/**
* The secure headers middleware simplifies the setup of HTTP security response headers. It is inspired in part by Hono's `secureHeaders` middleware.
*
* ```ts
* import { unstable_createSecureHeadersMiddleware } from "remix-utils/middleware/secure-headers";
*
* export const [secureHeadersMiddleware] =
* unstable_createSecureHeadersMiddleware();
* ```
*
* To use it, add it to the `unstable_middleware` array in your `app/root.tsx` file (the snippet below assumes the middleware was created in `app/middleware/secure-headers.server.ts`).
*
* ```ts
* import { secureHeadersMiddleware } from "~/middleware/secure-headers.server";
* export const unstable_middleware = [secureHeadersMiddleware];
* ```
*
* Now every response will carry the configured security headers.
*
* The secure headers middleware can be customized by passing an options object to the `unstable_createSecureHeadersMiddleware` function.
*
* The options let you configure each header's value; the middleware accepts the same options as the Hono Secure Headers Middleware. Headers with no documented default (notably `Content-Security-Policy`, see the parameter list below) are presumably only emitted when configured, so review the CSP and `Strict-Transport-Security` settings before deploying.
* @author [Floryan Simar](https://github.com/TheYoxy)
* @module Middleware/Secure Headers
* @see {@link https://hono.dev/docs/middleware/builtin/secure-headers | Hono Secure Headers Middleware}
*/
import type { unstable_MiddlewareFunction } from "react-router";
/**
 * Creates the Secure Headers middleware for React Router.
 *
 * The return value is a ONE-ELEMENT TUPLE, not a bare function: destructure it
 * (`const [secureHeadersMiddleware] = unstable_createSecureHeadersMiddleware()`)
 * before adding it to `unstable_middleware`.
 *
 * Defaults listed below are the documented ones. For `overridableHeader`
 * options, `true` presumably keeps the middleware's built-in header value,
 * `false` presumably omits the header, and a string is presumably emitted
 * verbatim as the header value — confirm against the runtime before relying
 * on it, and never build such a string from request data.
 *
 * Security notes for reviewers:
 * - `contentSecurityPolicy` has no documented default, so a CSP is likely only
 *   sent when configured here. A policy that omits `baseUri`, `objectSrc` and
 *   `frameAncestors` leaves well-known injection and clickjacking paths open.
 * - `strictTransportSecurity` is on by default. Browsers cache HSTS, so check
 *   the emitted max-age before the first deploy on a host that must still
 *   answer plain HTTP.
 * - `xXssProtection` controls the deprecated `X-XSS-Protection` header; current
 *   guidance is to send `0` (disable the legacy filter) or omit it — confirm
 *   what the default emits.
 * - `crossOriginEmbedderPolicy` is off by default, presumably because enabling
 *   it requires every cross-origin subresource to opt in via CORP/CORS.
 *
 * @param [customOptions] - Per-header options; every field is optional.
 * @param [customOptions.contentSecurityPolicy] - Directives for the Content-Security-Policy header (no documented default).
 * @param [customOptions.contentSecurityPolicyReportOnly] - Directives for the Content-Security-Policy-Report-Only header (reported, not enforced).
 * @param [customOptions.crossOriginEmbedderPolicy=false] - Cross-Origin-Embedder-Policy header.
 * @param [customOptions.crossOriginResourcePolicy=true] - Cross-Origin-Resource-Policy header.
 * @param [customOptions.crossOriginOpenerPolicy=true] - Cross-Origin-Opener-Policy header.
 * @param [customOptions.originAgentCluster=true] - Origin-Agent-Cluster header.
 * @param [customOptions.referrerPolicy=true] - Referrer-Policy header.
 * @param [customOptions.reportingEndpoints] - Entries for the Reporting-Endpoints header (current Reporting API).
 * @param [customOptions.reportTo] - Entries for the legacy Report-To header.
 * @param [customOptions.strictTransportSecurity=true] - Strict-Transport-Security header.
 * @param [customOptions.xContentTypeOptions=true] - X-Content-Type-Options header.
 * @param [customOptions.xDnsPrefetchControl=true] - X-DNS-Prefetch-Control header.
 * @param [customOptions.xDownloadOptions=true] - X-Download-Options header.
 * @param [customOptions.xFrameOptions=true] - X-Frame-Options header (keep consistent with CSP `frameAncestors`).
 * @param [customOptions.xPermittedCrossDomainPolicies=true] - X-Permitted-Cross-Domain-Policies header.
 * @param [customOptions.xXssProtection=true] - X-XSS-Protection header (deprecated, see notes above).
 * @param [customOptions.removePoweredBy=true] - Whether to strip the X-Powered-By header so the framework is not advertised.
 * @param [customOptions.permissionsPolicy] - Directives for the Permissions-Policy header (no documented default).
 * @returns A one-element tuple holding the middleware function.
 */
export declare function unstable_createSecureHeadersMiddleware(customOptions?: unstable_createSecureHeadersMiddleware.SecureHeadersOptions): unstable_createSecureHeadersMiddleware.ReturnType;
export declare namespace unstable_createSecureHeadersMiddleware {
  /**
   * Per-header configuration accepted by `unstable_createSecureHeadersMiddleware`.
   *
   * Every field is optional; an omitted field keeps the middleware's default for
   * that header (the documented defaults are recorded on the factory's JSDoc).
   * For `overridableHeader` fields, `true`/`false` presumably toggle the
   * built-in value and a string is presumably emitted verbatim — confirm
   * against the runtime.
   */
  interface SecureHeadersOptions {
    // -- Content-Security-Policy / Permissions-Policy ------------------------
    /** Enforced policy. No default is documented, so presumably nothing is sent until this is set. */
    contentSecurityPolicy?: ContentSecurityPolicyOptions;
    /** Report-only policy: violations are reported, not blocked. Use it to stage a policy; pair with `reportingEndpoints` so reports actually land somewhere. */
    contentSecurityPolicyReportOnly?: ContentSecurityPolicyOptions;
    /** Directives for `Permissions-Policy`; features left out stay unrestricted. */
    permissionsPolicy?: PermissionsPolicyOptions;

    // -- Cross-origin isolation ----------------------------------------------
    /** `Cross-Origin-Embedder-Policy`. Documented default: `false` — presumably because enabling it requires every cross-origin subresource to opt in via CORP/CORS. */
    crossOriginEmbedderPolicy?: overridableHeader;
    /** `Cross-Origin-Opener-Policy`. Documented default: `true`. */
    crossOriginOpenerPolicy?: overridableHeader;
    /** `Cross-Origin-Resource-Policy`. Documented default: `true`. */
    crossOriginResourcePolicy?: overridableHeader;
    /** `Origin-Agent-Cluster`. Documented default: `true`. */
    originAgentCluster?: overridableHeader;

    // -- Transport, framing and content handling ------------------------------
    /** `Strict-Transport-Security`. Documented default: `true`. Browsers cache HSTS, so review the emitted max-age before the first deploy. */
    strictTransportSecurity?: overridableHeader;
    /** `X-Frame-Options`. Documented default: `true`. CSP `frameAncestors` is the modern equivalent; keep the two consistent. */
    xFrameOptions?: overridableHeader;
    /** `X-Content-Type-Options`. Documented default: `true`. */
    xContentTypeOptions?: overridableHeader;
    /** `X-Download-Options`. Documented default: `true`. */
    xDownloadOptions?: overridableHeader;
    /** `X-Permitted-Cross-Domain-Policies`. Documented default: `true`. */
    xPermittedCrossDomainPolicies?: overridableHeader;
    /** `X-DNS-Prefetch-Control`. Documented default: `true`. */
    xDnsPrefetchControl?: overridableHeader;
    /** `X-XSS-Protection`. Documented default: `true`. The header is deprecated; current guidance is `0` (disable the legacy filter) or omission — confirm what the default emits. */
    xXssProtection?: overridableHeader;
    /** `Referrer-Policy`. Documented default: `true`. */
    referrerPolicy?: overridableHeader;

    // -- Reporting -------------------------------------------------------------
    /** Entries for `Reporting-Endpoints` (current Reporting API). */
    reportingEndpoints?: ReportingEndpointOptions[];
    /** Entries for the legacy `Report-To` header. */
    reportTo?: ReportToOptions[];

    // -- Fingerprinting --------------------------------------------------------
    /** Strip `X-Powered-By` so the framework is not advertised. Documented default: `true`. */
    removePoweredBy?: boolean;
  }

  /**
   * What the factory returns: a ONE-ELEMENT tuple holding the middleware, so
   * callers destructure it. Note that this alias shadows TypeScript's global
   * `ReturnType<T>` for code written inside this namespace.
   */
  type ReturnType = [unstable_MiddlewareFunction<Response>];

  /**
   * Minimal console-compatible logger shape. No declaration in this file takes
   * a `Logger`; presumably consumed by the runtime — confirm before relying on it.
   */
  interface Logger {
    error(...message: string[]): void;
    warn(...message: string[]): void;
    info(...message: string[]): void;
    debug(...message: string[]): void;
  }
}
/**
 * Any feature name accepted as a `permissionsPolicy` key, spanning the
 * standardized, proposed and experimental lists below. Keys are camelCase and
 * are presumably converted to the header's kebab-case directive names by the
 * runtime — confirm before relying on a newly added entry.
 */
type PermissionsPolicyDirective = StandardizedFeatures | ProposedFeatures | ExperimentalFeatures;
/**
 * Permissions-Policy features declared in a published version of their
 * respective specification. Sensor, device and media features are the ones
 * most worth denying for embedded third-party frames.
 */
type StandardizedFeatures =
  // Sensors
  | "accelerometer"
  | "ambientLightSensor"
  | "gyroscope"
  | "magnetometer"
  // Media and capture
  | "autoplay"
  | "camera"
  | "displayCapture"
  | "encryptedMedia"
  | "fullscreen"
  | "microphone"
  | "pictureInPicture"
  | "screenWakeLock"
  // Devices and hardware
  | "battery"
  | "bluetooth"
  | "computePressure"
  | "hid"
  | "midi"
  | "serial"
  | "usb"
  | "xrSpatialTracking"
  // User-Agent client hints
  | "chUa"
  | "chUaArch"
  | "chUaBitness"
  | "chUaFullVersion"
  | "chUaFullVersionList"
  | "chUaMobile"
  | "chUaModel"
  | "chUaPlatform"
  | "chUaPlatformVersion"
  | "chUaWow64"
  // Identity, payment and storage
  | "identityCredentialsGet"
  | "payment"
  | "publickeyCredentialsGet"
  | "storageAccess"
  // Page behaviour and networking
  | "attributionReporting"
  | "crossOriginIsolated"
  | "directSockets"
  | "executionWhileNotRendered"
  | "executionWhileOutOfViewport"
  | "geolocation"
  | "idleDetection"
  | "keyboardMap"
  | "navigationOverride"
  | "syncXhr"
  | "webShare"
  | "windowManagement";
/**
 * Permissions-Policy features that have been proposed but whose definitions
 * are not yet integrated into their respective specs.
 *
 * NOTE(review): `gemepad` is not a Permissions-Policy feature name; the spec
 * name is `gamepad`. The key is kept as-is so existing callers keep compiling —
 * check whether the runtime maps it or emits it verbatim, since a directive the
 * browser does not recognise is ignored and the feature is left unrestricted.
 */
type ProposedFeatures =
  | "clipboardRead"
  | "clipboardWrite"
  | "gemepad"
  | "sharedAutofill"
  | "speakerSelection";
/**
 * Experimental Permissions-Policy features: generally explainer-only, but may be
 * available to developers behind flags or origin trials. Names here can change
 * or disappear with browser releases; a directive the browser does not
 * recognise is ignored, so do not rely on these alone for a hard restriction.
 */
type ExperimentalFeatures =
  | "allScreensCapture"
  | "browsingTopics"
  | "capturedSurfaceControl"
  | "conversionMeasurement"
  | "digitalCredentialsGet"
  | "focusWithoutUserActivation"
  | "joinAdInterestGroup"
  | "localFonts"
  | "runAdAuction"
  | "smartCard"
  | "syncScript"
  | "trustTokenRedemption"
  | "unload"
  | "verticalScroll";
/**
 * Values the middleware may expose alongside the response.
 *
 * `secureHeadersNonce` is presumably the per-response CSP nonce. Nothing in this
 * file shows who generates or stores it — TODO confirm in the runtime that it is
 * freshly random for every response and that the same value is both emitted in
 * `script-src`/`style-src` and rendered into the page's inline tags; a reused or
 * predictable nonce nullifies the protection a nonce-based CSP provides.
 */
export interface SecureHeadersVariables {
secureHeadersNonce?: string;
}
/**
 * The source list of one CSP directive, one source expression per element
 * (e.g. `["'self'", "https://cdn.example.com"]`). Keywords such as `'self'`,
 * `'none'` and `'nonce-…'` keep their single quotes; hosts and schemes do not.
 */
type ContentSecurityPolicyOptionValue = string[];
/**
 * Directives for `Content-Security-Policy` and its `-Report-Only` twin.
 *
 * Each directive takes its list of source expressions. Values are presumably
 * joined as given, so quoting of keywords (`"'self'"`, `"'nonce-…'"`) is the
 * caller's responsibility — confirm against the runtime. Avoid `'unsafe-inline'`
 * and `'unsafe-eval'` in `scriptSrc`; prefer nonces or hashes. A policy without
 * `baseUri`, `objectSrc` and `frameAncestors` leaves common injection and
 * clickjacking paths open even when `scriptSrc` is strict.
 */
interface ContentSecurityPolicyOptions {
  // -- Fetch directives: where each resource type may be loaded from ---------
  /** Fallback for every fetch directive not listed explicitly. */
  defaultSrc?: ContentSecurityPolicyOptionValue;
  childSrc?: ContentSecurityPolicyOptionValue;
  connectSrc?: ContentSecurityPolicyOptionValue;
  fontSrc?: ContentSecurityPolicyOptionValue;
  frameSrc?: ContentSecurityPolicyOptionValue;
  imgSrc?: ContentSecurityPolicyOptionValue;
  manifestSrc?: ContentSecurityPolicyOptionValue;
  mediaSrc?: ContentSecurityPolicyOptionValue;
  /** Plugin content; `["'none'"]` unless the app really embeds plugins. */
  objectSrc?: ContentSecurityPolicyOptionValue;
  scriptSrc?: ContentSecurityPolicyOptionValue;
  scriptSrcAttr?: ContentSecurityPolicyOptionValue;
  scriptSrcElem?: ContentSecurityPolicyOptionValue;
  styleSrc?: ContentSecurityPolicyOptionValue;
  styleSrcAttr?: ContentSecurityPolicyOptionValue;
  styleSrcElem?: ContentSecurityPolicyOptionValue;
  workerSrc?: ContentSecurityPolicyOptionValue;

  // -- Document directives ---------------------------------------------------
  /** Restricts `<base href>`; an injected `<base>` can otherwise redirect every relative URL. */
  baseUri?: ContentSecurityPolicyOptionValue;
  sandbox?: ContentSecurityPolicyOptionValue;

  // -- Navigation directives -------------------------------------------------
  /** Where forms may submit to; limits credential exfiltration via injected forms. */
  formAction?: ContentSecurityPolicyOptionValue;
  /** Who may frame this page; the modern replacement for `X-Frame-Options`. */
  frameAncestors?: ContentSecurityPolicyOptionValue;

  // -- Reporting -------------------------------------------------------------
  /** Name of a reporting group declared via `reportingEndpoints` / `reportTo` on the middleware options. */
  reportTo?: string;

  // -- Other -----------------------------------------------------------------
  /**
   * `upgrade-insecure-requests` is a valueless directive in the spec, yet it is
   * typed as a source list here — TODO confirm what the runtime expects (an
   * empty array?) before enabling it.
   */
  upgradeInsecureRequests?: ContentSecurityPolicyOptionValue;
}
/**
 * One group of the legacy `Report-To` header.
 *
 * Field names are snake_case, presumably because they mirror the header's JSON
 * shape (`group`, `max_age`, `endpoints`) verbatim. `group` is the name a CSP
 * `reportTo` directive refers to; `max_age` is, per the Reporting API, the
 * group's lifetime in seconds. Endpoints should be HTTPS collectors you
 * control, since reports carry page URLs and violation samples. `Report-To` is
 * superseded by `Reporting-Endpoints`; prefer `ReportingEndpointOptions` for
 * new code.
 */
interface ReportToOptions {
  group: string;
  max_age: number;
  endpoints: ReportToEndpoint[];
}
/**
 * A single collector URL inside a `Report-To` group. Use HTTPS endpoints you
 * control: reports include page URLs and violation samples.
 */
interface ReportToEndpoint {
url: string;
}
/**
 * One named endpoint for the `Reporting-Endpoints` header. `name` is what a CSP
 * `reportTo` directive refers to; `url` should be an HTTPS collector you
 * control, since reports include page URLs and violation samples. Presumably
 * serialised as `name="url"` — confirm against the runtime.
 */
interface ReportingEndpointOptions {
name: string;
url: string;
}
/**
 * Allow-list entry for a Permissions-Policy directive: `"*"` (any origin),
 * `"self"`, `"src"` (the frame's own src origin), `"none"`, or any other string,
 * expected to be a specific origin such as `"https://example.com"`. The
 * `(string & {})` member keeps editor completion for the four keywords while
 * still accepting arbitrary origins. `"*"` on a powerful feature (camera,
 * microphone, geolocation…) grants it to every embedded frame — use sparingly.
 */
type PermissionsPolicyValue = "*" | "self" | "src" | "none" | (string & {});
/**
 * Map from Permissions-Policy directive to its allow-list. `true`/`false`
 * presumably select the directive's default or empty allow-list and an array
 * is presumably emitted as given — confirm against the runtime. Directives left
 * out are not restricted at all, so list every powerful feature the app does
 * not use.
 */
type PermissionsPolicyOptions = Partial<Record<PermissionsPolicyDirective, Array<PermissionsPolicyValue> | boolean>>;
/**
 * Per-header switch. Presumably `true` emits the middleware's built-in value,
 * `false` suppresses the header, and a string is emitted verbatim as the header
 * value — confirm against the runtime. No validation is visible here, so keep
 * string values free of CR/LF and build them from trusted constants, never from
 * request data. NOTE(review): the lowercase name breaks the PascalCase
 * convention of the other aliases; it is referenced throughout this file, so
 * renaming is a coordinated change.
 */
type overridableHeader = boolean | string;
// Keeps this declaration file a module, so the un-exported aliases above
// (`overridableHeader`, `ContentSecurityPolicyOptions`, …) stay file-private
// and only reach consumers structurally through the exported namespace.
export {};