UNPKG

hono

Version:

Web framework built on Web Standards

hono.dev

honojs/hono

100 lines (99 loc) 5.05 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
/** * @module * Secure Headers Middleware for Hono. */ import type { Context } from '../../context'; import type { MiddlewareHandler } from '../../types'; export type SecureHeadersVariables = { secureHeadersNonce?: string; }; export type ContentSecurityPolicyOptionHandler = (ctx: Context, directive: string) => string; type ContentSecurityPolicyOptionValue = (string | ContentSecurityPolicyOptionHandler)[]; interface ContentSecurityPolicyOptions { defaultSrc?: ContentSecurityPolicyOptionValue; baseUri?: ContentSecurityPolicyOptionValue; childSrc?: ContentSecurityPolicyOptionValue; connectSrc?: ContentSecurityPolicyOptionValue; fontSrc?: ContentSecurityPolicyOptionValue; formAction?: ContentSecurityPolicyOptionValue; frameAncestors?: ContentSecurityPolicyOptionValue; frameSrc?: ContentSecurityPolicyOptionValue; imgSrc?: ContentSecurityPolicyOptionValue; manifestSrc?: ContentSecurityPolicyOptionValue; mediaSrc?: ContentSecurityPolicyOptionValue; objectSrc?: ContentSecurityPolicyOptionValue; reportTo?: string; sandbox?: ContentSecurityPolicyOptionValue; scriptSrc?: ContentSecurityPolicyOptionValue; scriptSrcAttr?: ContentSecurityPolicyOptionValue; scriptSrcElem?: ContentSecurityPolicyOptionValue; styleSrc?: ContentSecurityPolicyOptionValue; styleSrcAttr?: ContentSecurityPolicyOptionValue; styleSrcElem?: ContentSecurityPolicyOptionValue; upgradeInsecureRequests?: ContentSecurityPolicyOptionValue; workerSrc?: ContentSecurityPolicyOptionValue; } interface ReportToOptions { group: string; max_age: number; endpoints: ReportToEndpoint[]; } interface ReportToEndpoint { url: string; } interface ReportingEndpointOptions { name: string; url: string; } type overridableHeader = boolean | string; interface SecureHeadersOptions { contentSecurityPolicy?: ContentSecurityPolicyOptions; crossOriginEmbedderPolicy?: overridableHeader; crossOriginResourcePolicy?: overridableHeader; crossOriginOpenerPolicy?: overridableHeader; originAgentCluster?: overridableHeader; referrerPolicy?: overridableHeader; reportingEndpoints?: ReportingEndpointOptions[]; reportTo?: ReportToOptions[]; strictTransportSecurity?: overridableHeader; xContentTypeOptions?: overridableHeader; xDnsPrefetchControl?: overridableHeader; xDownloadOptions?: overridableHeader; xFrameOptions?: overridableHeader; xPermittedCrossDomainPolicies?: overridableHeader; xXssProtection?: overridableHeader; removePoweredBy?: boolean; } export declare const NONCE: ContentSecurityPolicyOptionHandler; /** * Secure Headers Middleware for Hono. * * @see {@link https://hono.dev/docs/middleware/builtin/secure-headers} * * @param {Partial<SecureHeadersOptions>} [customOptions] - The options for the secure headers middleware. * @param {ContentSecurityPolicyOptions} [customOptions.contentSecurityPolicy] - Settings for the Content-Security-Policy header. * @param {overridableHeader} [customOptions.crossOriginEmbedderPolicy=false] - Settings for the Cross-Origin-Embedder-Policy header. * @param {overridableHeader} [customOptions.crossOriginResourcePolicy=true] - Settings for the Cross-Origin-Resource-Policy header. * @param {overridableHeader} [customOptions.crossOriginOpenerPolicy=true] - Settings for the Cross-Origin-Opener-Policy header. * @param {overridableHeader} [customOptions.originAgentCluster=true] - Settings for the Origin-Agent-Cluster header. * @param {overridableHeader} [customOptions.referrerPolicy=true] - Settings for the Referrer-Policy header. * @param {ReportingEndpointOptions[]} [customOptions.reportingEndpoints] - Settings for the Reporting-Endpoints header. * @param {ReportToOptions[]} [customOptions.reportTo] - Settings for the Report-To header. * @param {overridableHeader} [customOptions.strictTransportSecurity=true] - Settings for the Strict-Transport-Security header. * @param {overridableHeader} [customOptions.xContentTypeOptions=true] - Settings for the X-Content-Type-Options header. * @param {overridableHeader} [customOptions.xDnsPrefetchControl=true] - Settings for the X-DNS-Prefetch-Control header. * @param {overridableHeader} [customOptions.xDownloadOptions=true] - Settings for the X-Download-Options header. * @param {overridableHeader} [customOptions.xFrameOptions=true] - Settings for the X-Frame-Options header. * @param {overridableHeader} [customOptions.xPermittedCrossDomainPolicies=true] - Settings for the X-Permitted-Cross-Domain-Policies header. * @param {overridableHeader} [customOptions.xXssProtection=true] - Settings for the X-XSS-Protection header. * @param {boolean} [customOptions.removePoweredBy=true] - Settings for remove X-Powered-By header. * @returns {MiddlewareHandler} The middleware handler function. * * @example * ```ts * const app = new Hono() * app.use(secureHeaders()) * ``` */ export declare const secureHeaders: (customOptions?: SecureHeadersOptions) => MiddlewareHandler; export {};