Initial API

2021-03-25 17:23:36 +01:00
commit 218326c402
1878 changed files with 274122 additions and 0 deletions

node_modules/helmet/CHANGELOG.md generated vendored Normal file

@@ -0,0 +1,793 @@
# Changelog
## 4.4.1 - 2021-01-18
### Changed
- Shrink the published package by about 2.5 kB
## 4.4.0 - 2021-01-17
### Added
- `helmet.originAgentCluster`: a new middleware for the `Origin-Agent-Cluster` middleware, disabled by default
## 4.3.1 - 2020-12-27
### Fixed
- `helmet.contentSecurityPolicy`: broken TypeScript types. See [#283](https://github.com/helmetjs/helmet/issues/283)
## 4.3.0 - 2020-12-27
### Added
- `helmet.contentSecurityPolicy`: setting the `default-src` to `helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc` disables it
### Changed
- `helmet.frameguard`: slightly improved error messages for non-strings
## 4.2.0 - 2020-11-01
### Added
- `helmet.contentSecurityPolicy`: get the default directives with `contentSecurityPolicy.getDefaultDirectives()`
### Changed
- `helmet()` now supports objects that don't have `Object.prototype` in their chain, such as `Object.create(null)`, as options
- `helmet.expectCt`: `max-age` is now first. See [#264](https://github.com/helmetjs/helmet/pull/264)
## 4.1.1 - 2020-09-10
### Changed
- Fixed a few errors in the README
## 4.1.0 - 2020-08-15
### Added
- `helmet.contentSecurityPolicy`:
- Directive values can now include functions, as they could in Helmet 3. See [#243](https://github.com/helmetjs/helmet/issues/243)
### Changed
- Helmet should now play more nicely with TypeScript
### Removed
- The `HelmetOptions` interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see [this comment](https://github.com/helmetjs/helmet/issues/235#issuecomment-674016883)
## 4.0.0 - 2020-08-02
See the [Helmet 4 upgrade guide](https://github.com/helmetjs/helmet/wiki/Helmet-4-upgrade-guide) for help upgrading from Helmet 3.
### Added
- `helmet.contentSecurityPolicy`:
- If no `default-src` directive is supplied, an error is thrown
- Directive lists can be any iterable, not just arrays
### Changed
- This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
- `helmet.contentSecurityPolicy`:
- There is now a default set of directives if none are supplied
- Duplicate keys now throw an error. See [helmetjs/csp#73](https://github.com/helmetjs/csp/issues/73)
- This middleware is more lenient, allowing more directive names or values
- `helmet.xssFilter` now disables the buggy XSS filter by default. See [#230](https://github.com/helmetjs/helmet/issues/230)
### Removed
- Dropped support for old Node versions. Node 10+ is now required
- `helmet.featurePolicy`. If you still need it, use the `feature-policy` package on npm.
- `helmet.hpkp`. If you still need it, use the `hpkp` package on npm.
- `helmet.noCache`. If you still need it, use the `nocache` package on npm.
- `helmet.contentSecurityPolicy`:
- Removed browser sniffing (including the `browserSniff` and `disableAndroid` parameters). See [helmetjs/csp#97](https://github.com/helmetjs/csp/issues/97)
- Removed conditional support. This includes directive functions and support for a function as the `reportOnly`. [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Conditionally-using-middleware)
- Removed a lot of checks—you should be checking your CSP with a different tool
- Removed support for legacy headers (and therefore the `setAllHeaders` parameter). [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4)
- Removed the `loose` option
- Removed support for functions as directive values. You must supply an iterable of strings
- `helmet.frameguard`:
- Dropped support for the `ALLOW-FROM` action. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)
- `helmet.hidePoweredBy` no longer accepts arguments. See [this article](https://github.com/helmetjs/helmet/wiki/How-to-set-a-custom-X%E2%80%93Powered%E2%80%93By-header) to see how to replicate the removed behavior. See [#224](https://github.com/helmetjs/helmet/issues/224).
- `helmet.hsts`:
- Dropped support for `includeSubdomains` with a lowercase D. See [#231](https://github.com/helmetjs/helmet/issues/231)
- Dropped support for `setIf`. [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Conditionally-using-middleware). See [#232](https://github.com/helmetjs/helmet/issues/232)
- `helmet.xssFilter` no longer accepts options. Read ["How to disable blocking with XXSSProtection"](https://github.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection) and ["How to enable the `report` directive with XXSSProtection"](https://github.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection) if you need the legacy behavior.
## 3.23.3 - 2020-06-26
### Changed
- `helmet.expectCt` is no longer a separate package. This should have no effect on end users.
- `helmet.frameguard` is no longer a separate package. This should have no effect on end users.
## 3.23.2 - 2020-06-23
### Changed
- `helmet.dnsPrefetchControl` is no longer a separate package. This should have no effect on end users.
## 3.23.1 - 2020-06-16
### Changed
- `helmet.ieNoOpen` is no longer a separate package. This should have no effect on end users.
## 3.23.0 - 2020-06-12
### Deprecated
- `helmet.featurePolicy` is deprecated. Use the `feature-policy` module instead.
## 3.22.1 - 2020-06-10
### Changed
- Rewrote internals in TypeScript. This should have no effect on end users.
## 3.22.0 - 2020-03-24
### Changed
- Updated `helmet-csp` to v2.10.0
- Add support for the `allow-downloads` sandbox directive. See [helmet-csp#103](https://github.com/helmetjs/csp/pull/103)
### Deprecated
- `helmet.noCache` is deprecated. Use the `nocache` module instead. See [#215](https://github.com/helmetjs/helmet/issues/215)
## 3.21.3 - 2020-02-24
### Changed
- Updated `helmet-csp` to v2.9.5
- Updated `bowser` subdependency from 2.7.0 to 2.9.0
- Fixed an issue some people were having when importing the `bowser` subdependency. See [helmet-csp#96](https://github.com/helmetjs/csp/issues/96) and [#101](https://github.com/helmetjs/csp/pull/101)
## 3.21.2 - 2019-10-21
### Changed
- Updated `helmet-csp` to v2.9.4
- Updated `bowser` subdependency from 2.6.1 to 2.7.0. See [helmet-csp#94](https://github.com/helmetjs/csp/pull/94)
## 3.21.1 - 2019-09-20
### Fixed
- Updated `helmet-csp` to v2.9.2
- Fixed a bug where a request from Firefox 4 could delete `default-src` from future responses
- Fixed tablet PC detection by updating `bowser` subdependency to latest version
## 3.21.0 - 2019-09-04
### Added
- Updated `x-xss-protection` to v1.3.0
- Added `mode: null` to disable `mode=block`
### Changed
- Updated `helmet-csp` to v2.9.1
- Updated `bowser` subdependency from 2.5.3 to 2.5.4. See [helmet-csp#88](https://github.com/helmetjs/csp/pull/88)
## 3.20.1 - 2019-08-28
### Changed
- Updated `helmet-csp` to v2.9.0
## 3.20.0 - 2019-07-24
### Changed
- Updated `helmet-csp` to v2.8.0
## 3.19.0 - 2019-07-17
### Changed
- Updated `dns-prefetch-control` to v0.2.0
- Updated `dont-sniff-mimetype` to v1.1.0
- Updated `helmet-crossdomain` to v0.4.0
- Updated `hide-powered-by` to v1.1.0
- Updated `x-xss-protection` to v1.2.0
## 3.18.0 - 2019-05-05
### Added
- `featurePolicy` has 19 new features: `ambientLightSensor`, `documentDomain`, `documentWrite`, `encryptedMedia`, `fontDisplayLateSwap`, `layoutAnimations`, `legacyImageFormats`, `loadingFrameDefaultEager`, `oversizedImages`, `pictureInPicture`, `serial`, `syncScript`, `unoptimizedImages`, `unoptimizedLosslessImages`, `unoptimizedLossyImages`, `unsizedMedia`, `verticalScroll`, `wakeLock`, and `xr`
### Changed
- Updated `expect-ct` to v0.2.0
- Updated `feature-policy` to v0.3.0
- Updated `frameguard` to v3.1.0
- Updated `nocache` to v2.1.0
## 3.17.0 - 2019-05-03
### Added
- `referrerPolicy` now supports multiple values
### Changed
- Updated `referrerPolicy` to v1.2.0
## 3.16.0 - 2019-03-10
### Added
- Add email to `bugs` field in `package.json`
### Changed
- Updated `hsts` to v2.2.0
- Updated `ienoopen` to v1.1.0
- Changelog is now in the [Keep A Changelog](https://keepachangelog.com/) format
- Dropped support for Node <4. See [the commit](https://github.com/helmetjs/helmet/commit/a49cec3ca58cce484d2d05e1f908549caa92ed03) for more information
- Updated Adam Baldwin's contact information
### Deprecated
- `helmet.hsts`'s `setIf` option has been deprecated and will be removed in `hsts@3`. See [helmetjs/hsts#22](https://github.com/helmetjs/hsts/issues/22) for more
* The `includeSubdomains` option (with a lowercase `d`) has been deprecated and will be removed in `hsts@3`. Use the uppercase-D `includeSubDomains` option instead. See [helmetjs/hsts#21](https://github.com/helmetjs/hsts/issues/21) for more
## 3.15.1 - 2019-02-10
### Deprecated
- The `hpkp` middleware has been deprecated. If you still need to use this module, install the standalone `hpkp` module from npm. See [#180](https://github.com/helmetjs/helmet/issues/180) for more.
## 3.15.0 - 2018-11-07
### Added
- `helmet.featurePolicy` now supports four new features
## 3.14.0 - 2018-10-09
### Added
- `helmet.featurePolicy` middleware
## 3.13.0 - 2018-07-22
### Added
- `helmet.permittedCrossDomainPolicies` middleware
## 3.12.2 - 2018-07-20
### Fixed
- Removed `lodash.reduce` dependency from `csp`
## 3.12.1 - 2018-05-16
### Fixed
- `expectCt` should use comma instead of semicolon as delimiter
## 3.12.0 - 2018-03-02
### Added
- `xssFilter` now supports `reportUri` option
## 3.11.0 - 2018-02-09
### Added
- Main Helmet middleware is now named to help with debugging
## 3.10.0 - 2018-01-23
### Added
- `csp` now supports `prefix-src` directive
### Fixed
- `csp` no longer loads JSON files internally, helping some module bundlers
- `false` should be able to disable a CSP directive
## 3.9.0 - 2017-10-13
### Added
- `csp` now supports `strict-dynamic` value
- `csp` now supports `require-sri-for` directive
### Changed
- Removed `connect` dependency
## 3.8.2 - 2017-09-27
### Changed
- Updated `connect` dependency to latest
## 3.8.1 - 2017-07-28
### Fixed
- `csp` does not automatically set `report-to` when setting `report-uri`
## 3.8.0 - 2017-07-21
### Changed
- `hsts` no longer cares whether it's HTTPS and always sets the header
## 3.7.0 - 2017-07-21
### Added
- `csp` now supports `report-to` directive
### Changed
- Throw an error when used incorrectly
- Add a few documentation files to `npmignore`
## 3.6.1 - 2017-05-21
### Changed
- Bump `connect` version
## 3.6.0 - 2017-05-04
### Added
- `expectCt` middleware for setting the `Expect-CT` header
## 3.5.0 - 2017-03-06
### Added
- `csp` now supports the `worker-src` directive
## 3.4.1 - 2017-02-24
### Changed
- Bump `connect` version
## 3.4.0 - 2017-01-13
### Added
- `csp` now supports more `sandbox` directives
## 3.3.0 - 2016-12-31
### Added
- `referrerPolicy` allows `strict-origin` and `strict-origin-when-cross-origin` directives
### Changed
- Bump `connect` version
## 3.2.0 - 2016-12-22
### Added
- `csp` now allows `manifest-src` directive
## 3.1.0 - 2016-11-03
### Added
- `csp` now allows `frame-src` directive
## 3.0.0 - 2016-10-28
### Changed
- `csp` will check your directives for common mistakes and throw errors if it finds them. This can be disabled with `loose: true`.
- Empty arrays are no longer allowed in `csp`. For source lists (like `script-src` or `object-src`), use the standard `scriptSrc: ["'none'"]`. The `sandbox` directive can be `sandbox: true` to block everything.
- `false` can disable a CSP directive. For example, `scriptSrc: false` is the same as not specifying it.
- In CSP, `reportOnly: true` no longer requires a `report-uri` to be set.
- `hsts`'s `maxAge` now defaults to 180 days (instead of 1 day)
- `hsts`'s `maxAge` parameter is seconds, not milliseconds
- `hsts` includes subdomains by default
- `domain` parameter in `frameguard` cannot be empty
### Removed
- `noEtag` option no longer present in `noCache`
- iOS Chrome `connect-src` workaround in CSP module
## 2.3.0 - 2016-09-30
### Added
- `hpkp` middleware now supports the `includeSubDomains` property with a capital D
### Fixed
- `hpkp` was setting `includeSubdomains` instead of `includeSubDomains`
## 2.2.0 - 2016-09-16
### Added
- `referrerPolicy` middleware
## 2.1.3 - 2016-09-07
### Changed
- Top-level aliases (like `helmet.xssFilter`) are no longer dynamically required
## 2.1.2 - 2016-07-27
### Deprecated
- `nocache`'s `noEtag` option is now deprecated
### Fixed
- `csp` now better handles Firefox on mobile
## 2.1.1 - 2016-06-10
### Changed
- Remove several dependencies from `helmet-csp`
### Fixed
- `frameguard` had a documentation error about its default value
- `frameguard` docs in main Helmet readme said `frameguard`, not `helmet.frameguard`
## 2.1.0 - 2016-05-18
### Added
- `csp` lets you dynamically set `reportOnly`
## 2.0.0 - 2016-04-29
### Added
- Pass configuration to enable/disable default middlewares
### Changed
- `dnsPrefetchControl` middleware is now enabled by default
### Removed
- No more module aliases. There is now just one way to include each middleware
- `frameguard` can no longer be initialized with strings; you must use an object
### Fixed
- Make `hpkp` lowercase in documentation
- Update `hpkp` spec URL in readmes
- Update `frameguard` header name in readme
## 1.3.0 - 2016-03-01
### Added
- `hpkp` has a `setIf` option to conditionally set the header
## 1.2.0 - 2016-02-29
### Added
- `csp` now has a `browserSniff` option to disable all user-agent sniffing
### Changed
- `frameguard` can now be initialized with options
- Add `npmignore` file to speed up installs slightly
## 1.1.0 - 2016-01-12
### Added
- Code of conduct
- `dnsPrefetchControl` middleware
### Fixed
- `csp` readme had syntax errors
## 1.0.2 - 2016-01-08
### Fixed
- `csp` wouldn't recognize `IE Mobile` browsers
- `csp` had some errors in its readme
- Main readme had a syntax error
## 1.0.1 - 2015-12-19
### Fixed
- `csp` with no User Agent would cause errors
## 1.0.0 - 2015-12-18
### Added
- `csp` module supports dynamically-generated values
### Changed
- `csp` directives are now under the `directives` key
- `hpkp`'s `Report-Only` header is now opt-in, not opt-out
- Tweak readmes of every sub-repo
### Removed
- `crossdomain` middleware
- `csp` no longer throws errors when some directives aren't quoted (`'self'`, for example)
- `maxage` option in the `hpkp` middleware
- `safari5` option from `csp` module
### Fixed
- Old Firefox Content-Security-Policy behavior for `unsafe-inline` and `unsafe-eval`
- Dynamic `csp` policies is no longer recursive
## 0.15.0 - 2015-11-26
### Changed
- `hpkp` allows a `report-uri` without the `Report-Only` header
## 0.14.0 - 2015-11-01
### Added
- `nocache` now sends the `Surrogate-Control` header
### Changed
- `nocache` no longer contains the `private` directive in the `Cache-Control` header
## 0.13.0 - 2015-10-23
### Added
- `xssFilter` now has a function name
- Added new CSP docs to readme
### Changed
- HSTS option renamed from `includeSubdomains` to `includeSubDomains`
## 0.11.0 - 2015-09-18
### Added
- `csp` now supports Microsoft Edge
- CSP Level 2 support
### Changed
- Updated `connect` to 3.4.0
- Updated `depd` to 1.1.0
### Fixed
- Added `license` key to `csp`'s `package.json`
- Empty `csp` directives now support every directive, not just `sandbox`
## 0.10.0 - 2015-07-08
### Added
- Add "Handling CSP violations" to `csp` readme
- Add license to `package.json`
### Changed
- `hpkp` had a link to the wrong place in its readme
- `hpkp` requires 2 or more pins
### Fixed
- `hpkp` might have miscalculated `maxAge` slightly wrong
## 0.9.0 - 2015-04-24
### Changed
- `nocache` adds `private` to its `Cache-Control` directive
- Added a description to `package.json`
## 0.8.0 - 2015-04-21
### Changed
- Removed hefty Lodash dependency from HSTS and CSP
- Updated string detection module in Frameguard
- Changed readme slightly to better reflect project's focus
### Deprecated
- Deprecated `crossdomain` middleware
### Removed
- `crossdomain` is no longer a default middleware
## 0.7.1 - 2015-03-23
### Changed
- Updated all outdated dependencies (insofar as possible)
- HSTS now uses Lodash like all the rest of the libraries
## 0.7.0 - 2015-03-05
### Added
- `hpkp` middleware
### Changed
- Travis CI should test 0.10 and 0.12
- Minor code cleanup
## 0.6.2 - 2015-03-01
### Changed
- Improved `xssFilter` performance
- Updated Lodash versions
## 0.6.1 - 2015-02-13
### Added
- "Other recommended modules" in README
### Changed
- Updated Lodash version
### Fixed
- `frameguard` middleware exported a function called `xframe`
## 0.6.0 - 2015-01-21
### Added
- You can disable `csp` for Android
### Fixed
- `csp` on Chrome Mobile on Android and iOS
## 0.5.4 - 2014-12-21
### Changed
- `nocache` should force revalidation
## 0.5.3 - 2014-12-08
### Changed
- `platform` version in CSP and X-XSS-Protection
### Fixed
- Updated bad wording in frameguard docs
## 0.5.2 - 2014-11-16
### Changed
- Updated Connect version
### Fixed
- Fixed minor `csp` bugfixes
## 0.5.1 - 2014-11-09
### Changed
- Updated URLs in `package.json` for new URL
### Fixed
- CSP would set all headers forever after receiving an unknown user agent
## 0.5.0 - 2014-10-28
### Added
- Most middlewares have some aliases now
### Changed
- `xframe` now called `frameguard` (though `xframe` still works)
- `frameguard` chooses sameorigin by default
- `frameguard` understands "SAME-ORIGIN" in addition to "SAMEORIGIN"
- `nocache` removed from default middleware stack
- Middleware split out into their own modules
- Documentation
- Updated supported Node version to at least 0.10.0
- Bumped Connect version
### Removed
- Deprecation warnings
### Fixed
- Readme link was broken
## 0.4.2 - 2014-10-16
### Added
- Support preload in HSTS header
## 0.4.1 - 2014-08-24
### Added
- Use [helmet-crossdomain](https://github.com/helmetjs/crossdomain) to test the waters
- 2 spaces instead of 4 throughout the code
## 0.4.0 - 2014-07-17
### Added
- `nocache` now sets the Expires and Pragma headers
- `nocache` now allows you to crush ETags
### Changed
- Improved the docs for nosniff
- Reverted HSTS behavior of requiring a specified max-age
### Fixed
- Allow HSTS to have a max-age of 0
## 0.3.2 - 2014-06-30
### Added
- All middleware functions are named
- Throw error with non-positive HSTS max-age
### Changed
- Added semicolons in README
- Make some Errors more specific
### Removed
- Removed all comment headers; refer to the readme
### Fixed
- `helmet()` was having issues
- Fixed Syntax errors in README
This changelog was created after the release of 0.3.1.
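Review bot: a file marked "generated vendored" should not be committed at all; this hunk is one of 1878 files adding 274122 lines of node_modules content, so the tree now carries a snapshot of helmet that nothing in the commit ties back to package.json. Add `node_modules/` to .gitignore and record the dependency in package.json plus a lockfile (the changelog shows the vendored version is 4.4.1, which per the 4.0.0 entry requires Node 10+), so that `npm install helmet --save` reproduces exactly this version and future upgrades appear as a one-line lockfile change instead of another multi-hundred-file diff.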

node_modules/helmet/LICENSE generated vendored Normal file

@@ -0,0 +1,22 @@
The MIT License
Copyright (c) 2012-2021 Evan Hahn, Adam Baldwin
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
'Software'), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
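Review bot: the notice clause at "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software" is satisfied here only because the whole LICENSE file travels with the vendored code; if node_modules is later removed from the repository in favour of installing helmet from npm, make sure the attribution (Copyright (c) 2012-2021 Evan Hahn, Adam Baldwin) is still captured by whatever license inventory the build produces.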

node_modules/helmet/README.md generated vendored Normal file

@@ -0,0 +1,499 @@
# Helmet
[![npm version](https://badge.fury.io/js/helmet.svg)](http://badge.fury.io/js/helmet)
[![npm dependency status](https://david-dm.org/helmetjs/helmet.svg)](https://david-dm.org/helmetjs/helmet)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet.svg?type=shield)](https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet?ref=badge_shield)
Helmet helps you secure your Express apps by setting various HTTP headers. _It's not a silver bullet_, but it can help!
## Quick start
First, run `npm install helmet --save` for your app. Then, in an Express app:
```js
const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet());
// ...
```
## How it works
Helmet is [Connect](https://github.com/senchalabs/connect)-style middleware, which is compatible with frameworks like [Express](https://expressjs.com/). (If you need support for Koa, see [`koa-helmet`](https://github.com/venables/koa-helmet).)
The top-level `helmet` function is a wrapper around 11 smaller middlewares.
In other words, these two things are equivalent:
```js
// This...
app.use(helmet());
// ...is equivalent to this:
app.use(helmet.contentSecurityPolicy());
app.use(helmet.dnsPrefetchControl());
app.use(helmet.expectCt());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.hsts());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.permittedCrossDomainPolicies());
app.use(helmet.referrerPolicy());
app.use(helmet.xssFilter());
```
To set custom options for one of the middleware, add options like this:
```js
// This sets custom options for the `referrerPolicy` middleware.
app.use(
helmet({
referrerPolicy: { policy: "no-referrer" },
})
);
```
You can also disable a middleware:
```js
// This disables the `contentSecurityPolicy` middleware but keeps the rest.
app.use(
helmet({
contentSecurityPolicy: false,
})
);
```
## Reference
<details>
<summary><code>helmet(options)</code></summary>
Helmet is the top-level middleware for this module, including all 11 others.
All 11 middlewares are enabled by default.
```js
// Includes all 11 middlewares
app.use(helmet());
```
If you want to disable one, pass options to `helmet`. For example, to disable `frameguard`:
```js
// Includes 10 middlewares, skipping `helmet.frameguard`
app.use(
helmet({
frameguard: false,
})
);
```
Most of the middlewares have options, which are documented in more detail below. For example, to pass `{ action: "deny" }` to `frameguard`:
```js
// Includes all 11 middlewares, setting an option for `helmet.frameguard`
app.use(
helmet({
frameguard: {
action: "deny",
},
})
);
```
Each middleware's name is listed below.
</details>
<details>
<summary><code>helmet.contentSecurityPolicy(options)</code></summary>
`helmet.contentSecurityPolicy` sets the `Content-Security-Policy` header which helps mitigate cross-site scripting attacks, among other things. See [MDN's introductory article on Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
This middleware performs very little validation. You should rely on CSP checkers like [CSP Evaluator](https://csp-evaluator.withgoogle.com/) instead.
`options.directives` is an object. Each key is a directive name in camel case (such as `defaultSrc`) or kebab case (such as `default-src`). Each value is an iterable (usually an array) of strings or functions for that directive. If a function appears in the iterable, it will be called with the request and response. The `default-src` can be explicitly disabled by setting its value to `helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc`.
`options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead.
If no directives are supplied, the following policy is set (whitespace added for readability):
default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
You can fetch this default with `helmet.contentSecurityPolicy.getDefaultDirectives()`.
Examples:
```js
// Sets "Content-Security-Policy: default-src 'self';script-src 'self' example.com;object-src 'none';upgrade-insecure-requests"
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
},
})
);
// Sets "Content-Security-Policy: default-src 'self';script-src 'self' example.com;object-src 'none'"
app.use(
helmet.contentSecurityPolicy({
directives: {
"default-src": ["'self'"],
"script-src": ["'self'", "example.com"],
"object-src": ["'none'"],
},
})
);
// Sets all of the defaults, but overrides script-src
app.use(
helmet.contentSecurityPolicy({
directives: {
...helmet.contentSecurityPolicy.getDefaultDirectives(),
"script-src": ["'self'", "example.com"],
},
})
);
// Sets the "Content-Security-Policy-Report-Only" header instead
app.use(
helmet.contentSecurityPolicy({
directives: {
/* ... */
},
reportOnly: true,
})
);
// Sets "Content-Security-Policy: default-src 'self';script-src 'self' 'nonce-e33ccde670f149c1789b1e1e113b0916'"
app.use((req, res, next) => {
res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
next();
});
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
},
})
);
// Sets "Content-Security-Policy: script-src 'self'"
app.use(
helmet.contentSecurityPolicy({
directives: {
"default-src": helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc,
"script-src": ["'self'"],
},
})
);
```
You can install this module separately as `helmet-csp`.
</details>
<details>
<summary><code>helmet.expectCt(options)</code></summary>
`helmet.expectCt` sets the `Expect-CT` header which helps mitigate misissued SSL certificates. See [MDN's article on Certificate Transparency](https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency) and the [`Expect-CT` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT) for more.
`options.maxAge` is the number of seconds to expect Certificate Transparency. It defaults to `0`.
`options.enforce` is a boolean. If `true`, the user agent (usually a browser) should refuse future connections that violate its Certificate Transparency policy. Defaults to `false`.
`options.reportUri` is a string. If set, complying user agents will report Certificate Transparency failures to this URL. Unset by default.
Examples:
```js
// Sets "Expect-CT: max-age=86400"
app.use(
helmet.expectCt({
maxAge: 86400,
})
);
// Sets "Expect-CT: max-age=86400, enforce, report-uri="https://example.com/report"
app.use(
helmet.expectCt({
maxAge: 86400,
enforce: true,
reportUri: "https://example.com/report",
})
);
```
You can install this module separately as `expect-ct`.
</details>
<details>
<summary><code>helmet.referrerPolicy(options)</code></summary>
`helmet.referrerPolicy` sets the `Referrer-Policy` header which controls what information is set in [the `Referer` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer). See ["Referer header: privacy and security concerns"](https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns) and [the header's documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) on MDN for more.
`options.policy` is a string or array of strings representing the policy. If passed as an array, it will be joined with commas, which is useful when setting [a fallback policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#Specifying_a_fallback_policy). It defaults to `no-referrer`.
Examples:
```js
// Sets "Referrer-Policy: no-referrer"
app.use(
helmet.referrerPolicy({
policy: "no-referrer",
})
);
// Sets "Referrer-Policy: origin,unsafe-url"
app.use(
helmet.referrerPolicy({
policy: ["origin", "unsafe-url"],
})
);
```
You can install this module separately as `referrer-policy`.
</details>
<details>
<summary><code>helmet.hsts(options)</code></summary>
`helmet.hsts` sets the `Strict-Transport-Security` header which tells browsers to prefer HTTPS over insecure HTTP. See [the documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) for more.
`options.maxAge` is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. It defaults to `15552000`, which is 180 days.
`options.includeSubDomains` is a boolean which dictates whether to include the `includeSubDomains` directive, which makes this policy extend to subdomains. It defaults to `true`.
`options.preload` is a boolean. If true, it adds the `preload` directive, expressing intent to add your HSTS policy to browsers. See [the "Preloading Strict Transport Security" section on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security) for more. It defaults to `false`.
Examples:
```js
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains"
app.use(
helmet.hsts({
maxAge: 123456,
})
);
// Sets "Strict-Transport-Security: max-age=123456"
app.use(
helmet.hsts({
maxAge: 123456,
includeSubDomains: false,
})
);
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains; preload"
app.use(
helmet.hsts({
maxAge: 63072000,
preload: true,
})
);
```
You can install this module separately as `hsts`.
</details>
<details>
<summary><code>helmet.noSniff()</code></summary>
`helmet.noSniff` sets the `X-Content-Type-Options` header to `nosniff`. This mitigates [MIME type sniffing](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#MIME_sniffing) which can cause security vulnerabilities. See [documentation for this header on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) for more.
This middleware takes no options.
Example:
```js
// Sets "X-Content-Type-Options: nosniff"
app.use(helmet.noSniff());
```
You can install this module separately as `dont-sniff-mimetype`.
</details>
<details>
<summary><code>helmet.originAgentCluster()</code></summary>
`helmet.originAgentCluster` sets the `Origin-Agent-Cluster` header, which provides a mechanism to allow web applications to isolate their origins. Read more about it [in the spec](https://whatpr.org/html/6214/origin.html#origin-keyed-agent-clusters).
This middleware takes no options.
Examples:
```js
// Sets "Origin-Agent-Cluster: ?1"
app.use(helmet.originAgentCluster());
```
You can't install this module separately.
</details>
<details>
<summary><code>helmet.dnsPrefetchControl(options)</code></summary>
`helmet.dnsPrefetchControl` sets the `X-DNS-Prefetch-Control` header to help control DNS prefetching, which can improve user privacy at the expense of performance. See [documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control) for more.
`options.allow` is a boolean dictating whether to enable DNS prefetching. It defaults to `false`.
Examples:
```js
// Sets "X-DNS-Prefetch-Control: off"
app.use(
helmet.dnsPrefetchControl({
allow: false,
})
);
// Sets "X-DNS-Prefetch-Control: on"
app.use(
helmet.dnsPrefetchControl({
allow: true,
})
);
```
You can install this module separately as `dns-prefetch-control`.
</details>
<details>
<summary><code>helmet.ieNoOpen()</code></summary>
`helmet.ieNoOpen` sets the `X-Download-Options` header, which is specific to Internet Explorer 8. It forces potentially-unsafe downloads to be saved, mitigating execution of HTML in your site's context. For more, see [this old post on MSDN](https://docs.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-v-comprehensive-protection).
This middleware takes no options.
Examples:
```js
// Sets "X-Download-Options: noopen"
app.use(helmet.ieNoOpen());
```
You can install this module separately as `ienoopen`.
</details>
<details>
<summary><code>helmet.frameguard(options)</code></summary>
`helmet.frameguard` sets the `X-Frame-Options` header to help you mitigate [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking). This header is superseded by [the `frame-ancestors` Content Security Policy directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) but is still useful on old browsers. For more, see [the documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).
`options.action` is a string that specifies which directive to use—either `DENY` or `SAMEORIGIN`. (A legacy directive, `ALLOW-FROM`, is not supported by this middleware. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)) It defaults to `SAMEORIGIN`.
Examples:
```js
// Sets "X-Frame-Options: DENY"
app.use(
helmet.frameguard({
action: "deny",
})
);
// Sets "X-Frame-Options: SAMEORIGIN"
app.use(
helmet.frameguard({
action: "sameorigin",
})
);
```
You can install this module separately as `frameguard`.
</details>
<details>
<summary><code>helmet.permittedCrossDomainPolicies(options)</code></summary>
`helmet.permittedCrossDomainPolicies` sets the `X-Permitted-Cross-Domain-Policies` header, which tells some clients (mostly Adobe products) your domain's policy for loading cross-domain content. See [the description on OWASP](https://owasp.org/www-project-secure-headers/) for more.
`options.permittedPolicies` is a string that must be `"none"`, `"master-only"`, `"by-content-type"`, or `"all"`. It defaults to `"none"`.
Examples:
```js
// Sets "X-Permitted-Cross-Domain-Policies: none"
app.use(
helmet.permittedCrossDomainPolicies({
permittedPolicies: "none",
})
);
// Sets "X-Permitted-Cross-Domain-Policies: by-content-type"
app.use(
helmet.permittedCrossDomainPolicies({
permittedPolicies: "by-content-type",
})
);
```
You can install this module separately as `helmet-crossdomain`.
</details>
<details>
<summary><code>helmet.hidePoweredBy()</code></summary>
`helmet.hidePoweredBy` removes the `X-Powered-By` header, which is set by default in some frameworks (like Express). Removing the header offers very limited security benefits (see [this discussion](https://github.com/expressjs/express/pull/2813#issuecomment-159270428)) and is mostly removed to save bandwidth.
This middleware takes no options.
If you're using Express, this middleware will work, but you should use `app.disable("x-powered-by")` instead.
Examples:
```js
// Removes the X-Powered-By header if it was set.
app.use(helmet.hidePoweredBy());
```
You can install this module separately as `hide-powered-by`.
</details>
<details>
<summary><code>helmet.xssFilter()</code></summary>
`helmet.xssFilter` disables browsers' buggy cross-site scripting filter by setting the `X-XSS-Protection` header to `0`. See [discussion about disabling the header here](https://github.com/helmetjs/helmet/issues/230) and [documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).
This middleware takes no options.
Examples:
```js
// Sets "X-XSS-Protection: 0"
app.use(helmet.xssFilter());
```
You can install this module separately as `x-xss-protection`.
</details>
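Review bot: the `helmet.frameguard` entry says `options.action` is either `DENY` or `SAMEORIGIN`, yet both examples pass lowercase `"deny"` and `"sameorigin"`; the middleware upper-cases the value before matching (see `getHeaderValueFromOptions` in the x-frame-options hunk further down), so say in the prose that the option is case-insensitive, otherwise a reader will assume either the examples or the description is wrong.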

node_modules/helmet/SECURITY.md generated vendored Normal file
@@ -0,0 +1,7 @@
# Security issue reporting & disclosure process
If you feel you have found a security issue or concern with Helmet, please reach out to the maintainers.
Email Evan Hahn at <me@evanhahn.com> or Adam Baldwin at <adam@npmjs.com>.
We will try to communicate in a timely manner and address your concerns.

node_modules/helmet/dist/index.d.ts generated vendored Normal file
@@ -0,0 +1,49 @@
/// <reference types="node" />
import { IncomingMessage, ServerResponse } from "http"
import contentSecurityPolicy, { ContentSecurityPolicyOptions } from "./middlewares/content-security-policy"
import expectCt, { ExpectCtOptions } from "./middlewares/expect-ct"
import originAgentCluster from "./middlewares/origin-agent-cluster"
import referrerPolicy, { ReferrerPolicyOptions } from "./middlewares/referrer-policy"
import strictTransportSecurity, { StrictTransportSecurityOptions } from "./middlewares/strict-transport-security"
import xContentTypeOptions from "./middlewares/x-content-type-options"
import xDnsPrefetchControl, { XDnsPrefetchControlOptions } from "./middlewares/x-dns-prefetch-control"
import xDownloadOptions from "./middlewares/x-download-options"
import xFrameOptions, { XFrameOptionsOptions } from "./middlewares/x-frame-options"
import xPermittedCrossDomainPolicies, { XPermittedCrossDomainPoliciesOptions } from "./middlewares/x-permitted-cross-domain-policies"
import xPoweredBy from "./middlewares/x-powered-by"
import xXssProtection from "./middlewares/x-xss-protection"
interface HelmetOptions {
contentSecurityPolicy?: MiddlewareOption<ContentSecurityPolicyOptions>
dnsPrefetchControl?: MiddlewareOption<XDnsPrefetchControlOptions>
expectCt?: MiddlewareOption<ExpectCtOptions>
frameguard?: MiddlewareOption<XFrameOptionsOptions>
hidePoweredBy?: MiddlewareOption<never>
hsts?: MiddlewareOption<StrictTransportSecurityOptions>
ieNoOpen?: MiddlewareOption<never>
noSniff?: MiddlewareOption<never>
originAgentCluster?: boolean
permittedCrossDomainPolicies?: MiddlewareOption<XPermittedCrossDomainPoliciesOptions>
referrerPolicy?: MiddlewareOption<ReferrerPolicyOptions>
xssFilter?: MiddlewareOption<never>
}
declare type MiddlewareOption<T> = false | T
interface Helmet {
(options?: Readonly<HelmetOptions>): (req: IncomingMessage, res: ServerResponse, next: (err?: unknown) => void) => void
contentSecurityPolicy: typeof contentSecurityPolicy
dnsPrefetchControl: typeof xDnsPrefetchControl
expectCt: typeof expectCt
frameguard: typeof xFrameOptions
hidePoweredBy: typeof xPoweredBy
hsts: typeof strictTransportSecurity
ieNoOpen: typeof xDownloadOptions
noSniff: typeof xContentTypeOptions
permittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies
referrerPolicy: typeof referrerPolicy
xssFilter: typeof xXssProtection
originAgentCluster: typeof originAgentCluster
featurePolicy: () => never
hpkp: () => never
noCache: () => never
}
declare const helmet: Helmet
export = helmet
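Review bot: `originAgentCluster?: boolean` breaks the pattern of every other key being `MiddlewareOption<…>` (`false | T`), and nothing in the type conveys that this is the one middleware that stays off unless explicitly enabled; a doc comment on that property would prevent `helmet({})` being read as "all headers on". Also, `next` is typed `(err?: unknown) => void` in `Helmet` but `(err?: Error) => void` in the content-security-policy declaration; the two should be unified, since the CSP middleware's error is forwarded straight into this `next`.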

node_modules/helmet/dist/index.js generated vendored Normal file
@@ -0,0 +1,118 @@
"use strict"
var __importDefault =
(this && this.__importDefault) ||
function (mod) {
return mod && mod.__esModule ? mod : { default: mod }
}
const content_security_policy_1 = __importDefault(require("./middlewares/content-security-policy"))
const expect_ct_1 = __importDefault(require("./middlewares/expect-ct"))
const origin_agent_cluster_1 = __importDefault(require("./middlewares/origin-agent-cluster"))
const referrer_policy_1 = __importDefault(require("./middlewares/referrer-policy"))
const strict_transport_security_1 = __importDefault(require("./middlewares/strict-transport-security"))
const x_content_type_options_1 = __importDefault(require("./middlewares/x-content-type-options"))
const x_dns_prefetch_control_1 = __importDefault(require("./middlewares/x-dns-prefetch-control"))
const x_download_options_1 = __importDefault(require("./middlewares/x-download-options"))
const x_frame_options_1 = __importDefault(require("./middlewares/x-frame-options"))
const x_permitted_cross_domain_policies_1 = __importDefault(require("./middlewares/x-permitted-cross-domain-policies"))
const x_powered_by_1 = __importDefault(require("./middlewares/x-powered-by"))
const x_xss_protection_1 = __importDefault(require("./middlewares/x-xss-protection"))
const helmet = Object.assign(
function helmet(options = {}) {
var _a
if (((_a = options.constructor) === null || _a === void 0 ? void 0 : _a.name) === "IncomingMessage") {
throw new Error("It appears you have done something like `app.use(helmet)`, but it should be `app.use(helmet())`.")
}
if (Object.entries(options).some(([key, option]) => option === true && key !== "originAgentCluster")) {
throw new Error("Helmet no longer supports `true` as a middleware option, except for Origin-Agent-Cluster. Remove the property from your options to fix this error.")
}
const middlewareFunctions = []
if (options.contentSecurityPolicy !== false) {
middlewareFunctions.push(content_security_policy_1.default(options.contentSecurityPolicy))
}
if (options.dnsPrefetchControl !== false) {
middlewareFunctions.push(x_dns_prefetch_control_1.default(options.dnsPrefetchControl))
}
if (options.expectCt !== false) {
middlewareFunctions.push(expect_ct_1.default(options.expectCt))
}
if (options.frameguard !== false) {
middlewareFunctions.push(x_frame_options_1.default(options.frameguard))
}
if (options.hidePoweredBy !== false) {
if (options.hidePoweredBy !== undefined) {
console.warn("hidePoweredBy does not take options. Remove the property to silence this warning.")
}
middlewareFunctions.push(x_powered_by_1.default())
}
if (options.hsts !== false) {
middlewareFunctions.push(strict_transport_security_1.default(options.hsts))
}
if (options.ieNoOpen !== false) {
if (options.ieNoOpen !== undefined) {
console.warn("ieNoOpen does not take options. Remove the property to silence this warning.")
}
middlewareFunctions.push(x_download_options_1.default())
}
if (options.noSniff !== false) {
if (options.noSniff !== undefined) {
console.warn("noSniff does not take options. Remove the property to silence this warning.")
}
middlewareFunctions.push(x_content_type_options_1.default())
}
if (options.originAgentCluster !== undefined && options.originAgentCluster !== false) {
middlewareFunctions.push(origin_agent_cluster_1.default())
}
if (options.permittedCrossDomainPolicies !== false) {
middlewareFunctions.push(x_permitted_cross_domain_policies_1.default(options.permittedCrossDomainPolicies))
}
if (options.referrerPolicy !== false) {
middlewareFunctions.push(referrer_policy_1.default(options.referrerPolicy))
}
if (options.xssFilter !== false) {
if (options.xssFilter !== undefined) {
console.warn("xssFilter does not take options. Remove the property to silence this warning.")
}
middlewareFunctions.push(x_xss_protection_1.default())
}
return function helmetMiddleware(req, res, next) {
const iterator = middlewareFunctions[Symbol.iterator]()
;(function internalNext(err) {
if (err) {
next(err)
return
}
const iteration = iterator.next()
if (iteration.done) {
next()
} else {
const middlewareFunction = iteration.value
middlewareFunction(req, res, internalNext)
}
})()
}
},
{
contentSecurityPolicy: content_security_policy_1.default,
dnsPrefetchControl: x_dns_prefetch_control_1.default,
expectCt: expect_ct_1.default,
frameguard: x_frame_options_1.default,
hidePoweredBy: x_powered_by_1.default,
hsts: strict_transport_security_1.default,
ieNoOpen: x_download_options_1.default,
noSniff: x_content_type_options_1.default,
originAgentCluster: origin_agent_cluster_1.default,
permittedCrossDomainPolicies: x_permitted_cross_domain_policies_1.default,
referrerPolicy: referrer_policy_1.default,
xssFilter: x_xss_protection_1.default,
featurePolicy() {
throw new Error("helmet.featurePolicy was removed because the Feature-Policy header is deprecated. If you still need this header, you can use the `feature-policy` module.")
},
hpkp() {
throw new Error("helmet.hpkp was removed because the header has been deprecated. If you still need this header, you can use the `hpkp` module. For more, see <https://github.com/helmetjs/helmet/issues/180>.")
},
noCache() {
throw new Error("helmet.noCache was removed. You can use the `nocache` module instead. For more, see <https://github.com/helmetjs/helmet/issues/215>.")
}
}
)
module.exports = helmet
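Review bot: the check `if (options.originAgentCluster !== undefined && options.originAgentCluster !== false)` enables the header for any truthy value, including an options object, without the "does not take options" warning that the `hidePoweredBy`, `ieNoOpen`, `noSniff` and `xssFilter` branches emit; add the same `console.warn` for non-boolean values. The same block also makes this the only opt-in middleware (every other header is emitted unless the key is `false`), which deserves a comment above it so a reader of this file does not assume `helmet()` alone sets `Origin-Agent-Cluster`.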

@@ -0,0 +1,22 @@
/// <reference types="node" />
import { IncomingMessage, ServerResponse } from "http"
interface ContentSecurityPolicyDirectiveValueFunction {
(req: IncomingMessage, res: ServerResponse): string
}
declare type ContentSecurityPolicyDirectiveValue = string | ContentSecurityPolicyDirectiveValueFunction
export interface ContentSecurityPolicyOptions {
directives?: Record<string, Iterable<ContentSecurityPolicyDirectiveValue> | typeof dangerouslyDisableDefaultSrc>
reportOnly?: boolean
}
interface ContentSecurityPolicy {
(options?: Readonly<ContentSecurityPolicyOptions>): (req: IncomingMessage, res: ServerResponse, next: (err?: Error) => void) => void
getDefaultDirectives: typeof getDefaultDirectives
dangerouslyDisableDefaultSrc: typeof dangerouslyDisableDefaultSrc
}
declare const dangerouslyDisableDefaultSrc: unique symbol
declare const getDefaultDirectives: () => {
[x: string]: Iterable<ContentSecurityPolicyDirectiveValue>
}
declare const contentSecurityPolicy: ContentSecurityPolicy
export default contentSecurityPolicy
export { getDefaultDirectives, dangerouslyDisableDefaultSrc }

@@ -0,0 +1,114 @@
"use strict"
Object.defineProperty(exports, "__esModule", { value: true })
exports.dangerouslyDisableDefaultSrc = exports.getDefaultDirectives = void 0
const dangerouslyDisableDefaultSrc = Symbol("dangerouslyDisableDefaultSrc")
exports.dangerouslyDisableDefaultSrc = dangerouslyDisableDefaultSrc
const DEFAULT_DIRECTIVES = {
"default-src": ["'self'"],
"base-uri": ["'self'"],
"block-all-mixed-content": [],
"font-src": ["'self'", "https:", "data:"],
"frame-ancestors": ["'self'"],
"img-src": ["'self'", "data:"],
"object-src": ["'none'"],
"script-src": ["'self'"],
"script-src-attr": ["'none'"],
"style-src": ["'self'", "https:", "'unsafe-inline'"],
"upgrade-insecure-requests": []
}
const getDefaultDirectives = () => Object.assign({}, DEFAULT_DIRECTIVES)
exports.getDefaultDirectives = getDefaultDirectives
const dashify = str => str.replace(/[A-Z]/g, capitalLetter => "-" + capitalLetter.toLowerCase())
const isDirectiveValueInvalid = directiveValue => /;|,/.test(directiveValue)
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key)
function normalizeDirectives(options) {
const { directives: rawDirectives = getDefaultDirectives() } = options
const result = []
const directiveNamesSeen = new Set()
for (const rawDirectiveName in rawDirectives) {
if (!has(rawDirectives, rawDirectiveName)) {
continue
}
if (rawDirectiveName.length === 0 || /[^a-zA-Z0-9-]/.test(rawDirectiveName)) {
throw new Error(`Content-Security-Policy received an invalid directive name ${JSON.stringify(rawDirectiveName)}`)
}
const directiveName = dashify(rawDirectiveName)
if (directiveNamesSeen.has(directiveName)) {
throw new Error(`Content-Security-Policy received a duplicate directive ${JSON.stringify(directiveName)}`)
}
directiveNamesSeen.add(directiveName)
const rawDirectiveValue = rawDirectives[rawDirectiveName]
let directiveValue
if (typeof rawDirectiveValue === "string") {
directiveValue = [rawDirectiveValue]
} else if (!rawDirectiveValue) {
throw new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}`)
} else if (rawDirectiveValue === dangerouslyDisableDefaultSrc) {
if (directiveName === "default-src") {
continue
} else {
throw new Error(`Content-Security-Policy: tried to disable ${JSON.stringify(directiveName)} as if it were default-src; simply omit the key`)
}
} else {
directiveValue = rawDirectiveValue
}
for (const element of directiveValue) {
if (typeof element === "string" && isDirectiveValueInvalid(element)) {
throw new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}`)
}
}
result.push({ directiveName, directiveValue })
}
if (!result.length) {
throw new Error("Content-Security-Policy has no directives. Either set some or disable the header")
}
if (!directiveNamesSeen.has("default-src")) {
throw new Error("Content-Security-Policy needs a default-src but none was provided")
}
return result
}
function getHeaderValue(req, res, normalizedDirectives) {
const result = []
for (const { directiveName, directiveValue: rawDirectiveValue } of normalizedDirectives) {
let directiveValue = ""
for (const element of rawDirectiveValue) {
directiveValue += " " + (element instanceof Function ? element(req, res) : element)
}
if (!directiveValue) {
result.push(directiveName)
} else if (isDirectiveValueInvalid(directiveValue)) {
return new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}`)
} else {
result.push(`${directiveName}${directiveValue}`)
}
}
return result.join(";")
}
const contentSecurityPolicy = function contentSecurityPolicy(options = {}) {
if ("loose" in options) {
console.warn("Content-Security-Policy middleware no longer needs the `loose` parameter. You should remove it.")
}
if ("setAllHeaders" in options) {
console.warn("Content-Security-Policy middleware no longer supports the `setAllHeaders` parameter. See <https://github.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4>.")
}
;["disableAndroid", "browserSniff"].forEach(deprecatedOption => {
if (deprecatedOption in options) {
console.warn(`Content-Security-Policy middleware no longer does browser sniffing, so you can remove the \`${deprecatedOption}\` option. See <https://github.com/helmetjs/csp/issues/97> for discussion.`)
}
})
const headerName = options.reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy"
const normalizedDirectives = normalizeDirectives(options)
return function contentSecurityPolicyMiddleware(req, res, next) {
const result = getHeaderValue(req, res, normalizedDirectives)
if (result instanceof Error) {
next(result)
} else {
res.setHeader(headerName, result)
next()
}
}
}
contentSecurityPolicy.getDefaultDirectives = getDefaultDirectives
contentSecurityPolicy.dangerouslyDisableDefaultSrc = dangerouslyDisableDefaultSrc
module.exports = contentSecurityPolicy
exports.default = contentSecurityPolicy
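Review bot: the defaults in `DEFAULT_DIRECTIVES` include `"style-src": ["'self'", "https:", "'unsafe-inline'"]` and `"font-src": ["'self'", "https:", "data:"]`, so the out-of-the-box policy allows inline styles and any HTTPS origin for styles and fonts; for the consuming service (`nodeApi`, per the `_where` field in package.json) that is more permissive than an API needs, and the directives should be overridden via `contentSecurityPolicy.directives` rather than accepted as-is. Also, the `continue` for `dangerouslyDisableDefaultSrc` runs after `directiveNamesSeen.add(directiveName)`, and that ordering is the only reason the later `directiveNamesSeen.has("default-src")` check passes when default-src is disabled; that coupling deserves a comment, since moving the `add` below the `continue` would silently turn the disable feature into a thrown error.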

@@ -0,0 +1,8 @@
import { IncomingMessage, ServerResponse } from "http"
export interface ExpectCtOptions {
maxAge?: number
enforce?: boolean
reportUri?: string
}
declare function expectCt(options?: Readonly<ExpectCtOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export default expectCt

@@ -0,0 +1,28 @@
"use strict"
Object.defineProperty(exports, "__esModule", { value: true })
function parseMaxAge(value = 0) {
if (value >= 0 && Number.isFinite(value)) {
return Math.floor(value)
} else {
throw new Error(`Expect-CT: ${JSON.stringify(value)} is not a valid value for maxAge. Please choose a positive integer.`)
}
}
function getHeaderValueFromOptions(options) {
const directives = [`max-age=${parseMaxAge(options.maxAge)}`]
if (options.enforce) {
directives.push("enforce")
}
if (options.reportUri) {
directives.push(`report-uri="${options.reportUri}"`)
}
return directives.join(", ")
}
function expectCt(options = {}) {
const headerValue = getHeaderValueFromOptions(options)
return function expectCtMiddleware(_req, res, next) {
res.setHeader("Expect-CT", headerValue)
next()
}
}
module.exports = expectCt
exports.default = expectCt
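Review bot: `reportUri` is interpolated unchecked into `report-uri="${options.reportUri}"`, so a value containing `"` or `,` yields a malformed `Expect-CT` header; unlike the CSP middleware, nothing here rejects such values, and throwing on `/[",]/.test(options.reportUri)` would match the validation style used elsewhere. Also, the message in `parseMaxAge` asks for "a positive integer" while the check accepts `0` and non-integers (which are floored); either tighten the check or reword the message.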

@@ -0,0 +1,3 @@
import { IncomingMessage, ServerResponse } from "http"
declare function originAgentCluster(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export default originAgentCluster

@@ -0,0 +1,10 @@
"use strict"
Object.defineProperty(exports, "__esModule", { value: true })
function originAgentCluster() {
return function originAgentClusterMiddleware(_req, res, next) {
res.setHeader("Origin-Agent-Cluster", "?1")
next()
}
}
module.exports = originAgentCluster
exports.default = originAgentCluster

@@ -0,0 +1,6 @@
import { IncomingMessage, ServerResponse } from "http"
export interface ReferrerPolicyOptions {
policy?: string | string[]
}
declare function referrerPolicy(options?: Readonly<ReferrerPolicyOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export default referrerPolicy

@@ -0,0 +1,28 @@
"use strict"
Object.defineProperty(exports, "__esModule", { value: true })
const ALLOWED_TOKENS = new Set(["no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url", ""])
function getHeaderValueFromOptions({ policy = ["no-referrer"] }) {
const tokens = typeof policy === "string" ? [policy] : policy
if (tokens.length === 0) {
throw new Error("Referrer-Policy received no policy tokens")
}
const tokensSeen = new Set()
tokens.forEach(token => {
if (!ALLOWED_TOKENS.has(token)) {
throw new Error(`Referrer-Policy received an unexpected policy token ${JSON.stringify(token)}`)
} else if (tokensSeen.has(token)) {
throw new Error(`Referrer-Policy received a duplicate policy token ${JSON.stringify(token)}`)
}
tokensSeen.add(token)
})
return tokens.join(",")
}
function referrerPolicy(options = {}) {
const headerValue = getHeaderValueFromOptions(options)
return function referrerPolicyMiddleware(_req, res, next) {
res.setHeader("Referrer-Policy", headerValue)
next()
}
}
module.exports = referrerPolicy
exports.default = referrerPolicy
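Review bot: `ALLOWED_TOKENS` includes the empty string, so `policy: ""` or `policy: ["strict-origin", ""]` pass validation and emit an empty header value or one with a trailing comma; the empty token is spec-valid (it means "no policy"), but in a configuration it is almost always a typo, so at least add a comment explaining why it is accepted, or warn when it appears alongside other tokens.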

@@ -0,0 +1,8 @@
import { IncomingMessage, ServerResponse } from "http"
export interface StrictTransportSecurityOptions {
maxAge?: number
includeSubDomains?: boolean
preload?: boolean
}
declare function strictTransportSecurity(options?: Readonly<StrictTransportSecurityOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export default strictTransportSecurity

@@ -0,0 +1,38 @@
"use strict"
Object.defineProperty(exports, "__esModule", { value: true })
const DEFAULT_MAX_AGE = 180 * 24 * 60 * 60
function parseMaxAge(value = DEFAULT_MAX_AGE) {
if (value >= 0 && Number.isFinite(value)) {
return Math.floor(value)
} else {
throw new Error(`Strict-Transport-Security: ${JSON.stringify(value)} is not a valid value for maxAge. Please choose a positive integer.`)
}
}
function getHeaderValueFromOptions(options) {
if ("maxage" in options) {
throw new Error("Strict-Transport-Security received an unsupported property, `maxage`. Did you mean to pass `maxAge`?")
}
if ("includeSubdomains" in options) {
console.warn('Strict-Transport-Security middleware should use `includeSubDomains` instead of `includeSubdomains`. (The correct one has an uppercase "D".)')
}
if ("setIf" in options) {
console.warn("Strict-Transport-Security middleware no longer supports the `setIf` parameter. See the documentation and <https://github.com/helmetjs/helmet/wiki/Conditionally-using-middleware> if you need help replicating this behavior.")
}
const directives = [`max-age=${parseMaxAge(options.maxAge)}`]
if (options.includeSubDomains === undefined || options.includeSubDomains) {
directives.push("includeSubDomains")
}
if (options.preload) {
directives.push("preload")
}
return directives.join("; ")
}
function strictTransportSecurity(options = {}) {
const headerValue = getHeaderValueFromOptions(options)
return function strictTransportSecurityMiddleware(_req, res, next) {
res.setHeader("Strict-Transport-Security", headerValue)
next()
}
}
module.exports = strictTransportSecurity
exports.default = strictTransportSecurity
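Review bot: the `includeSubdomains` branch only warns and then falls through to `options.includeSubDomains === undefined || options.includeSubDomains`, so a caller who writes `includeSubdomains: false` still gets `includeSubDomains` emitted; given that the misspelled `maxage` is a hard error a few lines above, the misspelled key should either be an error as well or be honoured. Separately, `preload: true` is accepted with any `maxAge`, including the 180-day `DEFAULT_MAX_AGE`, although the HSTS preload list requires at least one year (31536000 seconds) together with `includeSubDomains`; a warning when `preload` is set with a shorter `maxAge` or with `includeSubDomains: false` would catch a policy the preload submission will reject.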

@@ -0,0 +1,3 @@
import { IncomingMessage, ServerResponse } from "http"
declare function xContentTypeOptions(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export default xContentTypeOptions

@@ -0,0 +1,10 @@
"use strict"
Object.defineProperty(exports, "__esModule", { value: true })
function xContentTypeOptions() {
return function xContentTypeOptionsMiddleware(_req, res, next) {
res.setHeader("X-Content-Type-Options", "nosniff")
next()
}
}
module.exports = xContentTypeOptions
exports.default = xContentTypeOptions

@@ -0,0 +1,6 @@
import { IncomingMessage, ServerResponse } from "http"
export interface XDnsPrefetchControlOptions {
allow?: boolean
}
declare function xDnsPrefetchControl(options?: Readonly<XDnsPrefetchControlOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export default xDnsPrefetchControl

@@ -0,0 +1,11 @@
"use strict"
Object.defineProperty(exports, "__esModule", { value: true })
function xDnsPrefetchControl(options = {}) {
const headerValue = options.allow ? "on" : "off"
return function xDnsPrefetchControlMiddleware(_req, res, next) {
res.setHeader("X-DNS-Prefetch-Control", headerValue)
next()
}
}
module.exports = xDnsPrefetchControl
exports.default = xDnsPrefetchControl

@@ -0,0 +1,3 @@
import { IncomingMessage, ServerResponse } from "http"
declare function xDownloadOptions(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export default xDownloadOptions

@@ -0,0 +1,10 @@
"use strict"
Object.defineProperty(exports, "__esModule", { value: true })
function xDownloadOptions() {
return function xDownloadOptionsMiddleware(_req, res, next) {
res.setHeader("X-Download-Options", "noopen")
next()
}
}
module.exports = xDownloadOptions
exports.default = xDownloadOptions

@@ -0,0 +1,6 @@
import { IncomingMessage, ServerResponse } from "http"
export interface XFrameOptionsOptions {
action?: string
}
declare function xFrameOptions(options?: Readonly<XFrameOptionsOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export default xFrameOptions

@@ -0,0 +1,25 @@
"use strict"
Object.defineProperty(exports, "__esModule", { value: true })
function getHeaderValueFromOptions({ action = "SAMEORIGIN" }) {
const normalizedAction = typeof action === "string" ? action.toUpperCase() : action
switch (normalizedAction) {
case "SAME-ORIGIN":
return "SAMEORIGIN"
case "DENY":
case "SAMEORIGIN":
return normalizedAction
case "ALLOW-FROM":
throw new Error("X-Frame-Options no longer supports `ALLOW-FROM` due to poor browser support. See <https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive> for more info.")
default:
throw new Error(`X-Frame-Options received an invalid action ${JSON.stringify(action)}`)
}
}
function xFrameOptions(options = {}) {
const headerValue = getHeaderValueFromOptions(options)
return function xFrameOptionsMiddleware(_req, res, next) {
res.setHeader("X-Frame-Options", headerValue)
next()
}
}
module.exports = xFrameOptions
exports.default = xFrameOptions
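Review bot: this header is emitted alongside the CSP middleware, whose defaults include `"frame-ancestors": ["'self'"]`, and browsers that support `frame-ancestors` ignore `X-Frame-Options` when that directive is present; so configuring `action: "deny"` here without also changing `frame-ancestors` to `'none'` leaves modern browsers at same-origin framing and only old browsers actually deny. Worth a comment in this file and in the consuming project's configuration. Minor: `getHeaderValueFromOptions` accepts `SAME-ORIGIN` as an undocumented alias; either document it or drop the case.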

@@ -0,0 +1,6 @@
import { IncomingMessage, ServerResponse } from "http"
export interface XPermittedCrossDomainPoliciesOptions {
permittedPolicies?: string
}
declare function xPermittedCrossDomainPolicies(options?: Readonly<XPermittedCrossDomainPoliciesOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export default xPermittedCrossDomainPolicies

@@ -0,0 +1,19 @@
"use strict"
Object.defineProperty(exports, "__esModule", { value: true })
const ALLOWED_PERMITTED_POLICIES = new Set(["none", "master-only", "by-content-type", "all"])
function getHeaderValueFromOptions({ permittedPolicies = "none" }) {
if (ALLOWED_PERMITTED_POLICIES.has(permittedPolicies)) {
return permittedPolicies
} else {
throw new Error(`X-Permitted-Cross-Domain-Policies does not support ${JSON.stringify(permittedPolicies)}`)
}
}
function xPermittedCrossDomainPolicies(options = {}) {
const headerValue = getHeaderValueFromOptions(options)
return function xPermittedCrossDomainPoliciesMiddleware(_req, res, next) {
res.setHeader("X-Permitted-Cross-Domain-Policies", headerValue)
next()
}
}
module.exports = xPermittedCrossDomainPolicies
exports.default = xPermittedCrossDomainPolicies

@@ -0,0 +1,3 @@
import { IncomingMessage, ServerResponse } from "http"
declare function xPoweredBy(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export default xPoweredBy

@@ -0,0 +1,10 @@
"use strict"
Object.defineProperty(exports, "__esModule", { value: true })
function xPoweredBy() {
return function xPoweredByMiddleware(_req, res, next) {
res.removeHeader("X-Powered-By")
next()
}
}
module.exports = xPoweredBy
exports.default = xPoweredBy

@@ -0,0 +1,3 @@
import { IncomingMessage, ServerResponse } from "http"
declare function xXssProtection(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export default xXssProtection

@@ -0,0 +1,10 @@
"use strict"
Object.defineProperty(exports, "__esModule", { value: true })
function xXssProtection() {
return function xXssProtectionMiddleware(_req, res, next) {
res.setHeader("X-XSS-Protection", "0")
next()
}
}
module.exports = xXssProtection
exports.default = xXssProtection

node_modules/helmet/package.json generated vendored Normal file
@@ -0,0 +1,92 @@
{
"_from": "helmet",
"_id": "helmet@4.4.1",
"_inBundle": false,
"_integrity": "sha512-G8tp0wUMI7i8wkMk2xLcEvESg5PiCitFMYgGRc/PwULB0RVhTP5GFdxOwvJwp9XVha8CuS8mnhmE8I/8dx/pbw==",
"_location": "/helmet",
"_phantomChildren": {},
"_requested": {
"type": "tag",
"registry": true,
"raw": "helmet",
"name": "helmet",
"escapedName": "helmet",
"rawSpec": "",
"saveSpec": null,
"fetchSpec": "latest"
},
"_requiredBy": [
"#USER",
"/"
],
"_resolved": "https://registry.npmjs.org/helmet/-/helmet-4.4.1.tgz",
"_shasum": "a17e1444d81d7a83ddc6e6f9bc6e2055b994efe7",
"_spec": "helmet",
"_where": "C:\\Users\\gonza\\discofy\\src\\nodeApi",
"author": {
"name": "Adam Baldwin",
"email": "adam@npmjs.com",
"url": "https://evilpacket.net"
},
"bugs": {
"url": "https://github.com/helmetjs/helmet/issues",
"email": "me@evanhahn.com"
},
"bundleDependencies": false,
"contributors": [
{
"name": "Evan Hahn",
"email": "me@evanhahn.com",
"url": "https://evanhahn.com"
},
{
"name": "Ameen Abdeen",
"email": "ameen.abdeen.se@gmail.com"
}
],
"deprecated": false,
"description": "help secure Express/Connect apps with various HTTP headers",
"devDependencies": {
"@types/connect": "^3.4.34",
"@types/jest": "^26.0.19",
"@types/supertest": "^2.0.10",
"@typescript-eslint/eslint-plugin": "^4.11.0",
"@typescript-eslint/parser": "^4.11.0",
"connect": "^3.7.0",
"eslint": "^7.16.0",
"jest": "^26.6.3",
"prettier": "^2.2.1",
"supertest": "^6.0.1",
"ts-jest": "^26.4.4",
"typescript": "^4.1.3"
},
"engines": {
"node": ">=10.0.0"
},
"homepage": "https://helmetjs.github.io/",
"keywords": [
"express",
"security",
"headers"
],
"license": "MIT",
"main": "dist/index",
"name": "helmet",
"repository": {
"type": "git",
"url": "git://github.com/helmetjs/helmet.git"
},
"scripts": {
"build": "npm run clean && tsc && npm run format",
"build-middleware-package": "npm run build && node ./bin/build-middleware-package.js",
"clean": "node ./bin/clean.js",
"format": "prettier --write \"**/*{md,js,json,ts}\"",
"lint": "npm run lint:eslint && npm run lint:prettier",
"lint:eslint": "eslint \"**/*.ts\"",
"lint:prettier": "prettier --check \"**/*{md,js,json,ts}\"",
"prepublishOnly": "npm run build",
"pretest": "npm run lint",
"test": "jest"
},
"version": "4.4.1"
}
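Review bot: the `_where` field records the developer's local checkout path (`C:\\Users\\gonza\\discofy\\src\\nodeApi`), and the other `_`-prefixed keys (`_from`, `_resolved`, `_integrity`, `_shasum`, `_requested`) are per-machine npm installer metadata; they only end up in the repository because `node_modules/` is being committed. Add `node_modules/` to `.gitignore` and pin `helmet@4.4.1` through `package.json` plus the lockfile (the `_integrity` hash here is exactly what the lockfile carries), which keeps the username and local path out of the history and keeps vendored third-party code out of review.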