Skip to content
Snippets Groups Projects
Select Git revision
  • 86b701f66636999edf4cabdfe8b52a96637cb667
  • main default protected
  • develop
  • 2.3.1
  • 2.3.0
  • 2.2.3
  • 2.2.2
7 results

index.js

Blame
  • index.js 4.50 KiB
    
    module.exports = function(options = {}) {
      let security = {}
      security.options = options
    
    
      security.setHeaders = function(req, res, next) {
          if(!security.options) options = {}
          else options = security.options
    
    
          if (typeof options.CacheControl === 'undefined') {
            options.CacheControl = 'no-cache, no-store, must-revalidate'
          }
          if (options.CacheControl !== false) {
            res.set('Cache-Control', options.CacheControl)
          }
    
          if (typeof options.Pragma === 'undefined') {
            options.Pragma = 'no-cache'
          }
          if (options.Pragma !== false) {
            res.set('Pragma', options.Pragma)
          }
    
          if (typeof options.Expires === 'undefined') {
            options.Expires = '0'
          }
          if (options.Expires !== false) {
            res.set('Expires', options.Expires)
          }
    
          if (typeof options.ContentSecurityPolicy === 'undefined') {
            options.ContentSecurityPolicy = 'default-src \'self\'; frame-ancestors \'none\''
          }
          if (options.ContentSecurityPolicy !== false) {
            res.set('Content-Security-Policy', options.ContentSecurityPolicy )
          }
    
          if (typeof options.XXSSProtection === 'undefined') {
            options.XXSSProtection = '1; mode=block'
          }
          if (options.XXSSProtection !== false) {
            res.set('X-XSS-Protection', options.XXSSProtection)
          }
    
          if (typeof options.XDNSPrefetchControl === 'undefined') {
            options.XDNSPrefetchControl = 'off'
          }
          if (options.XDNSPrefetchControl !== false) {
            res.set('X-DNS-Prefetch-Control', options.XDNSPrefetchControl)
          }
    
          if (typeof options.ExpectCT === 'undefined') {
            options.ExpectCT = 'enforce; max-age=30; report-uri="/_report"'
          }
          if (options.ExpectCT !== false) {
            res.set('Expect-CT', options.ExpectCT)
          }
    
          if (typeof options.XFrameOptions === 'undefined') {
            options.XFrameOptions = 'deny'
          }
          if (options.XFrameOptions !== false) {
            res.set('X-Frame-Options', options.XFrameOptions)
          }
    
          if (typeof options.XPoweredBy === 'undefined') {
            options.XPoweredBy = true
          }
          if (options.XPoweredBy !== false) {
            res.removeHeader('X-Powered-By')
          }
    
          if (typeof options.StrictTransportSecurity === 'undefined') {
            options.StrictTransportSecurity = 'max-age=30'
          }
          if (options.StrictTransportSecurity !== false) {
            res.set('Strict-Transport-Security', options.StrictTransportSecurity)
          }
    
          if (typeof options.XDownloadOptions === 'undefined') {
            options.XDownloadOptions = 'noopen'
          }
          if (options.XDownloadOptions !== false) {
            res.set('X-Download-Options', options.XDownloadOptions)
          }
    
          if (typeof options.XContentTypeOptions === 'undefined') {
            options.XContentTypeOptions = 'nosniff'
          }
          if (options.XContentTypeOptions !== false) {
            res.set('X-Content-Type-Options', options.XContentTypeOptions )
          }
    
          if (typeof options.XPermittedCrossDomainPolicies === 'undefined') {
            options.XPermittedCrossDomainPolicies = 'none'
          }
          if (options.XPermittedCrossDomainPolicies !== false) {
            res.set('X-Permitted-Cross-Domain-Policies', options.XPermittedCrossDomainPolicies)
          }
    
          if (typeof options.ReferrerPolicy === 'undefined') {
            options.ReferrerPolicy = 'no-referrer'
          }
          if (options.ReferrerPolicy !== false) {
            res.set('Referrer-Policy', options.ReferrerPolicy)
          }
    
    
          if (typeof options.allowedMethods === 'undefined') {
            options.allowedMethods = ['GET', 'POST', 'PUT', 'DELETE']
          }
          if (!options.allowedMethods.includes(req.method)) {
            res.status(405).end()
          }
    
          if (typeof options.onlyDefinedRoutes === 'undefined') {
            options.onlyDefinedRoutes = false
          }
          if (options.onlyDefinedRoutes) {
            if (!options.definedRoutes) {
              options.definedRoutes = []
            }
            let isAllowed = false;
            for (const allowedRoute of options.definedRoutes) {
              if (allowedRoute.startsWith('REGEX:')) {
                let regexString = allowedRoute.split('REGEX:')[1];
                let regexp = new RegExp(regexString);
                if (regexp.test(req.originalUrl)) {
                  isAllowed= true;
                }
              } else {
                if (req.originalUrl === allowedRoute) {
                  isAllowed = true;
                }
              }
            }
            if (!isAllowed) { 
              res.status(405).end()
            }
          }
    
          next()
        }
    
      return security;
    }