hpkp - npm Package Compare versions

Comparing version 1.0.0 to 1.1.0

index.js

@@ -9,3 +9,13 @@ var badArgumentsError = new Error('hpkp must be called with a maxAge and at least two SHA-256s (one actually used and another kept as a backup).')
   return function hpkp (req, res, next) {
-    res.setHeader(headerKey, headerValue)
+    var setHeader = true
+    var setIf = options.setIf
+
+    if (setIf) {
+      setHeader = setIf(req, res)
+    }
+
+    if (setHeader) {
+      res.setHeader(headerKey, headerValue)
+    }
+
     next()
@@ -22,5 +32,9 @@ }
   var sha256s = options.sha256s
+  var setIf = options.setIf
 
   if (!maxAge || maxAge <= 0) { throw badArgumentsError }
   if (!sha256s || sha256s.length < 2) { throw badArgumentsError }
+  if (setIf && (typeof setIf !== 'function')) {
+    throw new TypeError('setIf must be a function.')
+  }
 
@@ -34,3 +48,4 @@ if (options.reportOnly && !options.reportUri) { throw badArgumentsError }
     reportUri: options.reportUri,
-    reportOnly: options.reportOnly
+    reportOnly: options.reportOnly,
+    setIf: setIf
   }
@@ -37,0 +52,0 @@ }

package.json

@@ -10,3 +10,3 @@ {
   "description": "HTTP Public Key Pinning (HPKP) middleware",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "keywords": [
@@ -31,6 +31,6 @@ "helmet",
   "devDependencies": {
-    "connect": "^3.4.0",
-    "mocha": "^2.3.4",
-    "standard": "^5.4.1",
-    "supertest": "^1.1.0"
+    "connect": "^3.4.1",
+    "mocha": "^2.4.5",
+    "standard": "^6.0.7",
+    "supertest": "^1.2.0"
   },
@@ -37,0 +37,0 @@ "standard": {

README.md

@@ -6,2 +6,4 @@ HTTP Public Key Pinning (HPKP) middleware
 
+[_Looking for a changelog?_](https://github.com/helmetjs/helmet/blob/master/HISTORY.md)
+
 Adds Public Key Pinning headers to Express/Connect applications. To learn more about HPKP, check out [the spec](https://tools.ietf.org/html/rfc7469), [the article on MDN](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning), and [this tutorial](https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/).
@@ -22,4 +24,10 @@
   includeSubdomains: true,         // optional
-  reportUri: 'http://example.com'  // optional
-  reportOnly: false                // optional
+  reportUri: 'http://example.com', // optional
+  reportOnly: false,               // optional
+
+  // Set the header based on a condition.
+  // This is optional.
+  setIf: function (req, res) {
+    return req.secure
+  }
 }))
@@ -26,0 +34,0 @@ ```

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Number of lines in readme file

35

increased by29.63%

Number of medium supply chain risk alerts

0

decreased by-100%

Worsened metrics

Total package byte prevSize

5226

decreased by-42.37%

Number of package files

5

decreased by-28.57%

Lines of code

58

decreased by-63.29%

No dependency changes