hpkp - npm Package Compare versions

Comparing version 0.2.0 to 0.3.0

index.js

@@ -22,5 +22,14 @@ var badArgumentsError = new Error('hpkp must be called with a maxAge and at least two SHA-256s (one actually used and another kept as a backup).');
 
-  if (!maxAge || (maxAge <= 0)) { throw badArgumentsError; }
-  if (!sha256s || (sha256s.length < 2)) { throw badArgumentsError; }
+  if (!maxAge || maxAge <= 0) { throw badArgumentsError; }
+  if (!sha256s || sha256s.length < 2) { throw badArgumentsError; }
 
+  var reportOnly;
+  if (options.reportOnly === undefined) {
+    reportOnly = Boolean(options.reportUri);
+  } else {
+    reportOnly = options.reportOnly;
+  }
+
+  if (reportOnly && !options.reportUri) { throw badArgumentsError; }
+
   return {
@@ -30,3 +39,4 @@ maxAge: maxAge,
     includeSubdomains: options.includeSubdomains,
-    reportUri: options.reportUri
+    reportUri: options.reportUri,
+    reportOnly: reportOnly
   };
@@ -37,3 +47,3 @@ }
   var header = 'Public-Key-Pins';
-  if (options.reportUri) {
+  if (options.reportOnly) {
     header += '-Report-Only';
@@ -40,0 +50,0 @@ }

package.json

@@ -10,3 +10,3 @@ {
   "description": "HTTP Public Key Pinning (HPKP) middleware",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "keywords": [
@@ -13,0 +13,0 @@ "helmet",

README.md

@@ -22,2 +22,2 @@ # HTTP Public Key Pinning (HPKP) middleware
 
-Specifying a `report-uri` changes the header from `Public-Key-Pins` to `Public-Key-Pins-Report-Only`.
+Specifying a `report-uri` changes the header from `Public-Key-Pins` to `Public-Key-Pins-Report-Only`. To reverse this, set another option: `reportOnly: false`. This behavior will change in the 1.0 release.

test/index.js

@@ -40,2 +40,12 @@ var hpkp = require('..');
 
+    it('can disable Report-Only with a report URI', function (done) {
+      test({
+        maxage: 10000,
+        sha256s: ['abc123', 'xyz456'],
+        reportUri: 'http://example.com',
+        reportOnly: false
+      })
+      .expect('Public-Key-Pins', 'pin-sha256="abc123"; pin-sha256="xyz456"; max-age=10; report-uri="http://example.com"', done);
+    });
+
     it('changes the header when using a report URI and includes subdomains', function (done) {
@@ -108,4 +118,12 @@ test({ maxage: 10000, sha256s: ['abc123', 'xyz456'], reportUri: 'http://example.com', includeSubdomains: true })
 
+    it('fails if called with reportOnly: true but no reportUri', function () {
+      assert.throws(callWith({
+        maxage: 10000,
+        sha256s: ['abc123', 'xyz456'],
+        reportOnly: true
+      }));
+    });
+
   });
 
 });

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

8968

increased by11.61%

Lines of code

153

increased by18.6%

No dependency changes