hpkp - npm Package Compare versions

Comparing version 2.0.0 to 2.0.1

index.js

@@ -5,17 +5,10 @@ var badArgumentsError = new Error('hpkp must be called with a maxAge and at least two SHA-256s (one actually used and another kept as a backup).')
   var options = parseOptions(passedOptions)
-  var headerKey = getHeaderKey(options)
+  var headerName = getHeaderName(options)
   var headerValue = getHeaderValue(options)
 
   return function hpkp (req, res, next) {
-    var setHeader = true
-    var setIf = options.setIf
-
-    if (setIf) {
-      setHeader = setIf(req, res)
+    if (options.setIf(req, res)) {
+      res.setHeader(headerName, headerValue)
     }
 
-    if (setHeader) {
-      res.setHeader(headerKey, headerValue)
-    }
-
     next()
@@ -32,7 +25,7 @@ }
   var sha256s = options.sha256s
-  var setIf = options.setIf
+  var setIf = options.setIf || function () { return true }
 
   if (!maxAge || maxAge <= 0) { throw badArgumentsError }
   if (!sha256s || sha256s.length < 2) { throw badArgumentsError }
-  if (setIf && (typeof setIf !== 'function')) {
+  if (typeof setIf !== 'function') {
     throw new TypeError('setIf must be a function.')
@@ -53,3 +46,3 @@ }
 
-function getHeaderKey (options) {
+function getHeaderName (options) {
   var header = 'Public-Key-Pins'
@@ -56,0 +49,0 @@ if (options.reportOnly) {

package.json

@@ -6,7 +6,7 @@ {
   "contributors": [
-    "Evan Hahn <me@evanhahn.com> (http://evanhahn.com)",
+    "Evan Hahn <me@evanhahn.com> (https://evanhahn.com)",
     "Tom Delmas <tdelmas@gmail.com> (https://tdelmas.ovh)"
   ],
   "description": "HTTP Public Key Pinning (HPKP) middleware",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "keywords": [
@@ -32,6 +32,6 @@ "helmet",
   "devDependencies": {
-    "connect": "^3.5.0",
-    "mocha": "^3.1.2",
-    "standard": "^8.5.0",
-    "supertest": "^2.0.1"
+    "connect": "^3.7.0",
+    "mocha": "^8.1.1",
+    "standard": "^14.3.4",
+    "supertest": "^4.0.2"
   },
@@ -38,0 +38,0 @@ "standard": {

README.md

 HTTP Public Key Pinning (HPKP) middleware
 =========================================
 [![Build Status](https://travis-ci.org/helmetjs/hpkp.svg?branch=master)](https://travis-ci.org/helmetjs/hpkp)
-[![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg)](http://standardjs.com/)
 
-[_Looking for a changelog?_](https://github.com/helmetjs/helmet/blob/master/HISTORY.md)
+**This header has been deprecated citing risks of misuse, and therefore is not recommeded.** This module (`hpkp`) will not receive any new feature development but will still be maintained.
 
 Adds Public Key Pinning headers to Express/Connect applications. To learn more about HPKP, check out [the spec](https://tools.ietf.org/html/rfc7469), [the article on MDN](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning), and [this tutorial](https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/).
 
+**Be very careful when deploying this**—you can easily misuse this header and cause problems. Chrome has dropped support for HPKP citing risks of misuse.
+
 Usage:
 
 ```js
-var express = require('express')
-var hpkp = require('hpkp')
+const express = require('express')
+const hpkp = require('hpkp')
 
-var app = express()
+const app = express()
 
-var ninetyDaysInSeconds = 7776000
+const ninetyDaysInSeconds = 7776000
 app.use(hpkp({
@@ -28,3 +29,3 @@ maxAge: ninetyDaysInSeconds,
   // This is optional.
-  setIf: function (req, res) {
+  setIf(req, res) {
     return req.secure
@@ -31,0 +32,0 @@ }

No alert changes

Improved metrics

Total package byte prevSize

5520

increased by0.9%

Number of lines in readme file

38

increased by2.7%

Worsened metrics

Number of package files

4

decreased by-20%

Lines of code

53

decreased by-8.62%

No dependency changes