@middy/http-security-headers
Version:
Applies best practice security headers to responses. It's a simplified port of HelmetJS
66 lines (60 loc) • 1.45 kB
TypeScript
// Copyright 2017 - 2026 will Farrell, Luciano Mammino, and Middy contributors.
// SPDX-License-Identifier: MIT
import type middy from "@middy/core";
export interface Options {
dnsPrefetchControl?: {
allow?: boolean;
};
frameOptions?: {
action?: string;
};
poweredBy?: boolean;
strictTransportSecurity?: {
maxAge?: number;
includeSubDomains?: boolean;
preload?: boolean;
};
downloadOptions?: {
action?: string;
};
contentTypeOptions?: {
action?: string;
};
originAgentCluster?: boolean;
referrerPolicy?: {
policy?: string;
};
xssProtection?: boolean;
contentSecurityPolicy?: Record<string, string>;
contentSecurityPolicyReportOnly?: boolean;
crossOriginEmbedderPolicy?: {
policy?: string;
};
crossOriginOpenerPolicy?: {
policy?: string;
};
crossOriginResourcePolicy?: {
policy?: string;
};
permissionsPolicy?: Record<string, string>;
reportingEndpoints?: Record<string, string>;
permittedCrossDomainPolicies?: {
policy?: string;
};
reportTo?: {
maxAge?: number;
default?: string;
includeSubdomains?: boolean;
csp?: string;
staple?: string;
xss?: string;
};
}
type WithBoolValues<T> = { [K in keyof T]: T[K] | boolean };
declare function httpSecurityHeaders(
options?: WithBoolValues<Options>,
): middy.MiddlewareObj<unknown, unknown, Error>;
export declare function httpSecurityHeadersValidateOptions(
options?: Record<string, unknown>,
): void;
export default httpSecurityHeaders;