# Middy http-security-headers middleware

HTTP security headers middleware for the middy framework, the stylish Node.js middleware engine for AWS Lambda.

Applies best practice security headers to responses. It's a simplified port of [HelmetJS](https://helmetjs.github.io/). See HelmetJS documentation for more details.

You can read the documentation at: https://middy.js.org/docs/middlewares//http-security-headers
## Install

To install this middleware you can use NPM:

```bash
npm install --save @middy/http-security-headers
```

## Options

Setting an option to `false` causes that rule to be ignored.
### All Responses

- `originAgentCluster`: Default to `{}` to include
- `referrerPolicy`: Default to `{ policy: 'no-referrer' }`
- `strictTransportSecurity`: Default to `{ maxAge: 15552000, includeSubDomains: true, preload: true }`
- X-`dnsPrefetchControl`: Default to `{ allow: false }`
- X-`downloadOptions`: Default to `{ action: 'noopen' }`
- X-`poweredBy`: Default to `{ server: '' }` to remove `Server` and `X-Powered-By`
- X-`contentTypeOptions`: Default to `{ action: 'nosniff' }`
### HTML Responses

- `contentSecurityPolicy`: Default to `{ 'default-src': "'none'", 'base-uri': "'none'", 'sandbox': '', 'form-action': "'none'", 'frame-ancestors': "'none'", 'navigate-to': "'none'", 'report-to': 'csp', 'require-trusted-types-for': "'script'", 'trusted-types': "'none'", 'upgrade-insecure-requests': '' }`
- `crossOriginEmbedderPolicy`: Default to `{ policy: 'require-corp' }`
- `crossOriginOpenerPolicy`: Default to `{ policy: 'same-origin' }`
- `crossOriginResourcePolicy`: Default to `{ policy: 'same-origin' }`
- `permissionsPolicy`: Default to `{ *: '', ... }` where all allowed values are set to disable
- `reportTo`: Defaults to `{ maxAge: 31536000, default: '', includeSubdomains: true, csp: '', staple: '', xss: '' }` which won't report by default, needs setting
- X-`frameOptions`: Default to `{ action: 'deny' }`
- X-`xssProtection`: Defaults to `{ reportUri: '' }`
## Sample usage

```javascript
import middy from '@middy/core'
import httpSecurityHeaders from '@middy/http-security-headers'

const handler = middy((event, context) => {
  return {}
})

handler
  .use(httpSecurityHeaders())
```
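To make the option semantics above concrete, here is an added, self-contained illustration (not the package's own source) of a middy-style `after` hook: it shows how a subset of the documented options map to header values, how the "All Responses" and "HTML Responses" groups differ, and how passing `false` disables a rule. The `securityHeaders` and `applyTo` names, and the constructed responses, are assumptions for this example.

```javascript
// Added illustration only; the real middleware lives in @middy/http-security-headers.
// Defaults copied from the option list above (subset).
const defaults = {
  originAgentCluster: {},
  referrerPolicy: { policy: 'no-referrer' },
  strictTransportSecurity: { maxAge: 15552000, includeSubDomains: true, preload: true },
  dnsPrefetchControl: { allow: false },
  contentTypeOptions: { action: 'nosniff' },
  frameOptions: { action: 'deny' } // HTML responses only
}

// Each rule turns its (merged) option object into the header it sets.
const rules = {
  originAgentCluster: () => ({ 'Origin-Agent-Cluster': '?1' }),
  referrerPolicy: (o) => ({ 'Referrer-Policy': o.policy }),
  strictTransportSecurity: (o) => ({
    'Strict-Transport-Security':
      `max-age=${o.maxAge}` +
      (o.includeSubDomains ? '; includeSubDomains' : '') +
      (o.preload ? '; preload' : '')
  }),
  dnsPrefetchControl: (o) => ({ 'X-DNS-Prefetch-Control': o.allow ? 'on' : 'off' }),
  contentTypeOptions: (o) => ({ 'X-Content-Type-Options': o.action }),
  frameOptions: (o) => ({ 'X-Frame-Options': o.action.toUpperCase() })
}
const htmlOnly = new Set(['frameOptions'])

// Hypothetical middleware factory with the same { after } shape middy uses.
function securityHeaders (opts = {}) {
  const options = { ...defaults, ...opts }
  const after = (request) => {
    const response = request.response
    response.headers = response.headers || {}
    const isHtml = /text\/html/i.test(response.headers['Content-Type'] || '')
    for (const [name, rule] of Object.entries(rules)) {
      if (options[name] === false) continue // false disables the rule
      if (htmlOnly.has(name) && !isHtml) continue // HTML-only rules are skipped
      Object.assign(response.headers, rule(options[name]))
    }
  }
  return { after }
}

// Helper: run the hook over a constructed handler response and return its headers.
function applyTo (response, opts) {
  const request = { response }
  securityHeaders(opts).after(request)
  return request.response.headers
}
```

Calling `applyTo({ headers: { 'Content-Type': 'application/json' } })` yields the "All Responses" headers but no `X-Frame-Options`, while the same call with `text/html` adds `X-Frame-Options: DENY`.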
## Middy documentation and examples

For more documentation and examples, refer to the main Middy monorepo on GitHub or the Middy official website.
## Contributing

Everyone is very welcome to contribute to this repository. Feel free to raise issues or to submit Pull Requests.

## License

Licensed under MIT License. Copyright (c) 2017-2022 Luciano Mammino, will Farrell, and the Middy team.