@middy/http-security-headers

Applies best practice security headers to responses. It's a simplified port of HelmetJS

Downloads in past

Stats

StarsIssuesVersionUpdatedCreatedSize
@middy/http-security-headers
3,04263.5.08 hours ago3 years agoMinified + gzip package size for @middy/http-security-headers in KB

Readme

Middy http-security-headers middleware
Middy logo

HTTP security headers middleware for the middy framework, the stylish Node.js middleware engine for AWS Lambda

Applies best practice security headers to responses. It's a simplified port of HelmetJS. See HelmetJS documentation for more details.

<img src="https://badge.fury.io/js/%40middy%2Fhttp-security-headers.svg" alt="npm version" style="max-width:100%;">
<img src="https://packagephobia.com/badge?p=@middy/http-security-headers" alt="npm install size" style="max-width:100%;">
<img src="https://github.com/middyjs/middy/actions/workflows/tests.yml/badge.svg?branch=main&event=push" alt="GitHub Actions CI status badge" style="max-width:100%;">

<a href="https://standardjs.com/">
 <img src="https://img.shields.io/badge/code_style-standard-brightgreen.svg" alt="Standard Code Style"  style="max-width:100%;">
<img src="https://snyk.io/test/github/middyjs/middy/badge.svg" alt="Known Vulnerabilities" data-canonical-src="https://snyk.io/test/github/middyjs/middy" style="max-width:100%;">
<img src="https://img.shields.io/lgtm/grade/javascript/g/middyjs/middy.svg?logo=lgtm&logoWidth=18" alt="Language grade: JavaScript" style="max-width:100%;">
<img src="https://bestpractices.coreinfrastructure.org/projects/5280/badge" alt="Core Infrastructure Initiative (CII) Best Practices"  style="max-width:100%;">

<img src="https://badges.gitter.im/gitterHQ/gitter.svg" alt="Chat on Gitter" style="max-width:100%;">
<img src="https://img.shields.io/badge/StackOverflow-[middy]-yellow" alt="Ask questions on StackOverflow" style="max-width:100%;">

You can read the documentation at: https://middy.js.org/docs/middlewares//http-security-headers


Applies best practice security headers to responses. It's a simplified port of HelmetJS. See HelmetJS documentation for more details.

Install

To install this middleware you can use NPM:
npm install --save @middy/http-security-headers

Options

Setting an option to false to cause that rule to be ignored.

All Responses

  • originAgentCluster: Default to {} to include
  • referrerPolicy: Default to { policy: 'no-referrer' }
  • strictTransportSecurity: Default to { maxAge: 15552000, includeSubDomains: true, preload: true }
  • X-dnsPrefetchControl: Default to { allow: false }
  • X-downloadOptions: Default to { action: 'noopen' }
  • X-poweredBy: Default to { server: '' } to remove Server and X-Powered-By
  • X-contentTypeOptions: Default to { action: 'nosniff' }

HTML Responses

  • contentSecurityPolicy: Default to { 'default-src': "'none'", 'base-uri':"'none'", 'sandbox':'', 'form-action':"'none'", 'frame-ancestors':"'none'", 'navigate-to':"'none'", 'report-to':'csp', 'require-trusted-types-for':"'script'", 'trusted-types':"'none'", 'upgrade-insecure-requests':'' }
  • crossOriginEmbedderPolicy: Default to { policy: 'require-corp' }
  • crossOriginOpenerPolicy: Default to { policy: 'same-origin' }
  • crossOriginResourcePolicy: Default to { policy: 'same-origin' }
  • permissionsPolicy: Default to { *:'', ... } where all allowed values are set to disable
  • reportTo: Defaults to { maxAge: 31536000, default: '', includeSubdomains: true, csp: '', staple:'', xss: '' } which won't report by default, needs setting
  • X-frameOptions: Default to { action: 'deny' }
  • X-xssProtection: Defaults to { reportUri: '' }'

Sample usage

import middy from '@middy/core'
import httpSecurityHeaders from '@middy/http-security-headers'

const handler = middy((event, context) => {
  return {}
})

handler
  .use(httpSecurityHeaders())

Middy documentation and examples

For more documentation and examples, refers to the main Middy monorepo on GitHub or Middy official website.

Contributing

Everyone is very welcome to contribute to this repository. Feel free to raise issues or to submit Pull Requests.

License

Licensed under MIT License. Copyright (c) 2017-2022 Luciano Mammino, will Farrell, and the Middy team.
FOSSA Status