy => config[policy] ? `${policy} ${config[policy]}` : '')
-    .filter(str => str)
-    .join('; ')
   if (config.sandbox === '') {
-    header += '; sandbox'
+    header += '; sandbox';
   }
+
   if (config['upgrade-insecure-requests'] === '') {
-    header += '; upgrade-insecure-requests'
+    header += '; upgrade-insecure-requests';
   }
-  headers['Content-Security-Policy'] = header
-}
-// crossdomain - N/A - for Adobe products
+
+  headers['Content-Security-Policy'] = header;
+};
+
 helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config) => {
-  headers['Cross-Origin-Embedder-Policy'] = config.policy
-}
+  headers['Cross-Origin-Embedder-Policy'] = config.policy;
+};
+
 helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config) => {
-  headers['Cross-Origin-Opener-Policy'] = config.policy
-}
+  headers['Cross-Origin-Opener-Policy'] = config.policy;
+};
+
 helmetHtmlOnly.crossOriginResourcePolicy = (headers, config) => {
-  headers['Cross-Origin-Resource-Policy'] = config.policy
-}
+  headers['Cross-Origin-Resource-Policy'] = config.policy;
+};
 
-// expectCt - DEPRECATED
-// hpkp - DEPRECATED
-
-// https://www.permissionspolicy.com/
 helmetHtmlOnly.permissionsPolicy = (headers, config) => {
-  headers['Permissions-Policy'] = Object.keys(config)
-    .map(policy => `${policy}=${policy === '*' ? '*' : `(${config[policy]})`}`)
-    .join(', ')
-}
+  headers['Permissions-Policy'] = Object.keys(config).map(policy => `${policy}=${policy === '*' ? '*' : `(${config[policy]})`}`).join(', ');
+};
 
 helmet.originAgentCluster = (headers, config) => {
-  headers['Origin-Agent-Cluster'] = '?1'
-}
+  headers['Origin-Agent-Cluster'] = '?1';
+};
 
-// https://github.com/helmetjs/referrer-policy
 helmet.referrerPolicy = (headers, config) => {
-  headers['Referrer-Policy'] = config.policy
-}
+  headers['Referrer-Policy'] = config.policy;
+};
 
 helmetHtmlOnly.reportTo = (headers, config) => {
-  headers['Report-To'] = Object.keys(config)
-    .map(group => (config[group] && group !== 'includeSubdomains') ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : ''} }` : '')
-    .filter(str => str)
-    .join(', ')
-}
+  headers['Report-To'] = Object.keys(config).map(group => config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : ''} }` : '').filter(str => str).join(', ');
+};
 
-// https://github.com/helmetjs/hsts
 helmet.strictTransportSecurity = (headers, config) => {
-  let header = 'max-age=' + Math.round(config.maxAge)
+  let header = 'max-age=' + Math.round(config.maxAge);
+
   if (config.includeSubDomains) {
-    header += '; includeSubDomains'
+    header += '; includeSubDomains';
   }
+
   if (config.preload) {
-    header += '; preload'
+    header += '; preload';
   }
-  headers['Strict-Transport-Security'] = header
-}
 
-// noCache - N/A - separate middleware
+  headers['Strict-Transport-Security'] = header;
+};
 
-// X-* //
-// https://github.com/helmetjs/dont-sniff-mimetype
 helmet.contentTypeOptions = (headers, config) => {
-  headers['X-Content-Type-Options'] = config.action
-}
+  headers['X-Content-Type-Options'] = config.action;
+};
 
-// https://github.com/helmetjs/dns-Prefetch-control
 helmet.dnsPrefetchControl = (headers, config) => {
-  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off'
-}
+  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
+};
 
-// https://github.com/helmetjs/ienoopen
 helmet.downloadOptions = (headers, config) => {
-  headers['X-Download-Options'] = config.action
-}
+  headers['X-Download-Options'] = config.action;
+};
 
-// https://github.com/helmetjs/frameOptions
 helmetHtmlOnly.frameOptions = (headers, config) => {
-  headers['X-Frame-Options'] = config.action.toUpperCase()
-}
+  headers['X-Frame-Options'] = config.action.toUpperCase();
+};
 
-// https://github.com/helmetjs/crossdomain
 helmet.permittedCrossDomainPolicies = (headers, config) => {
-  headers['X-Permitted-Cross-Domain-Policies'] = config.policy
-}
+  headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
+};
 
-// https://github.com/helmetjs/hide-powered-by
 helmet.poweredBy = (headers, config) => {
   if (config.server) {
-    headers['X-Powered-By'] = config.server
+    headers['X-Powered-By'] = config.server;
   } else {
-    delete headers.Server
-    delete headers['X-Powered-By']
+    delete headers.Server;
+    delete headers['X-Powered-By'];
   }
-}
+};
 
-// https://github.com/helmetjs/x-xss-protection
 helmetHtmlOnly.xssProtection = (headers, config) => {
-  let header = '1; mode=block'
+  let header = '1; mode=block';
+
   if (config.reportTo) {
-    header += '; report=' + config.reportTo
+    header += '; report=' + config.reportTo;
   }
-  headers['X-XSS-Protection'] = header
-}
 
+  headers['X-XSS-Protection'] = header;
+};
+
 const httpSecurityHeadersMiddleware = (opts = {}) => {
-  const options = { ...defaults, ...opts }
+  const options = { ...defaults,
+    ...opts
+  };
 
-  const httpSecurityHeadersMiddlewareAfter = async (request) => {
-    normalizeHttpResponse(request)
+  const httpSecurityHeadersMiddlewareAfter = async request => {
+    var _request$response$hea;
 
-    Object.keys(helmet).forEach((key) => {
-      if (!options[key]) return
-      const config = { ...defaults[key], ...options[key] }
-      helmet[key](request.response.headers, config)
-    })
+    normalizeHttpResponse(request);
+    Object.keys(helmet).forEach(key => {
+      if (!options[key]) return;
+      const config = { ...defaults[key],
+        ...options[key]
+      };
+      helmet[key](request.response.headers, config);
+    });
 
-    if (request.response.headers['Content-Type']?.includes('text/html')) {
-      Object.keys(helmetHtmlOnly).forEach((key) => {
-        if (!options[key]) return
-        const config = { ...defaults[key], ...options[key] }
-        helmetHtmlOnly[key](
-          request.response.headers,
-          config
-        )
-      })
+    if ((_request$response$hea = request.response.headers['Content-Type']) !== null && _request$response$hea !== void 0 && _request$response$hea.includes('text/html')) {
+      Object.keys(helmetHtmlOnly).forEach(key => {
+        if (!options[key]) return;
+        const config = { ...defaults[key],
+          ...options[key]
+        };
+        helmetHtmlOnly[key](request.response.headers, config);
+      });
     }
-  }
-  const httpSecurityHeadersMiddlewareOnError = async (request) => {
-    if (request.response === undefined) return
-    return httpSecurityHeadersMiddlewareAfter(request)
-  }
+  };
+
+  const httpSecurityHeadersMiddlewareOnError = async request => {
+    if (request.response === undefined) return;
+    return httpSecurityHeadersMiddlewareAfter(request);
+  };
+
   return {
     after: httpSecurityHeadersMiddlewareAfter,
     onError: httpSecurityHeadersMiddlewareOnError
-  }
-}
-export default httpSecurityHeadersMiddleware
+  };
+};
+
+export default httpSecurityHeadersMiddleware;

package.json

 {
   "name": "@middy/http-security-headers",
-  "version": "3.0.0-alpha.3",
+  "version": "3.0.0-alpha.4",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
@@ -53,9 +53,9 @@ "type": "module",
   "homepage": "https://github.com/middyjs/middy#readme",
-  "gitHead": "1441158711580313765e6d156046ef0fade0d156",
+  "gitHead": "d4bea7f4e21f6a9bbb1f6f6908361169598b9e53",
   "dependencies": {
-    "@middy/util": "^3.0.0-alpha.3"
+    "@middy/util": "^3.0.0-alpha.4"
   },
   "devDependencies": {
-    "@middy/core": "^3.0.0-alpha.3"
+    "@middy/core": "^3.0.0-alpha.4"
   }
 }

Fixed alerts

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Number of medium supply chain risk alerts

0

decreased by-100%

Worsened metrics

Total package byte prevSize

13681

decreased by-11.43%

Lines of code

245

decreased by-15.52%

Dependency changes

• Updated@middy/util@^3.0.0-alpha.4