"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); Object.defineProperty(module, "exports", { enumerable: true, get: function() { return _default; } }); const _util = require("@middy/util"); const defaults = { contentSecurityPolicy: { 'default-src': "'none'", 'base-uri': "'none'", sandbox: '', 'form-action': "'none'", 'frame-ancestors': "'none'", 'navigate-to': "'none'", 'report-to': 'csp', 'require-trusted-types-for': "'script'", 'trusted-types': "'none'", 'upgrade-insecure-requests': '' }, contentTypeOptions: { action: 'nosniff' }, crossOriginEmbedderPolicy: { policy: 'require-corp' }, crossOriginOpenerPolicy: { policy: 'same-origin' }, crossOriginResourcePolicy: { policy: 'same-origin' }, dnsPrefetchControl: { allow: false }, downloadOptions: { action: 'noopen' }, frameOptions: { action: 'deny' }, originAgentCluster: {}, permissionsPolicy: { accelerometer: '', 'ambient-light-sensor': '', autoplay: '', battery: '', camera: '', 'cross-origin-isolated': '', 'display-capture': '', 'document-domain': '', 'encrypted-media': '', 'execution-while-not-rendered': '', 'execution-while-out-of-viewport': '', fullscreen: '', geolocation: '', gyroscope: '', 'keyboard-map': '', magnetometer: '', microphone: '', midi: '', 'navigation-override': '', payment: '', 'picture-in-picture': '', 'publickey-credentials-get': '', 'screen-wake-lock': '', 'sync-xhr': '', usb: '', 'web-share': '', 'xr-spatial-tracking': '', 'clipboard-read': '', 'clipboard-write': '', gamepad: '', 'speaker-selection': '', 'conversion-measurement': '', 'focus-without-user-activation': '', hid: '', 'idle-detection': '', 'interest-cohort': '', serial: '', 'sync-script': '', 'trust-token-redemption': '', 'window-placement': '', 'vertical-scroll': '' }, permittedCrossDomainPolicies: { policy: 'none' }, poweredBy: { server: '' }, referrerPolicy: { policy: 'no-referrer' }, reportTo: { maxAge: 365 * 24 * 60 * 60, default: '', includeSubdomains: true, csp: '', staple: '', xss: '' }, strictTransportSecurity: { maxAge: 180 * 24 * 60 * 60, includeSubDomains: true, preload: true }, xssProtection: { reportTo: 'xss' } }; const helmet = {}; const helmetHtmlOnly = {}; helmetHtmlOnly.contentSecurityPolicy = (headers, config)=>{ let header = Object.keys(config).map((policy)=>config[policy] ? `${policy} ${config[policy]}` : '').filter((str)=>str).join('; '); if (config.sandbox === '') { header += '; sandbox'; } if (config['upgrade-insecure-requests'] === '') { header += '; upgrade-insecure-requests'; } headers['Content-Security-Policy'] = header; }; helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config)=>{ headers['Cross-Origin-Embedder-Policy'] = config.policy; }; helmetHtmlOnly.crossOriginOpenerPolicy = (headers, config)=>{ headers['Cross-Origin-Opener-Policy'] = config.policy; }; helmetHtmlOnly.crossOriginResourcePolicy = (headers, config)=>{ headers['Cross-Origin-Resource-Policy'] = config.policy; }; helmetHtmlOnly.permissionsPolicy = (headers, config)=>{ headers['Permissions-Policy'] = Object.keys(config).map((policy)=>`${policy}=${config[policy] === '*' ? '*' : '(' + config[policy] + ')'}`).join(', '); }; helmet.originAgentCluster = (headers, config)=>{ headers['Origin-Agent-Cluster'] = '?1'; }; helmet.referrerPolicy = (headers, config)=>{ headers['Referrer-Policy'] = config.policy; }; helmetHtmlOnly.reportTo = (headers, config)=>{ headers['Report-To'] = Object.keys(config).map((group)=>{ const includeSubdomains = group === 'default' ? `, "include_subdomains": ${config.includeSubdomains}` : ''; return config[group] && group !== 'includeSubdomains' ? `{ "group": "default", "max_age": ${config.maxAge}, "endpoints": [ { "url": "${config[group]}" } ]${includeSubdomains} }` : ''; }).filter((str)=>str).join(', '); }; helmet.strictTransportSecurity = (headers, config)=>{ let header = 'max-age=' + Math.round(config.maxAge); if (config.includeSubDomains) { header += '; includeSubDomains'; } if (config.preload) { header += '; preload'; } headers['Strict-Transport-Security'] = header; }; helmet.contentTypeOptions = (headers, config)=>{ headers['X-Content-Type-Options'] = config.action; }; helmet.dnsPrefetchControl = (headers, config)=>{ headers['X-DNS-Prefetch-Control'] = config.allow ? 'on' : 'off'; }; helmet.downloadOptions = (headers, config)=>{ headers['X-Download-Options'] = config.action; }; helmetHtmlOnly.frameOptions = (headers, config)=>{ headers['X-Frame-Options'] = config.action.toUpperCase(); }; helmet.permittedCrossDomainPolicies = (headers, config)=>{ headers['X-Permitted-Cross-Domain-Policies'] = config.policy; }; helmet.poweredBy = (headers, config)=>{ if (config.server) { headers['X-Powered-By'] = config.server; } else { delete headers.Server; delete headers['X-Powered-By']; } }; helmetHtmlOnly.xssProtection = (headers, config)=>{ let header = '1; mode=block'; if (config.reportTo) { header += '; report=' + config.reportTo; } headers['X-XSS-Protection'] = header; }; const httpSecurityHeadersMiddleware = (opts = {})=>{ const options = { ...defaults, ...opts }; const httpSecurityHeadersMiddlewareAfter = async (request)=>{ (0, _util.normalizeHttpResponse)(request); Object.keys(helmet).forEach((key)=>{ if (!options[key]) return; const config = { ...defaults[key], ...options[key] }; helmet[key](request.response.headers, config); }); if (request.response.headers['Content-Type']?.includes('text/html')) { Object.keys(helmetHtmlOnly).forEach((key)=>{ if (!options[key]) return; const config = { ...defaults[key], ...options[key] }; helmetHtmlOnly[key](request.response.headers, config); }); } }; const httpSecurityHeadersMiddlewareOnError = async (request)=>{ if (request.response === undefined) return; httpSecurityHeadersMiddlewareAfter(request); }; return { after: httpSecurityHeadersMiddlewareAfter, onError: httpSecurityHeadersMiddlewareOnError }; }; const _default = httpSecurityHeadersMiddleware;