@middy/http-security-headers - npm Package Compare versions

Comparing version 4.6.1 to 4.6.2

index.js

 import { normalizeHttpResponse } from '@middy/util';
+// Code and Defaults heavily based off https://helmetjs.github.io/
 const defaults = {
     contentSecurityPolicy: {
+        // Fetch directives
+        // 'child-src': '', // fallback default-src
+        // 'connect-src': '', // fallback default-src
         'default-src': "'none'",
+        // 'font-src':'', // fallback default-src
+        // 'frame-src':'', // fallback child-src > default-src
+        // 'img-src':'', // fallback default-src
+        // 'manifest-src':'', // fallback default-src
+        // 'media-src':'', // fallback default-src
+        // 'object-src':'', // fallback default-src
+        // 'prefetch-src':'', // fallback default-src
+        // 'script-src':'', // fallback default-src
+        // 'script-src-elem':'', // fallback script-src > default-src
+        // 'script-src-attr':'', // fallback script-src > default-src
+        // 'style-src':'', // fallback default-src
+        // 'style-src-elem':'', // fallback style-src > default-src
+        // 'style-src-attr':'', // fallback style-src > default-src
+        // 'worker-src':'', // fallback child-src > script-src > default-src
+        // Document directives
         'base-uri': "'none'",
         sandbox: '',
+        // Navigation directives
         'form-action': "'none'",
         'frame-ancestors': "'none'",
         'navigate-to': "'none'",
+        // Reporting directives
         'report-to': 'csp',
+        // Other directives
         'require-trusted-types-for': "'script'",
@@ -38,2 +60,3 @@ 'trusted-types': "'none'",
     permissionsPolicy: {
+        // Standard
         accelerometer: '',
@@ -66,2 +89,3 @@ 'ambient-light-sensor': '',
         'xr-spatial-tracking': '',
+        // Proposed
         'clipboard-read': '',
@@ -71,2 +95,3 @@ 'clipboard-write': '',
         'speaker-selection': '',
+        // Experimental
         'conversion-measurement': '',
@@ -84,3 +109,3 @@ 'focus-without-user-activation': '',
     permittedCrossDomainPolicies: {
-        policy: 'none'
+        policy: 'none' // none, master-only, by-content-type, by-ftp-filename, all
     },
@@ -112,2 +137,4 @@ poweredBy: {
 const helmetHtmlOnly = {};
+// *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{
@@ -123,2 +150,3 @@ let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; ');
 };
+// crossdomain - N/A - for Adobe products
 helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{
@@ -133,2 +161,5 @@ headers['Cross-Origin-Embedder-Policy'] = config.policy;
 };
+// DEPRECATED: expectCt
+// DEPRECATED: hpkp
+// https://www.permissionspolicy.com/
 helmetHtmlOnly.permissionsPolicy = (headers, config)=>{
@@ -140,2 +171,3 @@ headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', ');
 };
+// https://github.com/helmetjs/referrer-policy
 helmet.referrerPolicy = (headers, config)=>{
@@ -150,2 +182,3 @@ headers['Referrer-Policy'] = config.policy;
 };
+// https://github.com/helmetjs/hsts
 helmet.strictTransportSecurity = (headers, config)=>{
@@ -161,17 +194,25 @@ let header = 'max-age=' + Math.round(config.maxAge);
 };
+// noCache - N/A - separate middleware
+// X-* //
+// https://github.com/helmetjs/dont-sniff-mimetype
 helmet.contentTypeOptions = (headers, config)=>{
     headers['X-Content-Type-Options'] = config.action;
 };
+// https://github.com/helmetjs/dns-Prefetch-control
 helmet.dnsPrefetchControl = (headers, config)=>{
     headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off';
 };
+// https://github.com/helmetjs/ienoopen
 helmet.downloadOptions = (headers, config)=>{
     headers['X-Download-Options'] = config.action;
 };
+// https://github.com/helmetjs/frameOptions
 helmetHtmlOnly.frameOptions = (headers, config)=>{
     headers['X-Frame-Options'] = config.action.toUpperCase();
 };
+// https://github.com/helmetjs/crossdomain
 helmet.permittedCrossDomainPolicies = (headers, config)=>{
     headers['X-Permitted-Cross-Domain-Policies'] = config.policy;
 };
+// https://github.com/helmetjs/hide-powered-by
 helmet.poweredBy = (headers, config)=>{
@@ -185,2 +226,3 @@ if (config.server) {
 };
+// https://github.com/helmetjs/x-xss-protection
 helmetHtmlOnly.xssProtection = (headers, config)=>{
@@ -187,0 +229,0 @@ let header = '1; mode=block';

package.json

 {
   "name": "@middy/http-security-headers",
-  "version": "4.6.1",
+  "version": "4.6.2",
   "description": "Applies best practice security headers to responses. It's a simplified port of HelmetJS",
@@ -71,9 +71,9 @@ "type": "module",
   },
-  "gitHead": "253ed0e4ca95623decbade03938a07d837a1eba2",
+  "gitHead": "8b03a01abf5a9c08231ec5ced775e87f8be8f67d",
   "dependencies": {
-    "@middy/util": "4.6.1"
+    "@middy/util": "4.6.2"
   },
   "devDependencies": {
-    "@middy/core": "4.6.1"
+    "@middy/core": "4.6.2"
   }
 }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

34444

increased by21.29%

Lines of code

854

increased by17.31%

Dependency changes

• + Added@middy/util@4.6.2(transitive)

• - Removed@middy/util@4.6.1(transitive)

• Updated@middy/util@4.6.2