Nautilus: Pelagic Mollusc

    @middy/http-security-headers
    TypeScript icon, indicating that this package has built-in type declarations

    3.0.3 • Public • Published

    Middy http-security-headers middleware

    Middy logo

    HTTP security headers middleware for the middy framework, the stylish Node.js middleware engine for AWS Lambda

    Applies best practice security headers to responses. It's a simplified port of [HelmetJS](https://helmetjs.github.io/). See HelmetJS documentation for more details.

    npm version npm install size GitHub Actions CI status badge
    Standard Code Style Known Vulnerabilities Language grade: JavaScript Core Infrastructure Initiative (CII) Best Practices
    Chat on Gitter Ask questions on StackOverflow

    You can read the documentation at: https://middy.js.org/docs/middlewares//http-security-headers

    Applies best practice security headers to responses. It's a simplified port of HelmetJS. See HelmetJS documentation for more details.

    Install

    To install this middleware you can use NPM:

    npm install --save @middy/http-security-headers

    Options

    Setting an option to false to cause that rule to be ignored.

    All Responses

    • originAgentCluster: Default to {} to include
    • referrerPolicy: Default to { policy: 'no-referrer' }
    • strictTransportSecurity: Default to { maxAge: 15552000, includeSubDomains: true, preload: true }
    • X-dnsPrefetchControl: Default to { allow: false }
    • X-downloadOptions: Default to { action: 'noopen' }
    • X-poweredBy: Default to { server: '' } to remove Server and X-Powered-By
    • X-contentTypeOptions: Default to { action: 'nosniff' }

    HTML Responses

    • contentSecurityPolicy: Default to { 'default-src': "'none'", 'base-uri':"'none'", 'sandbox':'', 'form-action':"'none'", 'frame-ancestors':"'none'", 'navigate-to':"'none'", 'report-to':'csp', 'require-trusted-types-for':"'script'", 'trusted-types':"'none'", 'upgrade-insecure-requests':'' }
    • crossOriginEmbedderPolicy: Default to { policy: 'require-corp' }
    • crossOriginOpenerPolicy: Default to { policy: 'same-origin' }
    • crossOriginResourcePolicy: Default to { policy: 'same-origin' }
    • permissionsPolicy: Default to { *:'', ... } where all allowed values are set to disable
    • reportTo: Defaults to { maxAge: 31536000, default: '', includeSubdomains: true, csp: '', staple:'', xss: '' } which won't report by default, needs setting
    • X-frameOptions: Default to { action: 'deny' }
    • X-xssProtection: Defaults to { reportUri: '' }'

    Sample usage

    import middy from '@middy/core'
    import httpSecurityHeaders from '@middy/http-security-headers'
    
    const handler = middy((event, context) => {
      return {}
    })
    
    handler
      .use(httpSecurityHeaders())

    Middy documentation and examples

    For more documentation and examples, refers to the main Middy monorepo on GitHub or Middy official website.

    Contributing

    Everyone is very welcome to contribute to this repository. Feel free to raise issues or to submit Pull Requests.

    License

    Licensed under MIT License. Copyright (c) 2017-2022 Luciano Mammino, will Farrell, and the Middy team.

    FOSSA Status

    Install

    npm i @middy/http-security-headers

    Homepage

    middy.js.org

    DownloadsWeekly Downloads

    11,374

    Version

    3.0.3

    License

    MIT

    Unpacked Size

    19.3 kB

    Total Files

    6

    Last publish

    Collaborators

    • lmammino
    • middyjs
    • willfarrell