express-negotiator
Express/connect middleware that does HTTP content negotiation for static files
Express/connect middleware for doing content negotiation with static files on disc. Heavily inspired by Apache's mod_negotiation.
Negotiator rewrites req.url to the negotiated file name based on these factors (in descending order of importance):

- req.url matches a file name on disc exactly
- locale GET parameter
- cookie (options.cookieName)
- Accept-Language and Accept headers

... and of course the availability of suitable files on disc. If no acceptable match is found, req.url is left untouched.

Like mod_negotiation, express-negotiator interprets the extensions of the files on disc as an unordered set. A file called foo.html.fr would be treated the same as one called foo.fr.html except when the request url specifies an exact match.

The negotiator middleware is intended to run right before the static middleware pointed at the same directory as options.root.

If options.cookieName is specified, the cookieParser middleware must also be in the middleware chain.

When the url is rewritten, negotiator sets the ETag header to the same value as the static middleware would ("<size>-<modificationTime>"), but with the negotiated Content-Type and locale id bits suffixed. This prevents false positive 304 responses with If-None-Match when the same client (or reverse proxy) requests the same url later with different headers (e.g. after a locale cookie change). That would happen if the files happened to have the same size and modification times.

Also, the If-Modified-Since header is removed since that would cause the static middleware to reply 304 Not Modified in similar situations. ETags are a superior concept anyway.
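
The false-positive 304 described above, as an added example (not code from express-negotiator). The file sizes and modification times are constructed, and respond() and revalidateAfterLocaleChange() are hypothetical helpers; only the two ETag formats come from this page.

```javascript
// Constructed metadata: two locale variants with identical size and mtime.
const variants = {
  '/index.en.html': { size: 1024, mtime: 1300000000000, type: 'text/html', locale: 'en' },
  '/index.da.html': { size: 1024, mtime: 1300000000000, type: 'text/html', locale: 'da' },
};

// ETag format the page gives for the static middleware: "<size>-<modificationTime>"
function staticETag(file) {
  return '"' + file.size + '-' + file.mtime + '"';
}

// ETag format the page gives for negotiated responses: the same value
// with the negotiated Content-Type and (when present) locale id suffixed.
function negotiatedETag(file) {
  const parts = [file.size, file.mtime, file.type];
  if (file.locale) parts.push(file.locale);
  return '"' + parts.join('-') + '"';
}

// Hypothetical, minimal If-None-Match check: 304 when the validator matches.
function respond(etagFn, path, ifNoneMatch) {
  const etag = etagFn(variants[path]);
  return { status: ifNoneMatch === etag ? 304 : 200, etag: etag };
}

// The client fetches "/" negotiated to English, its locale cookie changes
// to "da", and it revalidates the same url with the ETag it cached.
function revalidateAfterLocaleChange(etagFn) {
  const first = respond(etagFn, '/index.en.html', undefined);
  return respond(etagFn, '/index.da.html', first.etag);
}

// Size/mtime-only ETag: the Danish request is answered 304, so the client
// (or a reverse proxy) keeps showing the cached English body.
console.log('static ETag:    ', revalidateAfterLocaleChange(staticETag).status);
// Suffixed ETag: the validators differ, so the Danish file is sent.
console.log('negotiated ETag:', revalidateAfterLocaleChange(negotiatedETag).status);
```
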

Make sure you have node.js and npm installed, then run:

    $ npm install express-negotiator

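    var express = require('express'),
        negotiator = require('express-negotiator'),
        root = '/path/to/static/files',
        app = express.createServer();

    app
        // Needed because cookieName is set: the negotiator reads the locale cookie
        .use(express.cookieParser())
        // Rewrites req.url to the negotiated file name under root
        .use(negotiator({root: root, cookieName: 'mycookie'}))
        // Serves the rewritten url from the same directory
        .use(express.static(root))
        .listen(1337);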

If the root dir contains the files index.en.html, index.da.html, and foo.png these example requests would be rewritten as follows:

    GET / HTTP/1.1
    Accept: text/html
    Accept-Language: en
    => /index.en.html
    Response ETag: "<size>-<modificationTime>-text/html-en"

    GET /?locale=da HTTP/1.1
    Accept: text/html
    Accept-Language: en
    => /index.da.html
    Response ETag: "<size>-<modificationTime>-text/html-da"

    GET /index HTTP/1.1
    Cookie: mycookie=da
    Accept: text/html
    Accept-Language: en
    => /index.da.html
    Response ETag: "<size>-<modificationTime>-text/html-da"

    GET /foo HTTP/1.1
    Accept: image/*
    => /foo.png
    Response ETag: "<size>-<modificationTime>-image/png"

See the test suite for more examples.

express-negotiator is licensed under a standard 3-clause BSD license -- see the LICENSE file for details.

FAQs
The npm package express-negotiator receives a total of 2,788 weekly downloads. As such, express-negotiator popularity was classified as popular.
We found that express-negotiator demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.