feat(http-security-headers): support report only mode
naorpeled committed Oct 26, 2024
1 parent f50d235 commit 4670e8a
Showing 4 changed files with 38 additions and 4 deletions.
25 changes: 25 additions & 0 deletions packages/http-security-headers/__tests__/index.js
Expand Up @@ -268,3 +268,28 @@ test('It should apply security headers if error is handled', async (t) => {
equal(response.headers['X-Frame-Options'], undefined)
equal(response.headers['X-XSS-Protection'], undefined)
})

test('It should support report only mode', async (t) => {
const handler = middy(() => createHtmlObjectResponse())

handler.use(
httpSecurityHeaders({
contentSecurityPolicy: {
reportOnly: true
}
})
)

const event = {
httpMethod: 'GET'
}

const response = await handler(event, defaultContext)

equal(response.statusCode, 200)
equal(response.headers['Content-Security-Policy'], undefined)
equal(
response.headers['Content-Security-Policy-Report-Only'],
"default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; navigate-to 'none'; report-to csp; require-trusted-types-for 'script'; trusted-types 'none'; sandbox; upgrade-insecure-requests"
)
})
4 changes: 3 additions & 1 deletion packages/http-security-headers/index.d.ts
Expand Up @@ -28,7 +28,9 @@ interface Options {
xssProtection?: {
reportUri?: string
}
contentSecurityPolicy?: Record<string, string>
contentSecurityPolicy?: Record<string, string> & {
reportOnly?: boolean
}
crossOriginEmbedderPolicy?: {
policy?: string
}
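Review bot: The intersection `Record<string, string> & { reportOnly?: boolean }` on the new option lines is unlikely to accept the value this commit wants to allow: an object literal assigned to an intersection has to satisfy every constituent, so `reportOnly: true` is also checked against the `string` index signature and I would expect TypeScript to reject it with "Type 'boolean' is not assignable to type 'string'" — worth confirming against the tsd run rather than trusting the intersection. If it does fail, the choices are to widen the map (`Record<string, string | boolean>`, at the cost of type safety on directive values) or to move the flag out of the directive map into a sibling option, which would also make the `!== 'reportOnly'` filter in index.js unnecessary. Either way the flag needs a doc comment, e.g. `/** Emit Content-Security-Policy-Report-Only instead of Content-Security-Policy: the policy is then reported via report-to/report-uri but not enforced. Default false. */`, since nothing in the typings currently says what it does.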
10 changes: 8 additions & 2 deletions packages/http-security-headers/index.js
Expand Up @@ -34,7 +34,8 @@ const defaults = {
// Other directives
'require-trusted-types-for': "'script'",
'trusted-types': "'none'",
'upgrade-insecure-requests': ''
'upgrade-insecure-requests': '',
reportOnly: false
},
contentTypeOptions: {
action: 'nosniff'
Expand Down Expand Up @@ -138,6 +139,7 @@ const helmetHtmlOnly = {}
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
let header = Object.keys(config)
.filter((policy) => policy !== 'reportOnly')
.map((policy) => (config[policy] ? `${policy} ${config[policy]}` : ''))
.filter((str) => str)
.join('; ')
Expand All @@ -147,7 +149,11 @@ helmetHtmlOnly.contentSecurityPolicy = (headers, config) => {
if (config['upgrade-insecure-requests'] === '') {
header += '; upgrade-insecure-requests'
}
headers['Content-Security-Policy'] = header

const cspHeaderName = config.reportOnly
? 'Content-Security-Policy-Report-Only'
: 'Content-Security-Policy'
headers[cspHeaderName] = header
}
// crossdomain - N/A - for Adobe products
helmetHtmlOnly.crossOriginEmbedderPolicy = (headers, config) => {
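Review bot: The `cspHeaderName` switch at the end of contentSecurityPolicy sends the full directive set unchanged under `Content-Security-Policy-Report-Only`, but browsers do not honour every directive in that header — `sandbox` is explicitly unsupported in Report-Only mode, and I believe the same is true of `upgrade-insecure-requests` — so the shipped defaults (which include both) silently lose part of their coverage when `reportOnly` is set, and nothing warns the user. A Report-Only policy is also inert unless violation reports can actually be delivered: the default `report-to csp` only works if a matching `Reporting-Endpoints`/`Report-To` group is served, which this middleware does not add, so enabling `reportOnly` without a reporting setup yields a header that neither enforces nor reports. I would put a comment above the ternary along the lines of `// Report-Only: nothing is enforced; violations are only sent to the configured report-to/report-uri endpoint, and browsers ignore sandbox (and upgrade-insecure-requests) in this mode.` and mirror it in the README/option docs. Since `reportOnly` lives inside the directive map, the `!== 'reportOnly'` filter in the first hunk is the only thing keeping it out of the header value, so a one-line comment there marking it as a mode flag rather than a directive would help whoever adds the next non-directive key. The body of contentSecurityPolicy begins above the second hunk.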
3 changes: 2 additions & 1 deletion packages/http-security-headers/index.test-d.ts
Expand Up @@ -37,7 +37,8 @@ middleware = httpSecurityHeaders({
},
contentSecurityPolicy: {
'default-src': "'none'",
sandbox: ''
sandbox: '',
reportOnly: true
},
crossOriginEmbedderPolicy: {
policy: 'require-corp'
