Enterprise-grade security module for frontend and backend applications with comprehensive protection against XSS, CSRF, SQL injection, and other security vulnerabilities

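"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.securityHeaders = exports.SecurityHeaders = void 0;

/** Default HSTS max-age in seconds (180 days). */
const DEFAULT_HSTS_MAX_AGE = 15552000;

/**
 * Builds the Strict-Transport-Security header value from an options sub-object.
 *
 * @param {{ maxAge?: number, includeSubDomains?: boolean, preload?: boolean }} sts
 * @returns {string} e.g. `max-age=15552000; includeSubDomains`
 */
function buildStrictTransportSecurity({ maxAge, includeSubDomains, preload }) {
  // A partial sub-object (no maxAge) previously produced "max-age=undefined",
  // which browsers reject as an invalid directive; fall back to the default.
  const effectiveMaxAge = maxAge == null ? DEFAULT_HSTS_MAX_AGE : maxAge;
  const directives = [`max-age=${effectiveMaxAge}`];
  if (includeSubDomains) directives.push('includeSubDomains');
  if (preload) directives.push('preload');
  return directives.join('; ');
}

/**
 * Collects the enabled headers as [name, value] pairs, in a fixed order.
 * Shared by applyToDocument() and getHeaders() so the two outputs cannot drift.
 *
 * @param {object} options - Resolved SecurityHeaders options.
 * @returns {Array<[string, string]>}
 */
function collectHeaders(options) {
  const entries = [];
  if (options.xssProtection) {
    // X-XSS-Protection is deprecated (the auditor has been removed from modern
    // engines); kept for compatibility with the existing default. Current
    // guidance prefers Content-Security-Policy over this header.
    entries.push(['X-XSS-Protection', '1; mode=block']);
  }
  if (options.contentTypeOptions) {
    entries.push(['X-Content-Type-Options', 'nosniff']);
  }
  if (options.frameOptions) {
    // Valid values are DENY or SAMEORIGIN; the header is case-insensitive but
    // is normalized to upper case for consistency.
    entries.push(['X-Frame-Options', options.frameOptions.toUpperCase()]);
  }
  if (options.referrerPolicy) {
    entries.push(['Referrer-Policy', options.referrerPolicy]);
  }
  if (options.strictTransportSecurity) {
    entries.push([
      'Strict-Transport-Security',
      buildStrictTransportSecurity(options.strictTransportSecurity),
    ]);
  }
  return entries;
}

/**
 * Computes a fixed set of HTTP security headers from an options object.
 *
 * The authoritative way to use this class is getHeaders() on the server, so the
 * values are sent as real HTTP response headers. applyToDocument() writes the
 * same values as `<meta http-equiv>` tags, but browsers honor only a small set
 * of http-equiv pragmas (notably Content-Security-Policy): X-Frame-Options and
 * Strict-Transport-Security are specified as HTTP-header-only, and a meta
 * referrer policy uses `name="referrer"` rather than http-equiv. Treat the
 * document path as informational, not as enforcement.
 */
class SecurityHeaders {
  /**
   * @param {object} [options] - Overrides merged shallowly over the defaults.
   *   Pass a falsy value for a key to disable that header. Note that
   *   `strictTransportSecurity` is replaced as a whole; a missing `maxAge`
   *   inside it falls back to the 180-day default.
   */
  constructor(options) {
    this.options = {
      xssProtection: true,
      contentTypeOptions: true,
      frameOptions: 'deny',
      referrerPolicy: 'strict-origin-when-cross-origin',
      strictTransportSecurity: {
        maxAge: DEFAULT_HSTS_MAX_AGE, // 180 days
        includeSubDomains: true,
        preload: false,
      },
      ...options,
    };
  }

  /**
   * Writes the enabled headers into the document as `<meta http-equiv>` tags.
   * No-op outside a browser environment. See the class comment: most of these
   * headers are not honored when delivered via meta tags, so this does not
   * replace setting them on the HTTP response.
   */
  applyToDocument() {
    if (typeof document === 'undefined') {
      return;
    }
    const head = document.head || document.getElementsByTagName('head')[0];
    for (const [name, value] of collectHeaders(this.options)) {
      this.addMetaTag(head, name, value);
    }
  }

  /**
   * Returns the enabled headers for server-side use.
   *
   * @returns {Record<string, string>} Header name → value, ready to set on a response.
   */
  getHeaders() {
    const headers = {};
    for (const [name, value] of collectHeaders(this.options)) {
      headers[name] = value;
    }
    return headers;
  }

  /**
   * Replaces (or creates) a `<meta http-equiv>` tag under `head`.
   * Browser-only: expects the global `document` to exist.
   *
   * @param {HTMLElement} head - Element to append the meta tag to.
   * @param {string} httpEquiv - Header name; only the fixed names from this
   *   module are passed here, so it is safe to embed in the selector.
   * @param {string} content - Header value.
   */
  addMetaTag(head, httpEquiv, content) {
    // Remove any previous tag so repeated calls do not accumulate duplicates.
    const existingTag = document.querySelector(`meta[http-equiv="${httpEquiv}"]`);
    if (existingTag) {
      existingTag.remove();
    }
    const meta = document.createElement('meta');
    meta.httpEquiv = httpEquiv;
    meta.content = content;
    head.appendChild(meta);
  }
}
exports.SecurityHeaders = SecurityHeaders;

// Export default instance
exports.securityHeaders = new SecurityHeaders();
//# sourceMappingURL=security-headers.js.map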