@middy/http-security-headers - npm Package Compare versions

Comparing version 3.0.0-alpha.6 to 3.0.0-alpha.7

index.js

@@ -1,243 +0,3 @@
-import { normalizeHttpResponse } from '@middy/util';
-const defaults = {
-  contentSecurityPolicy: {
-    'default-src': "'none'",
-    'base-uri': "'none'",
-    sandbox: '',
-    'form-action': "'none'",
-    'frame-ancestors': "'none'",
-    'navigate-to': "'none'",
-    'report-to': 'csp',
-    'require-trusted-types-for': "'script'",
-    'trusted-types': "'none'",
-    'upgrade-insecure-requests': ''
-  },
-  contentTypeOptions: {
-    action: 'nosniff'
-  },
-  crossOriginEmbedderPolicy: {
-    policy: 'require-corp'
-  },
-  crossOriginOpenerPolicy: {
-    policy: 'same-origin'
-  },
-  crossOriginResourcePolicy: {
-    policy: 'same-origin'
-  },
-  dnsPrefetchControl: {
-    allow: false
-  },
-  downloadOptions: {
-    action: 'noopen'
-  },
-  frameOptions: {
-    action: 'deny'
-  },
-  originAgentCluster: {},
-  permissionsPolicy: {
-    accelerometer: '',
-    'ambient-light-sensor': '',
-    autoplay: '',
-    battery: '',
-    camera: '',
-    'cross-origin-isolated': '',
-    'display-capture': '',
-    'document-domain': '',
-    'encrypted-media': '',
-    'execution-while-not-rendered': '',
-    'execution-while-out-of-viewport': '',
-    fullscreen: '',
-    geolocation: '',
-    gyroscope: '',
-    'keyboard-map': '',
-    magnetometer: '',
-    microphone: '',
-    midi: '',
-    'navigation-override': '',
-    payment: '',
-    'picture-in-picture': '',
-    'publickey-credentials-get': '',
-    'screen-wake-lock': '',
-    'sync-xhr': '',
-    usb: '',
-    'web-share': '',
-    'xr-spatial-tracking': '',
-    'clipboard-read': '',
-    'clipboard-write': '',
-    gamepad: '',
-    'speaker-selection': '',
-    'conversion-measurement': '',
-    'focus-without-user-activation': '',
-    hid: '',
-    'idle-detection': '',
-    'interest-cohort': '',
-    serial: '',
-    'sync-script': '',
-    'trust-token-redemption': '',
-    'window-placement': '',
-    'vertical-scroll': ''
-  },
-  permittedCrossDomainPolicies: {
-    policy: 'none'
-  },
-  poweredBy: {
-    server: ''
-  },
-  referrerPolicy: {
-    policy: 'no-referrer'
-  },
-  reportTo: {
-    maxAge: 365 * 24 * 60 * 60,
-    default: '',
-    includeSubdomains: true,
-    csp: '',
-    staple: '',
-    xss: ''
-  },
-  strictTransportSecurity: {
-    maxAge: 180 * 24 * 60 * 60,
-    includeSubDomains: true,
-    preload: true
-  },
-  xssProtection: {
-    reportTo: 'xss'
-  }
-};
-const helmet = {};
-const helmetHtmlOnly = {};
+import{normalizeHttpResponse}from'@middy/util';const defaults={contentSecurityPolicy:{'default-src':"'none'",'base-uri':"'none'",sandbox:'','form-action':"'none'",'frame-ancestors':"'none'",'navigate-to':"'none'",'report-to':'csp','require-trusted-types-for':"'script'",'trusted-types':"'none'",'upgrade-insecure-requests':''},contentTypeOptions:{action:'nosniff'},crossOriginEmbedderPolicy:{policy:'require-corp'},crossOriginOpenerPolicy:{policy:'same-origin'},crossOriginResourcePolicy:{policy:'same-origin'},dnsPrefetchControl:{allow:false},downloadOptions:{action:'noopen'},frameOptions:{action:'deny'},originAgentCluster:{},permissionsPolicy:{accelerometer:'','ambient-light-sensor':'',autoplay:'',battery:'',camera:'','cross-origin-isolated':'','display-capture':'','document-domain':'','encrypted-media':'','execution-while-not-rendered':'','execution-while-out-of-viewport':'',fullscreen:'',geolocation:'',gyroscope:'','keyboard-map':'',magnetometer:'',microphone:'',midi:'','navigation-override':'',payment:'','picture-in-picture':'','publickey-credentials-get':'','screen-wake-lock':'','sync-xhr':'',usb:'','web-share':'','xr-spatial-tracking':'','clipboard-read':'','clipboard-write':'',gamepad:'','speaker-selection':'','conversion-measurement':'','focus-without-user-activation':'',hid:'','idle-detection':'','interest-cohort':'',serial:'','sync-script':'','trust-token-redemption':'','window-placement':'','vertical-scroll':''},permittedCrossDomainPolicies:{policy:'none'},poweredBy:{server:''},referrerPolicy:{policy:'no-referrer'},reportTo:{maxAge:365*24*60*60,default:'',includeSubdomains:true,csp:'',staple:'',xss:''},strictTransportSecurity:{maxAge:180*24*60*60,includeSubDomains:true,preload:true},xssProtection:{reportTo:'xss'}};const helmet={};const helmetHtmlOnly={};helmetHtmlOnly.contentSecurityPolicy=(headers,config)=>{let header=Object.keys(config).map(policy=>config[policy]?`${policy} ${config[policy]}`:'').filter(str=>str).join('; ');if(config.sandbox===''){header+='; sandbox'}if(config['upgrade-insecure-requests']===''){header+='; upgrade-insecure-requests'}headers['Content-Security-Policy']=header};helmetHtmlOnly.crossOriginEmbedderPolicy=(headers,config)=>{headers['Cross-Origin-Embedder-Policy']=config.policy};helmetHtmlOnly.crossOriginOpenerPolicy=(headers,config)=>{headers['Cross-Origin-Opener-Policy']=config.policy};helmetHtmlOnly.crossOriginResourcePolicy=(headers,config)=>{headers['Cross-Origin-Resource-Policy']=config.policy};helmetHtmlOnly.permissionsPolicy=(headers,config)=>{headers['Permissions-Policy']=Object.keys(config).map(policy=>`${policy}=${config[policy]==='*'?'*':`(${config[policy]})`}`).join(', ')};helmet.originAgentCluster=(headers,config)=>{headers['Origin-Agent-Cluster']='?1'};helmet.referrerPolicy=(headers,config)=>{headers['Referrer-Policy']=config.policy};helmetHtmlOnly.reportTo=(headers,config)=>{headers['Report-To']=Object.keys(config).map(group=>config[group]&&group!=='includeSubdomains'?`{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${group==='default'?`, "include_subdomains": ${config.includeSubdomains}`:''} }`:'').filter(str=>str).join(', ')};helmet.strictTransportSecurity=(headers,config)=>{let header='max-age='+Math.round(config.maxAge);if(config.includeSubDomains){header+='; includeSubDomains'}if(config.preload){header+='; preload'}headers['Strict-Transport-Security']=header};helmet.contentTypeOptions=(headers,config)=>{headers['X-Content-Type-Options']=config.action};helmet.dnsPrefetchControl=(headers,config)=>{headers['X-DNS-Prefetch-Control']=config.allow?'on':'off'};helmet.downloadOptions=(headers,config)=>{headers['X-Download-Options']=config.action};helmetHtmlOnly.frameOptions=(headers,config)=>{headers['X-Frame-Options']=config.action.toUpperCase()};helmet.permittedCrossDomainPolicies=(headers,config)=>{headers['X-Permitted-Cross-Domain-Policies']=config.policy};helmet.poweredBy=(headers,config)=>{if(config.server){headers['X-Powered-By']=config.server}else{delete headers.Server;delete headers['X-Powered-By']}};helmetHtmlOnly.xssProtection=(headers,config)=>{let header='1; mode=block';if(config.reportTo){header+='; report='+config.reportTo}headers['X-XSS-Protection']=header};const httpSecurityHeadersMiddleware=(opts={})=>{const options={...defaults,...opts};const httpSecurityHeadersMiddlewareAfter=async request=>{normalizeHttpResponse(request);Object.keys(helmet).forEach(key=>{if(!options[key])return;const config={...defaults[key],...options[key]};helmet[key](request.response.headers,config)});if(request.response.headers['Content-Type']?.includes('text/html')){Object.keys(helmetHtmlOnly).forEach(key=>{if(!options[key])return;const config={...defaults[key],...options[key]};helmetHtmlOnly[key](request.response.headers,config)})}};const httpSecurityHeadersMiddlewareOnError=async request=>{if(request.response===undefined)return;return httpSecurityHeadersMiddlewareAfter(request)};return{after:httpSecurityHeadersMiddlewareAfter,onError:httpSecurityHeadersMiddlewareOnError}};export default httpSecurityHeadersMiddleware
 
-helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
-  let header = Object.keys(config).map(policy => config[policy] ? `${policy} ${config[policy]}` : '').filter(str => str).join('; ');
-
-  if (config.sandbox === '') {
-    header += '; sandbox';
-  }
-
-  if (config['upgrade-insecure-requests'] === '') {
-    header += '; upgrade-insecure-requests';
-  }
-
-  headers['Content-Security-Policy'] = header;
-};
-
-helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config) => {
-  headers['Cross-Origin-Embedder-Policy'] = config.policy;
-};
-
-helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config) => {
-  headers['Cross-Origin-Opener-Policy'] = config.policy;
-};
-
-helmetHtmlOnly.crossOriginResourcePolicy = (headers, config) => {
-  headers['Cross-Origin-Resource-Policy'] = config.policy;
-};
-
-helmetHtmlOnly.permissionsPolicy = (headers, config) => {
-  headers['Permissions-Policy'] = Object.keys(config).map(policy => `${policy}=${config[policy] === '*' ? '*' : `(${config[policy]})`}`).join(', ');
-};
-
-helmet.originAgentCluster = (headers, config) => {
-  headers['Origin-Agent-Cluster'] = '?1';
-};
-
-helmet.referrerPolicy = (headers, config) => {
-  headers['Referrer-Policy'] = config.policy;
-};
-
-helmetHtmlOnly.reportTo = (headers, config) => {
-  headers['Report-To'] = Object.keys(config).map(group => config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : ''} }` : '').filter(str => str).join(', ');
-};
-
-helmet.strictTransportSecurity = (headers, config) => {
-  let header = 'max-age=' + Math.round(config.maxAge);
-
-  if (config.includeSubDomains) {
-    header += '; includeSubDomains';
-  }
-
-  if (config.preload) {
-    header += '; preload';
-  }
-
-  headers['Strict-Transport-Security'] = header;
-};
-
-helmet.contentTypeOptions = (headers, config) => {
-  headers['X-Content-Type-Options'] = config.action;
-};
-
-helmet.dnsPrefetchControl = (headers, config) => {
-  headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
-};
-
-helmet.downloadOptions = (headers, config) => {
-  headers['X-Download-Options'] = config.action;
-};
-
-helmetHtmlOnly.frameOptions = (headers, config) => {
-  headers['X-Frame-Options'] = config.action.toUpperCase();
-};
-
-helmet.permittedCrossDomainPolicies = (headers, config) => {
-  headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
-};
-
-helmet.poweredBy = (headers, config) => {
-  if (config.server) {
-    headers['X-Powered-By'] = config.server;
-  } else {
-    delete headers.Server;
-    delete headers['X-Powered-By'];
-  }
-};
-
-helmetHtmlOnly.xssProtection = (headers, config) => {
-  let header = '1; mode=block';
-
-  if (config.reportTo) {
-    header += '; report=' + config.reportTo;
-  }
-
-  headers['X-XSS-Protection'] = header;
-};
-
-const httpSecurityHeadersMiddleware = (opts = {}) => {
-  const options = { ...defaults,
-    ...opts
-  };
-
-  const httpSecurityHeadersMiddlewareAfter = async request => {
-    var _request$response$hea;
-
-    normalizeHttpResponse(request);
-    Object.keys(helmet).forEach(key => {
-      if (!options[key]) return;
-      const config = { ...defaults[key],
-        ...options[key]
-      };
-      helmet[key](request.response.headers, config);
-    });
-
-    if ((_request$response$hea = request.response.headers['Content-Type']) !== null && _request$response$hea !== void 0 && _request$response$hea.includes('text/html')) {
-      Object.keys(helmetHtmlOnly).forEach(key => {
-        if (!options[key]) return;
-        const config = { ...defaults[key],
-          ...options[key]
-        };
-        helmetHtmlOnly[key](request.response.headers, config);
-      });
-    }
-  };
-
-  const httpSecurityHeadersMiddlewareOnError = async request => {
-    if (request.response === undefined) return;
-    return httpSecurityHeadersMiddlewareAfter(request);
-  };
-
-  return {
-    after: httpSecurityHeadersMiddlewareAfter,
-    onError: httpSecurityHeadersMiddlewareOnError
-  };
-};
-
-export default httpSecurityHeadersMiddleware;
+//# sourceMappingURL=index.js.map

package.json

 {
   "name": "@middy/http-security-headers",
-  "version": "3.0.0-alpha.6",
+  "version": "3.0.0-alpha.7",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
@@ -53,9 +53,9 @@ "type": "module",
   "homepage": "https://github.com/middyjs/middy#readme",
-  "gitHead": "176660ed3e0716d6bfb635c77251b301e0e24720",
+  "gitHead": "5cef39ebe49c201f97d71bb0680004de4b82cb91",
   "dependencies": {
-    "@middy/util": "^3.0.0-alpha.6"
+    "@middy/util": "^3.0.0-alpha.7"
   },
   "devDependencies": {
-    "@middy/core": "^3.0.0-alpha.6"
+    "@middy/core": "^3.0.0-alpha.7"
   }
 }

README.md

@@ -1,26 +0,36 @@
-# Middy http-security-headers middleware
-
 <div align="center">
-  <img alt="Middy logo" src="https://raw.githubusercontent.com/middyjs/middy/main/docs/img/middy-logo.png"/>
-</div>
-
-<div align="center">
+  <h1>Middy http-security-headers middleware</h1>
+  <img alt="Middy logo" src="https://raw.githubusercontent.com/middyjs/middy/main/docs/img/middy-logo.svg"/>
   <p><strong>HTTP security headers middleware for the middy framework, the stylish Node.js middleware engine for AWS Lambda</strong></p>
   <p>Applies best practice security headers to responses. It's a simplified port of [HelmetJS](https://helmetjs.github.io/). See HelmetJS documentation for more details.</p>
-</div>
-
-<div align="center">
 <p>
-  <a href="http://badge.fury.io/js/%40middy%2Fhttp-security-headers">
+  <a href="https://www.npmjs.com/package/@middy/http-security-headers?activeTab=versions">
     <img src="https://badge.fury.io/js/%40middy%2Fhttp-security-headers.svg" alt="npm version" style="max-width:100%;">
   </a>
+  <a href="https://packagephobia.com/result?p=@middy/http-security-headers">
+    <img src="https://packagephobia.com/badge?p=@middy/http-security-headers" alt="npm install size" style="max-width:100%;">
+  </a>
+  <a href="https://github.com/middyjs/middy/actions">
+    <img src="https://github.com/middyjs/middy/workflows/Tests/badge.svg" alt="GitHub Actions test status badge" style="max-width:100%;">
+  </a>
+  <br/>
+   <a href="https://standardjs.com/">
+    <img src="https://img.shields.io/badge/code_style-standard-brightgreen.svg" alt="Standard Code Style"  style="max-width:100%;">
+  </a>
   <a href="https://snyk.io/test/github/middyjs/middy">
     <img src="https://snyk.io/test/github/middyjs/middy/badge.svg" alt="Known Vulnerabilities" data-canonical-src="https://snyk.io/test/github/middyjs/middy" style="max-width:100%;">
   </a>
-  <a href="https://standardjs.com/">
-    <img src="https://img.shields.io/badge/code_style-standard-brightgreen.svg" alt="Standard Code Style"  style="max-width:100%;">
+  <a href="https://lgtm.com/projects/g/middyjs/middy/context:javascript">
+    <img src="https://img.shields.io/lgtm/grade/javascript/g/middyjs/middy.svg?logo=lgtm&logoWidth=18" alt="Language grade: JavaScript" style="max-width:100%;">
   </a>
+  <a href="https://bestpractices.coreinfrastructure.org/projects/5280">
+    <img src="https://bestpractices.coreinfrastructure.org/projects/5280/badge" alt="Core Infrastructure Initiative (CII) Best Practices"  style="max-width:100%;">
+  </a>
+  <br/>
   <a href="https://gitter.im/middyjs/Lobby">
-    <img src="https://badges.gitter.im/gitterHQ/gitter.svg" alt="Chat on Gitter"  style="max-width:100%;">
+    <img src="https://badges.gitter.im/gitterHQ/gitter.svg" alt="Chat on Gitter" style="max-width:100%;">
   </a>
+  <a href="https://stackoverflow.com/questions/tagged/middy?sort=Newest&uqlId=35052">
+    <img src="https://img.shields.io/badge/StackOverflow-[middy]-yellow" alt="Ask questions on StackOverflow" style="max-width:100%;">
+  </a>
 </p>
@@ -27,0 +37,0 @@ </div>

New alerts

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Number of lines in readme file

103

increased by10.75%

Worsened metrics

Total package byte prevSize

13515

decreased by-1.27%

Lines of code

52

decreased by-78.78%

Number of medium supply chain risk alerts

1

increased byInfinity%

Dependency changes

• Updated@middy/util@^3.0.0-alpha.7