Skip to content

Commit

Permalink
docs: include new option
Browse files Browse the repository at this point in the history
  • Loading branch information
willfarrell committed Oct 26, 2024
1 parent 38e121a commit d6e914b
Show file tree
Hide file tree
Showing 5 changed files with 39 additions and 15 deletions.
5 changes: 2 additions & 3 deletions packages/http-security-headers/__tests__/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -274,9 +274,8 @@ test('It should support report only mode', async (t) => {

handler.use(
httpSecurityHeaders({
contentSecurityPolicy: {
reportOnly: true
}
contentSecurityPolicy: {},
contentSecurityPolicyReportOnly: true
})
)

Expand Down
5 changes: 3 additions & 2 deletions packages/http-security-headers/index.d.ts
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,8 @@ interface Options {
xssProtection?: {
reportUri?: string
}
contentSecurityPolicy?: Record<string, string | boolean>
contentSecurityPolicy?: Record<string, string>
contentSecurityPolicyReportOnly?: boolean
crossOriginEmbedderPolicy?: {
policy?: string
}
Expand All @@ -54,7 +55,7 @@ interface Options {

type WithFalseValues<T> = { [K in keyof T]: T[K] | false }

declare function httpSecurityHeaders (
declare function httpSecurityHeaders(
options?: WithFalseValues<Options>
): middy.MiddlewareObj

Expand Down
33 changes: 27 additions & 6 deletions packages/http-security-headers/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,9 @@ const defaults = {
// Other directives
'require-trusted-types-for': "'script'",
'trusted-types': "'none'",
'upgrade-insecure-requests': '',
reportOnly: false
'upgrade-insecure-requests': ''
},
contentSecurityPolicyReportOnly: false,
contentTypeOptions: {
action: 'nosniff'
},
Expand Down Expand Up @@ -114,11 +114,16 @@ const defaults = {
referrerPolicy: {
policy: 'no-referrer'
},
reportingEndpoints: {
csp: '',
permissions: ''
},
reportTo: {
maxAge: 365 * 24 * 60 * 60,
default: '',
includeSubdomains: true,
csp: '',
permissions: '',
staple: '',
xss: ''
},
Expand All @@ -137,9 +142,8 @@ const helmetHtmlOnly = {}

// *** https://github.com/helmetjs/helmet/tree/main/middlewares *** //
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
helmetHtmlOnly.contentSecurityPolicy = (reportOnly) => (headers, config) => {
let header = Object.keys(config)
.filter((policy) => policy !== 'reportOnly')
.map((policy) => (config[policy] ? `${policy} ${config[policy]}` : ''))
.filter((str) => str)
.join('; ')
Expand All @@ -150,7 +154,7 @@ helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
header += '; upgrade-insecure-requests'
}

const cspHeaderName = config.reportOnly
const cspHeaderName = reportOnly
? 'Content-Security-Policy-Report-Only'
: 'Content-Security-Policy'
headers[cspHeaderName] = header
Expand Down Expand Up @@ -188,6 +192,7 @@ helmet.referrerPolicy = (headers, config) => {
headers['Referrer-Policy'] = config.policy
}

// DEPRECATED by reportingEndpoints
helmetHtmlOnly.reportTo = (headers, config) => {
headers['Report-To'] = Object.keys(config)
.map((group) => {
Expand All @@ -203,6 +208,15 @@ helmetHtmlOnly.reportTo = (headers, config) => {
.join(', ')
}

helmet.reportingEndpoints = (headers, config) => {
headers['Reporting-Endpoints'] = Object.keys(config)
.map((group) => {
return config[group] && group + '-endpoint=' + config[group]
})
.filter((str) => str)
.join(', ')
}

// https://github.com/helmetjs/hsts
helmet.strictTransportSecurity = (headers, config) => {
let header = 'max-age=' + Math.round(config.maxAge)
Expand Down Expand Up @@ -280,7 +294,14 @@ const httpSecurityHeadersMiddleware = (opts = {}) => {
Object.keys(helmetHtmlOnly).forEach((key) => {
if (!options[key]) return
const config = { ...defaults[key], ...options[key] }
helmetHtmlOnly[key](request.response.headers, config)
if (key === 'contentSecurityPolicy') {
helmetHtmlOnly[key](options.contentSecurityPolicyReportOnly)(
request.response.headers,
config
)
} else {
helmetHtmlOnly[key](request.response.headers, config)
}
})
}
}
Expand Down
8 changes: 5 additions & 3 deletions website/docs/middlewares/http-security-headers.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,8 @@ To install this middleware you can use NPM:
npm install --save @middy/http-security-headers
```

## Options

## Features
- `dnsPrefetchControl` controls browser DNS prefetching
- `expectCt` for handling Certificate Transparency (Future Feature)
- `frameguard` to prevent clickjacking
- `hidePoweredBy` to remove the Server/X-Powered-By header
- `hsts` for HTTP Strict Transport Security
Expand All @@ -24,6 +22,10 @@ npm install --save @middy/http-security-headers
- `referrerPolicy` to hide the Referer header
- `xssFilter` adds some small XSS protections

## Options

There are a lot, see [source](https://github.com/middyjs/middy/blob/main/packages/http-security-headers/index.js#L5)

## Sample usage

```javascript
Expand Down
3 changes: 2 additions & 1 deletion website/docs/upgrade/4-5.md
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@ No change
### [http-content-encoding](/docs/middlewares/http-content-encoding)

- Use `preferredLanguage` from `context` instead of `event` (See http-content-negotiation). **Breaking Change**
- Add in `Vary` support ([#1253](https://github.com/middyjs/middy/issues/1253)) **Breaking Change**

### [http-content-negotiation](/docs/middlewares/http-content-negotiation)

Expand Down Expand Up @@ -98,7 +99,7 @@ No change

### [http-security-headers](/docs/middlewares/http-security-headers)

No change
- Add in support for `Content-Security-Policy-Report-Only` ([#1248](https://github.com/middyjs/middy/issues/1248))

### [http-urlencode-body-parser](/docs/middlewares/http-urlencode-body-parser)

Expand Down

0 comments on commit d6e914b

Please sign in to comment.