New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More

@middy/http-security-headers

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@middy/http-security-headers

Applies best practice security headers to responses. It's a simplified port of HelmetJS


Version published
Weekly downloads
36K
decreased by-12.76%
Maintainers
3
Weekly downloads
 
Created

Middy http-security-headers middleware

Middy logo

HTTP security headers middleware for the middy framework, the stylish Node.js middleware engine for AWS Lambda

Applies best practice security headers to responses. It's a simplified port of [HelmetJS](https://helmetjs.github.io/). See HelmetJS documentation for more details.

npm version npm install size GitHub Actions CI status badge
Standard Code Style Known Vulnerabilities Language grade: JavaScript Core Infrastructure Initiative (CII) Best Practices
Chat on Gitter Ask questions on StackOverflow

You can read the documentation at: https://middy.js.org/docs/middlewares//http-security-headers

Applies best practice security headers to responses. It's a simplified port of HelmetJS. See HelmetJS documentation for more details.

Install

To install this middleware you can use NPM:

npm install --save @middy/http-security-headers

Options

Setting an option to false to cause that rule to be ignored.

All Responses

  • originAgentCluster: Default to {} to include
  • referrerPolicy: Default to { policy: 'no-referrer' }
  • strictTransportSecurity: Default to { maxAge: 15552000, includeSubDomains: true, preload: true }
  • X-dnsPrefetchControl: Default to { allow: false }
  • X-downloadOptions: Default to { action: 'noopen' }
  • X-poweredBy: Default to { server: '' } to remove Server and X-Powered-By
  • X-contentTypeOptions: Default to { action: 'nosniff' }

HTML Responses

  • contentSecurityPolicy: Default to { 'default-src': "'none'", 'base-uri':"'none'", 'sandbox':'', 'form-action':"'none'", 'frame-ancestors':"'none'", 'navigate-to':"'none'", 'report-to':'csp', 'require-trusted-types-for':"'script'", 'trusted-types':"'none'", 'upgrade-insecure-requests':'' }
  • crossOriginEmbedderPolicy: Default to { policy: 'require-corp' }
  • crossOriginOpenerPolicy: Default to { policy: 'same-origin' }
  • crossOriginResourcePolicy: Default to { policy: 'same-origin' }
  • permissionsPolicy: Default to { *:'', ... } where all allowed values are set to disable
  • reportTo: Defaults to { maxAge: 31536000, default: '', includeSubdomains: true, csp: '', staple:'', xss: '' } which won't report by default, needs setting
  • X-frameOptions: Default to { action: 'deny' }
  • X-xssProtection: Defaults to { reportUri: '' }'

Sample usage

import middy from '@middy/core'
import httpSecurityHeaders from '@middy/http-security-headers'

const handler = middy((event, context) => {
  return {}
})

handler
  .use(httpSecurityHeaders())

Middy documentation and examples

For more documentation and examples, refers to the main Middy monorepo on GitHub or Middy official website.

Contributing

Everyone is very welcome to contribute to this repository. Feel free to raise issues or to submit Pull Requests.

License

Licensed under MIT License. Copyright (c) 2017-2022 Luciano Mammino, will Farrell, and the Middy team.

FOSSA Status

FAQs

Package last updated on 19 Jun 2022

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts