http-headers-js
Http constants for mime-types, headers, tracking-statuses, methods, content-encodings, csp, response codes and cache-control instructions
Current version 1.0.10
Provides standard and common non-standard http headers, mime-types, methods, content codings, response statuses, CSP directives and sources, cache-control instructions and tracking statuses.
All headers are capitalized, hence Access-Control-Request-Method
All mime-types are lowercase, hence video/mpeg
All content codings are lowercase, hence deflate
All methods are uppercase, hence POST
All response codes are integer numbers, hence 404
All Cache-Control instructions are lowercase, hence min-fresh
All CSP directives and sources are lowercase, hence unsafe-eval
Key names are constructed from uppercase values, with -, + and . substituted with _, hence
Headers.STRICT_TRANSPORT_SECURITY //Strict-Transport-Security
MimeTypes.Application.XOP_XML //application/xop+xml
MimeTypes.Model.X3D_VRML //model/x3d+vrml
ContentEncodings.X_GZIP //x-gzip
MimeTypes.Image.VND_WAP_WBMP //image/vnd.wap.wbmp
ResponseCodes.I_AM_A_TEAPOT //418
CacheControls.MAX_AGE //max-age
CSPS.UNSAFE_EVAL //unsafe-eval
Install local
npm install http-headers-js --save
Available at the moment
let {
    Headers,
    TrackingStatuses,
    MimeTypes,
    Methods,
    ContentEncodings,
    ResponseCodes,
    CacheControls,
    RespCodeIs,
    CSPD,
    CSPS
} = require('http-headers-js');
Import and usage, as exemplified by Express.js middleware
let { Headers } = require('http-headers-js');
/* code */
isLoggedIn: function (req, res, next) {
    // Read the Authorization request header by its constant name
    let token = req.get(Headers.AUTHORIZATION);
    if (token == null) {
        return res.status(401).send("Not authorized");
    }
    OAuth.get(token) //some library to check token
        .then(function (user) {
            if (user == null) {
                return res.status(401).send("Not authorized");
            }
            next();
        })
        // A failed token check goes to the error handler instead of leaving the request pending
        .catch(next);
}
/*code*/
const { MimeTypes } = require('http-headers-js');
class ExtensionFilter {
    // Map a Content-Type value to a file extension label, or null if unknown
    static getExtensionByContentType (contentType) {
        switch (contentType) {
            case MimeTypes.Application.PDF:
                return "PDF";
            case MimeTypes.Vnd.MS.WORD_2007:
                return "DOCX";
            default:
                return null;
        }
    }
}
To use mime types, first access the type, then the subtype:
MimeTypes.Application.SOAP_XML //application/soap+xml
MimeTypes.Application.X.WWW_FORM_URLENCODED //application/x-www-form-urlencoded
MimeTypes.X.WWW_FORM_URLENCODED //application/x-www-form-urlencoded
MimeTypes.Vnd.Od.TEXT //application/vnd.oasis.opendocument.text
MimeTypes.Vnd.MS.EXCEL //application/vnd.ms-excel
MimeTypes.Vnd.MS.EXCEL_2007 //application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
MimeTypes.Pkcs.X_PKCS7_CERTREQRESP //application/x-pkcs7-certreqresp
There are also two duplicates for mime types. One is MimeTypes.X and MimeTypes.Application.X, another is MimeTypes.Pkcs and MimeTypes.Application.Pkcs
CSPS contains two sets of values - common and with QTD suffix. QTD values are quoted:
CSPS.SELF //string "self"
CSPS.SELF_QTD //string "'self'"
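Why the QTD variants matter, as an added example that is not part of the package's README: CSP keyword sources are only recognised when single-quoted, and an unquoted self is parsed as a host name, so the policy does not grant what its author intended. The code uses local stand-in constants shaped like CSPS.SELF and CSPS.SELF_QTD; only those two keys appear on this page, and the other keys, the directive strings and the helpers buildCsp and findUnquotedKeywords are assumptions made for illustration.

```javascript
// Stand-ins shaped like the package's constants so the example runs offline.
// Only SELF and SELF_QTD are shown in the README; the rest are assumed here.
const CSPS = {
  SELF: "self", SELF_QTD: "'self'",
  NONE: "none", NONE_QTD: "'none'",
  UNSAFE_EVAL: "unsafe-eval", UNSAFE_EVAL_QTD: "'unsafe-eval'",
  UNSAFE_INLINE: "unsafe-inline", UNSAFE_INLINE_QTD: "'unsafe-inline'",
};
// CSP keyword sources that are only valid when single-quoted.
const KEYWORDS = new Set(["self", "none", "unsafe-eval", "unsafe-inline", "strict-dynamic"]);

// Serialize { directive: [sources] } into a Content-Security-Policy value.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => [directive, ...sources].join(" "))
    .join("; ");
}

// Parse a policy string and report keyword sources written without quotes.
// A browser reads an unquoted `self` as a host named "self", not as the origin.
function findUnquotedKeywords(headerValue) {
  const findings = [];
  for (const part of headerValue.split(";")) {
    const [directive, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!directive) continue;
    for (const src of sources) {
      if (KEYWORDS.has(src.toLowerCase())) {
        findings.push({ directive: directive.toLowerCase(), source: src });
      }
    }
  }
  return findings;
}

// Constructed policies: the first uses the bare values, the second the quoted ones.
const weak = buildCsp({ "default-src": [CSPS.SELF], "script-src": [CSPS.SELF, CSPS.UNSAFE_EVAL] });
const good = buildCsp({ "default-src": [CSPS.SELF_QTD], "script-src": [CSPS.SELF_QTD] });

console.log(weak, findUnquotedKeywords(weak));
console.log(good, findUnquotedKeywords(good));
```

A check like findUnquotedKeywords fits in a unit test or a response-header lint step, so a policy built from the bare values is caught before it ships.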
There are 5 functions to check response code:
RespCodeIs.Info
RespCodeIs.Success
RespCodeIs.Redirect
RespCodeIs.ClientErr
RespCodeIs.ServerErr
All functions take a number argument, for example:
RespCodeIs.ServerErr(500) //return true
RespCodeIs.ServerErr(ResponseCodes.INTERNAL_SERVER_ERROR) //return true
RespCodeIs.ClientErr(ResponseCodes.USE_PROXY) //return false
No additional dependencies for production, mocha and chai for testing.
npm test
Issues? Write to sypachev_s_s@mail.ru
CacheControls
RespCodeIs
ResponseCodes
Early-Data, Downlink, Save-Data, Referrer-Policy, Content-Security-Policy-Report-Only, Expect-CT, Public-Key-Pins-Report-Only, X-Download-Options, X-Permitted-Cross-Domain-Policies, Sec-WebSocket-..., Large-Allocation, Server-Timing, SourceMap, X-DNS-Prefetch-Control, X-Robots-Tag
VIEWPORT-WIDTH to VIEWPORT_WIDTH, 3GPP to _3GPP (_3GPP2), VND.RN_REALAUDIO to VND_RN_REALAUDIO, VND.WAVE to VND_WAVE, VND.MICROSOFT.ICON to VND_MICROSOFT_ICON, VND.WAP.WBMP to VND_WAP_WBMP
Content-Version, Derived-From, Alternates, MIME-Version, Public, Title headers
ContentEncodings
Methods
Last-Event-ID, DPR, Content-DPR, Accept-CH, Accept-CH-Lifetime, Width, Viewport-Width, Keep-Alive headers
FAQs
The npm package http-headers-js receives a total of 280 weekly downloads. As such, http-headers-js popularity was classified as not popular.
We found that http-headers-js demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.