The vary npm package is a utility for manipulating the HTTP Vary header. It allows developers to programmatically append values to the Vary header of an HTTP response, ensuring that the correct header is constructed for proper handling of HTTP caching, content negotiation, and other mechanisms that might vary the response based on certain aspects of the request.
Appending to the Vary header
This feature allows you to append a field to the Vary header of an HTTP response. In the code sample, the 'User-Agent' field is added to the Vary header, indicating that the response may vary based on the 'User-Agent' header of the request.
"use strict";
const http = require('http');
const vary = require('vary');
http.createServer((req, res) => {
  vary(res, 'User-Agent');
  res.end('Response varies based on User-Agent header.');
}).listen(3000);
Appending multiple fields
This feature allows you to append multiple fields to the Vary header at once. In the code sample, both 'User-Agent' and 'Accept-Encoding' are added to the Vary header, indicating that the response may vary based on both of these request headers.
"use strict";
const http = require('http');
const vary = require('vary');
http.createServer((req, res) => {
  vary(res, 'User-Agent, Accept-Encoding');
  res.end('Response varies based on User-Agent and Accept-Encoding headers.');
}).listen(3000);
The 'fresh' package is an HTTP response freshness testing library that evaluates whether a response is still 'fresh' in the context of request and response headers. It is similar to 'vary' in that it deals with HTTP headers, but 'fresh' focuses on cache validation while 'vary' focuses on managing the Vary header.
The 'negotiator' package is an HTTP content negotiation library that supports media types, charsets, encodings, languages, and more. It is similar to 'vary' in that it assists with content negotiation, but 'negotiator' provides a higher-level API for selecting the best response based on the client's request, whereas 'vary' is specifically for manipulating the Vary header.
Manipulate the HTTP Vary header
This is a Node.js module available through the npm registry. Installation is done using the npm install command:
$ npm install vary
API
var vary = require('vary')
vary(res, field)
Adds the given header field to the Vary response header of res. This can be a string of a single field, a string of a valid Vary header, or an array of multiple fields.
This will append the header if not already listed, otherwise leaves it listed in the current location.
// Append "Origin" to the Vary header of the response
vary(res, 'Origin')
vary.append(header, field)
Adds the given header field to the Vary response header string header. This can be a string of a single field, a string of a valid Vary header, or an array of multiple fields.
This will append the header if not already listed, otherwise leaves it listed in the current location. The new header string is returned.
// Get header string appending "Origin" to "Accept, User-Agent"
vary.append('Accept, User-Agent', 'Origin')
Example
var http = require('http')
var vary = require('vary')
http.createServer(function onRequest (req, res) {
  // about to user-agent sniff, so tell caches the response depends on User-Agent
  vary(res, 'User-Agent')
  var ua = req.headers['user-agent'] || ''
  var isMobile = /mobi|android|touch|mini/i.test(ua)
  // serve site, depending on isMobile
  res.setHeader('Content-Type', 'text/html')
  res.end('You are (probably) ' + (isMobile ? '' : 'not ') + 'a mobile user')
}).listen(3000)
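The append semantics documented above matter for caching safety: a response whose content depends on a request header but does not list that header in Vary can be stored by a shared cache and served to a client the response was not built for. The following is an added example, not the vary package's own code; it reimplements the documented append behaviour in a self-contained appendVary (so it runs without npm), applies it to a CORS handler that echoes an allow-listed Origin, and includes a check a defender can run over captured response headers. The allow-list and header objects are constructed for the example.

```javascript
'use strict';

// Added example (not the vary package's own code): a small reimplementation of
// the README's append semantics so the example runs offline. Fields are compared
// case-insensitively, an already-listed field keeps its position, and '*' wins.
function appendVary(header, field) {
  const existing = header.split(',').map(s => s.trim()).filter(Boolean);
  const toAdd = Array.isArray(field)
    ? field
    : field.split(',').map(s => s.trim()).filter(Boolean);
  if (existing.includes('*') || toAdd.includes('*')) return '*';
  const seen = new Set(existing.map(f => f.toLowerCase()));
  for (const f of toAdd) {
    if (!seen.has(f.toLowerCase())) {
      existing.push(f);
      seen.add(f.toLowerCase());
    }
  }
  return existing.join(', ');
}

// Constructed allow-list of origins permitted to read this endpoint cross-origin.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

// Response headers for an endpoint that echoes an allow-listed Origin back in
// Access-Control-Allow-Origin. Because the value depends on the request's
// Origin, the response must vary on Origin; otherwise a shared cache could
// hand one origin's Access-Control-Allow-Origin value to requests from another.
function corsHeaders(requestHeaders, existingVary = '') {
  const origin = requestHeaders['origin'];
  const headers = { 'Vary': appendVary(existingVary, 'Origin') };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
  }
  return headers;
}

// Detection check over captured response headers: flags a response that echoes
// a specific origin in Access-Control-Allow-Origin without varying on Origin.
function missingOriginVary(responseHeaders) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (!acao || acao === '*') return false;
  const vary = responseHeaders['Vary'] || '';
  if (vary.trim() === '*') return false;
  const fields = vary.split(',').map(s => s.trim().toLowerCase());
  return !fields.includes('origin');
}
```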
Testing
$ npm test
FAQs
What is vary?
Manipulate the HTTP Vary header
The npm package vary receives a total of 26,656,566 weekly downloads. As such, vary popularity was classified as popular.
We found that vary demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.