UNPKG

next-secure-headers

Version:

Sets secure response headers for Next.js.

github.com/jagaapple/next-secure-headers

jagaapple/next-secure-headers

72 lines (71 loc) 3.4 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
/// <reference types="node" /> import * as React from "react"; import { ServerResponse } from "http"; import type { ContentSecurityPolicyOption, ExpectCTOption, ForceHTTPSRedirectOption, FrameGuardOption, NoopenOption, NosniffOption, ReferrerPolicyOption, XSSProtectionOption } from "./rules"; declare type Options = Partial<{ /** * This is to set "Content-Security-Policy" or "Content-Security-Policy-Report-Only" header and it's to prevent to load and * execute non-allowed resources. * If you give true to `reportOnly` , this sets "Content-Security-Policy-Report-Only" to value instead of * "Content-Security-Policy". */ contentSecurityPolicy: ContentSecurityPolicyOption; /** * This is to set "Expect-CT" header and it's to tell browsers to expect Certificate Transparency. */ expectCT: ExpectCTOption; /** * This is to set "Strict-Transport-Security (HSTS)" header and it's to prevent man-in-the-middle attacks during redirects from HTTP to HTTPS. * To enable this is highly recommended if you use HTTPS (SSL) on your servers. * By default, this sets `max-age` to two years (63,072,000 seconds). * @default [true, { maxAge: 63072000 }] */ forceHTTPSRedirect: ForceHTTPSRedirectOption; /** * This is to set "X-Frame-Options" header and it's to prevent clickjacking attacks. * `"deny"` is highly recommended if you don't use frame elements such as `iframe` . * @default "deny" */ frameGuard: FrameGuardOption; /** * This is to set "X-Download-Options" header and it's to prevent to open downloaded files automatically for IE8+ (MIME Handling attacks). * @default "noopen" */ noopen: NoopenOption; /** * This is to set "X-Content-Type-Options" header and it's to prevent MIME Sniffing attacks. * @default "nosniff" */ nosniff: NosniffOption; /** * This is to set "Referrer-Policy" header and it's to prevent to be got referrer by other servers. * You can specify one or more values for legacy browsers which does not support a specific value. */ referrerPolicy: ReferrerPolicyOption; /** * This is to set "X-XSS-Protection" header and it's to prevent XSS attacks. * If you specify `"sanitize"` , this sets the header to `"1"` and browsers will sanitize unsafe area. * If you specify `"block-rendering"` , this sets the header to `"1; mode=block"` and browsers will block rendering a page. * "X-XSS-Protection" blocks many XSS attacks, but Content Security Policy is recommended to use compared to this. * @default "sanitize" */ xssProtection: XSSProtectionOption; }>; export declare const createHeadersObject: (options?: Options) => Record<string, string>; export declare const createSecureHeaders: (options?: Options) => { key: string; value: string; }[]; declare type NextPageContext = { res?: ServerResponse; }; declare type NextAppContext = { ctx?: NextPageContext; }; declare type NextComponent<P = any, IP = {}> = React.ComponentType<P> & { getInitialProps?(context: NextPageContext & NextAppContext): IP | Promise<IP>; }; export declare const withSecureHeaders: (options?: Options) => (ChildComponent: NextComponent) => React.FunctionComponent<any> & { getInitialProps?(context: NextPageContext & NextAppContext): {} | Promise<{}>; }; export {};