
nestjs-security-module


A plug-and-play NestJS security module with CORS, Helmet, rate limiting, audit logging, CSP, XSS sanitization, and more.

"use strict"; var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) { var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d; if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc); else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r; return c > 3 && r && Object.defineProperty(target, key, r), r; }; var SecurityModule_1; Object.defineProperty(exports, "__esModule", { value: true }); exports.SecurityModule = void 0; const common_1 = require("@nestjs/common"); const helmet_1 = require("helmet"); const audit_log_middleware_1 = require("./middlewares/audit-log.middleware"); const rate_limit_middleware_1 = require("./middlewares/rate-limit.middleware"); let SecurityModule = class SecurityModule { static { SecurityModule_1 = this; } static options; static enableCors = false; static corsOptions = undefined; static sanitizeEnabled = false; static forRoot(options) { this.options = options; this.sanitizeEnabled = !!options.sanitize; const imports = []; const providers = []; return { module: SecurityModule_1, imports, providers, }; } static register(options) { this.options = options; this.sanitizeEnabled = !!options.sanitize; this.enableCors = !!options.cors; this.corsOptions = typeof options.cors === 'object' ? options.cors : undefined; return { module: SecurityModule_1, }; } configure(consumer) { const options = SecurityModule_1.options; if (options.helmet !== false) { consumer.apply((0, helmet_1.default)()).forRoutes('*'); } if (options.cors) { SecurityModule_1.enableCors = true; SecurityModule_1.corsOptions = typeof options.cors === 'object' ? 
options.cors : undefined; } if (options.rateLimit) { consumer .apply((0, rate_limit_middleware_1.createRateLimitMiddleware)(options.rateLimit)) .forRoutes('*'); } if (options.auditLog) { consumer.apply((0, audit_log_middleware_1.createAuditLogMiddleware)()).forRoutes('*'); } if (options.csp) { const cspConfig = typeof options.csp === 'object' ? options.csp : { useDefaults: true, directives: { 'default-src': ["'self'"], 'script-src': ["'self'"], 'style-src': ["'self'", "'unsafe-inline'"], 'img-src': ["'self'", 'data:'], }, }; consumer.apply(helmet_1.default.contentSecurityPolicy(cspConfig)).forRoutes('*'); } if (options.xFrameOptions) { const frameValue = typeof options.xFrameOptions === 'string' ? options.xFrameOptions.toLowerCase() : 'sameorigin'; consumer .apply(helmet_1.default.frameguard({ action: frameValue, })) .forRoutes('*'); } if (options.referrerPolicy) { const policy = typeof options.referrerPolicy === 'object' ? options.referrerPolicy : { policy: 'no-referrer' }; consumer.apply(helmet_1.default.referrerPolicy(policy)).forRoutes('*'); } if (options.hsts) { const hstsConfig = typeof options.hsts === 'object' ? options.hsts : { maxAge: 60 * 60 * 24 * 180 }; consumer.apply(helmet_1.default.hsts(hstsConfig)).forRoutes('*'); } if (options.xContentTypeOptions !== false) { consumer.apply(helmet_1.default.noSniff()).forRoutes('*'); } if (options.expectCt) { const expectCtConfig = typeof options.expectCt === 'object' ? options.expectCt : { maxAge: 86400, enforce: true }; consumer .apply((req, res, next) => { res.setHeader('Expect-CT', `max-age=${expectCtConfig.maxAge}${expectCtConfig.enforce ? 
', enforce' : ''}`); next(); }) .forRoutes('*'); } if (options.permissionsPolicy) { const policy = Object.entries(options.permissionsPolicy) .map(([key, val]) => `${key}=(${val.join(' ')})`) .join(', '); consumer .apply((req, res, next) => { res.setHeader('Permissions-Policy', policy); next(); }) .forRoutes('*'); } if (options.crossOriginEmbedderPolicy !== false) { const coep = typeof options.crossOriginEmbedderPolicy === 'object' ? options.crossOriginEmbedderPolicy : {}; consumer.apply(helmet_1.default.crossOriginEmbedderPolicy(coep)).forRoutes('*'); } } }; exports.SecurityModule = SecurityModule; exports.SecurityModule = SecurityModule = SecurityModule_1 = __decorate([ (0, common_1.Module)({}) ], SecurityModule); //# sourceMappingURL=security.module.js.map