Change endpoint from persons to people

xfarrow
2025-03-23 21:00:08 +01:00
parent 4ae263662c
commit d005193f63
7158 changed files with 700476 additions and 735 deletions

backend/apis/nodejs/node_modules/helmet/CHANGELOG.md generated vendored Normal file

@ -0,0 +1,974 @@
# Changelog
## 8.1.0 - 2025-03-17
### Changed
- `Content-Security-Policy` gives a better error when a directive value, like `self`, should be quoted. See [#482](https://github.com/helmetjs/helmet/issues/482)
## 8.0.0 - 2024-09-28
### Changed
- **Breaking:** `Strict-Transport-Security` now has a max-age of 365 days, up from 180
- **Breaking:** `Content-Security-Policy` middleware now throws an error if a directive should have quotes but does not, such as `self` instead of `'self'`. See [#454](https://github.com/helmetjs/helmet/issues/454)
- **Breaking:** `Content-Security-Policy`'s `getDefaultDirectives` now returns a deep copy. This only affects users who were mutating the result
- **Breaking:** `Strict-Transport-Security` now throws an error when "includeSubDomains" option is misspelled. This was previously a warning
### Removed
- **Breaking:** Drop support for Node 16 and 17. Node 18+ is now required
## 7.2.0 - 2024-09-28
### Changed
- `Content-Security-Policy` middleware now warns if a directive should have quotes but does not, such as `self` instead of `'self'`. This will be an error in future versions. See [#454](https://github.com/helmetjs/helmet/issues/454)
## 7.1.0 - 2023-11-07
### Added
- `helmet.crossOriginEmbedderPolicy` now supports the `unsafe-none` directive. See [#477](https://github.com/helmetjs/helmet/pull/447)
## 7.0.0 - 2023-05-06
### Changed
- **Breaking:** `Cross-Origin-Embedder-Policy` middleware is now disabled by default. See [#411](https://github.com/helmetjs/helmet/issues/411)
### Removed
- **Breaking:** Drop support for Node 14 and 15. Node 16+ is now required
- **Breaking:** `Expect-CT` is no longer part of Helmet. If you still need it, you can use the [`expect-ct` package](https://www.npmjs.com/package/expect-ct). See [#378](https://github.com/helmetjs/helmet/issues/378)
## 6.2.0 - 2023-05-06
- Expose header names (e.g., `strictTransportSecurity` for the `Strict-Transport-Security` header, instead of `hsts`)
- Rework documentation
## 6.1.5 - 2023-04-11
### Fixed
- Fixed yet another issue with TypeScript exports. See [#420](https://github.com/helmetjs/helmet/pull/418)
## 6.1.4 - 2023-04-10
### Fixed
- Fix another issue with TypeScript default exports. See [#418](https://github.com/helmetjs/helmet/pull/418)
## 6.1.3 - 2023-04-10
### Fixed
- Fix issue with TypeScript default exports. See [#417](https://github.com/helmetjs/helmet/pull/417)
## 6.1.2 - 2023-04-09
### Fixed
- Retored `main` to package to help with some build tools
## 6.1.1 - 2023-04-08
### Fixed
- Fixed missing package metadata
## 6.1.0 - 2023-04-08
### Changed
- Improve support for various TypeScript setups, including "nodenext". See [#405](https://github.com/helmetjs/helmet/pull/405)
## 6.0.1 - 2022-11-29
### Fixed
- `crossOriginEmbedderPolicy` did not accept options at the top level. See [#390](https://github.com/helmetjs/helmet/issues/390)
## 6.0.0 - 2022-08-26
### Changed
- **Breaking:** `helmet.contentSecurityPolicy` no longer sets `block-all-mixed-content` directive by default
- **Breaking:** `helmet.expectCt` is no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See [#310](https://github.com/helmetjs/helmet/issues/310)
- **Breaking:** Increase TypeScript strictness around some arguments. Only affects TypeScript users, and may not require any code changes. See [#369](https://github.com/helmetjs/helmet/issues/369)
- `helmet.frameguard` no longer offers a specific error when trying to use `ALLOW-FROM`; it just says that it is unsupported. Only the error message has changed
### Removed
- **Breaking:** Dropped support for Node 12 and 13. Node 14+ is now required
## 5.1.1 - 2022-07-23
### Changed
- Fix TypeScript bug with some TypeScript configurations. See [#375](https://github.com/helmetjs/helmet/pull/375) and [#359](https://github.com/helmetjs/helmet/issues/359)
## 5.1.0 - 2022-05-17
### Added
- `Cross-Origin-Embedder-Policy`: support `credentialless` policy. See [#365](https://github.com/helmetjs/helmet/pull/365)
- Documented how to set both `Content-Security-Policy` and `Content-Security-Policy-Report-Only`
### Changed
- Cleaned up some documentation around `Origin-Agent-Cluster`
## 5.0.2 - 2022-01-22
### Changed
- Improve imports for CommonJS and ECMAScript modules. See [#345](https://github.com/helmetjs/helmet/pull/345)
- Fixed some documentation
## 5.0.1 - 2022-01-03
### Changed
- Fixed some documentation
### Removed
- Removed some unused internal code
## 5.0.0 - 2022-01-02
### Added
- ECMAScript module imports (i.e., `import helmet from "helmet"` and `import { frameguard } from "helmet"`). See [#320](https://github.com/helmetjs/helmet/issues/320)
### Changed
- **Breaking:** `helmet.contentSecurityPolicy`: `useDefaults` option now defaults to `true`
- **Breaking:** `helmet.contentSecurityPolicy`: `form-action` directive is now set to `'self'` by default
- **Breaking:** `helmet.crossOriginEmbedderPolicy` is enabled by default
- **Breaking:** `helmet.crossOriginOpenerPolicy` is enabled by default
- **Breaking:** `helmet.crossOriginResourcePolicy` is enabled by default
- **Breaking:** `helmet.originAgentCluster` is enabled by default
- `helmet.frameguard`: add TypeScript editor autocomplete. See [#322](https://github.com/helmetjs/helmet/pull/322)
- Top-level `helmet()` function is slightly faster
### Removed
- **Breaking:** Drop support for Node 10 and 11. Node 12+ is now required
## 4.6.0 - 2021-05-01
### Added
- `helmet.contentSecurityPolicy`: the `useDefaults` option, defaulting to `false`, lets you selectively override defaults more easily
- Explicitly define TypeScript types in `package.json`. See [#303](https://github.com/helmetjs/helmet/pull/303)
## 4.5.0 - 2021-04-17
### Added
- `helmet.crossOriginEmbedderPolicy`: a new middleware for the `Cross-Origin-Embedder-Policy` header, disabled by default
- `helmet.crossOriginOpenerPolicy`: a new middleware for the `Cross-Origin-Opener-Policy` header, disabled by default
- `helmet.crossOriginResourcePolicy`: a new middleware for the `Cross-Origin-Resource-Policy` header, disabled by default
### Changed
- `true` enables a middleware with default options. Previously, this would fail with an error if the middleware was already enabled by default.
- Log a warning when passing options to `originAgentCluster` at the top level
### Fixed
- Incorrect documentation
## 4.4.1 - 2021-01-18
### Changed
- Shrink the published package by about 2.5 kB
## 4.4.0 - 2021-01-17
### Added
- `helmet.originAgentCluster`: a new middleware for the `Origin-Agent-Cluster` header, disabled by default
## 4.3.1 - 2020-12-27
### Fixed
- `helmet.contentSecurityPolicy`: broken TypeScript types. See [#283](https://github.com/helmetjs/helmet/issues/283)
## 4.3.0 - 2020-12-27
### Added
- `helmet.contentSecurityPolicy`: setting the `default-src` to `helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc` disables it
### Changed
- `helmet.frameguard`: slightly improved error messages for non-strings
## 4.2.0 - 2020-11-01
### Added
- `helmet.contentSecurityPolicy`: get the default directives with `contentSecurityPolicy.getDefaultDirectives()`
### Changed
- `helmet()` now supports objects that don't have `Object.prototype` in their chain, such as `Object.create(null)`, as options
- `helmet.expectCt`: `max-age` is now first. See [#264](https://github.com/helmetjs/helmet/pull/264)
## 4.1.1 - 2020-09-10
### Changed
- Fixed a few errors in the README
## 4.1.0 - 2020-08-15
### Added
- `helmet.contentSecurityPolicy`:
- Directive values can now include functions, as they could in Helmet 3. See [#243](https://github.com/helmetjs/helmet/issues/243)
### Changed
- Helmet should now play more nicely with TypeScript
### Removed
- The `HelmetOptions` interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see [this comment](https://github.com/helmetjs/helmet/issues/235#issuecomment-674016883)
## 4.0.0 - 2020-08-02
See the [Helmet 4 upgrade guide](https://github.com/helmetjs/helmet/wiki/Helmet-4-upgrade-guide) for help upgrading from Helmet 3.
### Added
- `helmet.contentSecurityPolicy`:
- If no `default-src` directive is supplied, an error is thrown
- Directive lists can be any iterable, not just arrays
### Changed
- This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
- `helmet.contentSecurityPolicy`:
- There is now a default set of directives if none are supplied
- Duplicate keys now throw an error. See [helmetjs/csp#73](https://github.com/helmetjs/csp/issues/73)
- This middleware is more lenient, allowing more directive names or values
- `helmet.xssFilter` now disables the buggy XSS filter by default. See [#230](https://github.com/helmetjs/helmet/issues/230)
### Removed
- Dropped support for old Node versions. Node 10+ is now required
- `helmet.featurePolicy`. If you still need it, use the `feature-policy` package on npm.
- `helmet.hpkp`. If you still need it, use the `hpkp` package on npm.
- `helmet.noCache`. If you still need it, use the `nocache` package on npm.
- `helmet.contentSecurityPolicy`:
- Removed browser sniffing (including the `browserSniff` and `disableAndroid` parameters). See [helmetjs/csp#97](https://github.com/helmetjs/csp/issues/97)
- Removed conditional support. This includes directive functions and support for a function as the `reportOnly`. [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Conditionally-using-middleware)
- Removed a lot of checks—you should be checking your CSP with a different tool
- Removed support for legacy headers (and therefore the `setAllHeaders` parameter). [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4)
- Removed the `loose` option
- Removed support for functions as directive values. You must supply an iterable of strings
- `helmet.frameguard`:
- Dropped support for the `ALLOW-FROM` action. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)
- `helmet.hidePoweredBy` no longer accepts arguments. See [this article](https://github.com/helmetjs/helmet/wiki/How-to-set-a-custom-X%E2%80%93Powered%E2%80%93By-header) to see how to replicate the removed behavior. See [#224](https://github.com/helmetjs/helmet/issues/224).
- `helmet.hsts`:
- Dropped support for `includeSubdomains` with a lowercase D. See [#231](https://github.com/helmetjs/helmet/issues/231)
- Dropped support for `setIf`. [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Conditionally-using-middleware) See [#232](https://github.com/helmetjs/helmet/issues/232)
- `helmet.xssFilter` no longer accepts options. Read ["How to disable blocking with X-XSS-Protection"](https://github.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection) and ["How to enable the `report` directive with X-XSS-Protection"](https://github.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection) if you need the legacy behavior.
## 3.23.3 - 2020-06-26
### Changed
- `helmet.expectCt` is no longer a separate package. This should have no effect on end users.
- `helmet.frameguard` is no longer a separate package. This should have no effect on end users.
## 3.23.2 - 2020-06-23
### Changed
- `helmet.dnsPrefetchControl` is no longer a separate package. This should have no effect on end users.
## 3.23.1 - 2020-06-16
### Changed
- `helmet.ieNoOpen` is no longer a separate package. This should have no effect on end users.
## 3.23.0 - 2020-06-12
### Deprecated
- `helmet.featurePolicy` is deprecated. Use the `feature-policy` module instead.
## 3.22.1 - 2020-06-10
### Changed
- Rewrote internals in TypeScript. This should have no effect on end users.
## 3.22.0 - 2020-03-24
### Changed
- Updated `helmet-csp` to v2.10.0
- Add support for the `allow-downloads` sandbox directive. See [helmet-csp#103](https://github.com/helmetjs/csp/pull/103)
### Deprecated
- `helmet.noCache` is deprecated. Use the `nocache` module instead. See [#215](https://github.com/helmetjs/helmet/issues/215)
## 3.21.3 - 2020-02-24
### Changed
- Updated `helmet-csp` to v2.9.5
- Updated `bowser` subdependency from 2.7.0 to 2.9.0
- Fixed an issue some people were having when importing the `bowser` subdependency. See [helmet-csp#96](https://github.com/helmetjs/csp/issues/96) and [#101](https://github.com/helmetjs/csp/pull/101)
## 3.21.2 - 2019-10-21
### Changed
- Updated `helmet-csp` to v2.9.4
- Updated `bowser` subdependency from 2.6.1 to 2.7.0. See [helmet-csp#94](https://github.com/helmetjs/csp/pull/94)
## 3.21.1 - 2019-09-20
### Fixed
- Updated `helmet-csp` to v2.9.2
- Fixed a bug where a request from Firefox 4 could delete `default-src` from future responses
- Fixed tablet PC detection by updating `bowser` subdependency to latest version
## 3.21.0 - 2019-09-04
### Added
- Updated `x-xss-protection` to v1.3.0
- Added `mode: null` to disable `mode=block`
### Changed
- Updated `helmet-csp` to v2.9.1
- Updated `bowser` subdependency from 2.5.3 to 2.5.4. See [helmet-csp#88](https://github.com/helmetjs/csp/pull/88)
## 3.20.1 - 2019-08-28
### Changed
- Updated `helmet-csp` to v2.9.0
## 3.20.0 - 2019-07-24
### Changed
- Updated `helmet-csp` to v2.8.0
## 3.19.0 - 2019-07-17
### Changed
- Updated `dns-prefetch-control` to v0.2.0
- Updated `dont-sniff-mimetype` to v1.1.0
- Updated `helmet-crossdomain` to v0.4.0
- Updated `hide-powered-by` to v1.1.0
- Updated `x-xss-protection` to v1.2.0
## 3.18.0 - 2019-05-05
### Added
- `featurePolicy` has 19 new features: `ambientLightSensor`, `documentDomain`, `documentWrite`, `encryptedMedia`, `fontDisplayLateSwap`, `layoutAnimations`, `legacyImageFormats`, `loadingFrameDefaultEager`, `oversizedImages`, `pictureInPicture`, `serial`, `syncScript`, `unoptimizedImages`, `unoptimizedLosslessImages`, `unoptimizedLossyImages`, `unsizedMedia`, `verticalScroll`, `wakeLock`, and `xr`
### Changed
- Updated `expect-ct` to v0.2.0
- Updated `feature-policy` to v0.3.0
- Updated `frameguard` to v3.1.0
- Updated `nocache` to v2.1.0
## 3.17.0 - 2019-05-03
### Added
- `referrerPolicy` now supports multiple values
### Changed
- Updated `referrerPolicy` to v1.2.0
## 3.16.0 - 2019-03-10
### Added
- Add email to `bugs` field in `package.json`
### Changed
- Updated `hsts` to v2.2.0
- Updated `ienoopen` to v1.1.0
- Changelog is now in the [Keep A Changelog](https://keepachangelog.com/) format
- Dropped support for Node <4. See [the commit](https://github.com/helmetjs/helmet/commit/a49cec3ca58cce484d2d05e1f908549caa92ed03) for more information
- Updated Adam Baldwin's contact information
### Deprecated
- `helmet.hsts`'s `setIf` option has been deprecated and will be removed in `hsts@3`. See [helmetjs/hsts#22](https://github.com/helmetjs/hsts/issues/22) for more
* The `includeSubdomains` option (with a lowercase `d`) has been deprecated and will be removed in `hsts@3`. Use the uppercase-D `includeSubDomains` option instead. See [helmetjs/hsts#21](https://github.com/helmetjs/hsts/issues/21) for more
## 3.15.1 - 2019-02-10
### Deprecated
- The `hpkp` middleware has been deprecated. If you still need to use this module, install the standalone `hpkp` module from npm. See [#180](https://github.com/helmetjs/helmet/issues/180) for more.
## 3.15.0 - 2018-11-07
### Added
- `helmet.featurePolicy` now supports four new features
## 3.14.0 - 2018-10-09
### Added
- `helmet.featurePolicy` middleware
## 3.13.0 - 2018-07-22
### Added
- `helmet.permittedCrossDomainPolicies` middleware
## 3.12.2 - 2018-07-20
### Fixed
- Removed `lodash.reduce` dependency from `csp`
## 3.12.1 - 2018-05-16
### Fixed
- `expectCt` should use comma instead of semicolon as delimiter
## 3.12.0 - 2018-03-02
### Added
- `xssFilter` now supports `reportUri` option
## 3.11.0 - 2018-02-09
### Added
- Main Helmet middleware is now named to help with debugging
## 3.10.0 - 2018-01-23
### Added
- `csp` now supports `prefix-src` directive
### Fixed
- `csp` no longer loads JSON files internally, helping some module bundlers
- `false` should be able to disable a CSP directive
## 3.9.0 - 2017-10-13
### Added
- `csp` now supports `strict-dynamic` value
- `csp` now supports `require-sri-for` directive
### Changed
- Removed `connect` dependency
## 3.8.2 - 2017-09-27
### Changed
- Updated `connect` dependency to latest
## 3.8.1 - 2017-07-28
### Fixed
- `csp` does not automatically set `report-to` when setting `report-uri`
## 3.8.0 - 2017-07-21
### Changed
- `hsts` no longer cares whether it's HTTPS and always sets the header
## 3.7.0 - 2017-07-21
### Added
- `csp` now supports `report-to` directive
### Changed
- Throw an error when used incorrectly
- Add a few documentation files to `npmignore`
## 3.6.1 - 2017-05-21
### Changed
- Bump `connect` version
## 3.6.0 - 2017-05-04
### Added
- `expectCt` middleware for setting the `Expect-CT` header
## 3.5.0 - 2017-03-06
### Added
- `csp` now supports the `worker-src` directive
## 3.4.1 - 2017-02-24
### Changed
- Bump `connect` version
## 3.4.0 - 2017-01-13
### Added
- `csp` now supports more `sandbox` directives
## 3.3.0 - 2016-12-31
### Added
- `referrerPolicy` allows `strict-origin` and `strict-origin-when-cross-origin` directives
### Changed
- Bump `connect` version
## 3.2.0 - 2016-12-22
### Added
- `csp` now allows `manifest-src` directive
## 3.1.0 - 2016-11-03
### Added
- `csp` now allows `frame-src` directive
## 3.0.0 - 2016-10-28
### Changed
- `csp` will check your directives for common mistakes and throw errors if it finds them. This can be disabled with `loose: true`.
- Empty arrays are no longer allowed in `csp`. For source lists (like `script-src` or `object-src`), use the standard `scriptSrc: ["'none'"]`. The `sandbox` directive can be `sandbox: true` to block everything.
- `false` can disable a CSP directive. For example, `scriptSrc: false` is the same as not specifying it.
- In CSP, `reportOnly: true` no longer requires a `report-uri` to be set.
- `hsts`'s `maxAge` now defaults to 180 days (instead of 1 day)
- `hsts`'s `maxAge` parameter is seconds, not milliseconds
- `hsts` includes subdomains by default
- `domain` parameter in `frameguard` cannot be empty
### Removed
- `noEtag` option no longer present in `noCache`
- iOS Chrome `connect-src` workaround in CSP module
## 2.3.0 - 2016-09-30
### Added
- `hpkp` middleware now supports the `includeSubDomains` property with a capital D
### Fixed
- `hpkp` was setting `includeSubdomains` instead of `includeSubDomains`
## 2.2.0 - 2016-09-16
### Added
- `referrerPolicy` middleware
## 2.1.3 - 2016-09-07
### Changed
- Top-level aliases (like `helmet.xssFilter`) are no longer dynamically required
## 2.1.2 - 2016-07-27
### Deprecated
- `nocache`'s `noEtag` option is now deprecated
### Fixed
- `csp` now better handles Firefox on mobile
## 2.1.1 - 2016-06-10
### Changed
- Remove several dependencies from `helmet-csp`
### Fixed
- `frameguard` had a documentation error about its default value
- `frameguard` docs in main Helmet readme said `frameguard`, not `helmet.frameguard`
## 2.1.0 - 2016-05-18
### Added
- `csp` lets you dynamically set `reportOnly`
## 2.0.0 - 2016-04-29
### Added
- Pass configuration to enable/disable default middlewares
### Changed
- `dnsPrefetchControl` middleware is now enabled by default
### Removed
- No more module aliases. There is now just one way to include each middleware
- `frameguard` can no longer be initialized with strings; you must use an object
### Fixed
- Make `hpkp` lowercase in documentation
- Update `hpkp` spec URL in readmes
- Update `frameguard` header name in readme
## 1.3.0 - 2016-03-01
### Added
- `hpkp` has a `setIf` option to conditionally set the header
## 1.2.0 - 2016-02-29
### Added
- `csp` now has a `browserSniff` option to disable all user-agent sniffing
### Changed
- `frameguard` can now be initialized with options
- Add `npmignore` file to speed up installs slightly
## 1.1.0 - 2016-01-12
### Added
- Code of conduct
- `dnsPrefetchControl` middleware
### Fixed
- `csp` readme had syntax errors
## 1.0.2 - 2016-01-08
### Fixed
- `csp` wouldn't recognize `IE Mobile` browsers
- `csp` had some errors in its readme
- Main readme had a syntax error
## 1.0.1 - 2015-12-19
### Fixed
- `csp` with no User Agent would cause errors
## 1.0.0 - 2015-12-18
### Added
- `csp` module supports dynamically-generated values
### Changed
- `csp` directives are now under the `directives` key
- `hpkp`'s `Report-Only` header is now opt-in, not opt-out
- Tweak readmes of every sub-repo
### Removed
- `crossdomain` middleware
- `csp` no longer throws errors when some directives aren't quoted (`'self'`, for example)
- `maxage` option in the `hpkp` middleware
- `safari5` option from `csp` module
### Fixed
- Old Firefox Content-Security-Policy behavior for `unsafe-inline` and `unsafe-eval`
- Dynamic `csp` policies is no longer recursive
## 0.15.0 - 2015-11-26
### Changed
- `hpkp` allows a `report-uri` without the `Report-Only` header
## 0.14.0 - 2015-11-01
### Added
- `nocache` now sends the `Surrogate-Control` header
### Changed
- `nocache` no longer contains the `private` directive in the `Cache-Control` header
## 0.13.0 - 2015-10-23
### Added
- `xssFilter` now has a function name
- Added new CSP docs to readme
### Changed
- HSTS option renamed from `includeSubdomains` to `includeSubDomains`
## 0.11.0 - 2015-09-18
### Added
- `csp` now supports Microsoft Edge
- CSP Level 2 support
### Changed
- Updated `connect` to 3.4.0
- Updated `depd` to 1.1.0
### Fixed
- Added `license` key to `csp`'s `package.json`
- Empty `csp` directives now support every directive, not just `sandbox`
## 0.10.0 - 2015-07-08
### Added
- Add "Handling CSP violations" to `csp` readme
- Add license to `package.json`
### Changed
- `hpkp` had a link to the wrong place in its readme
- `hpkp` requires 2 or more pins
### Fixed
- `hpkp` might have miscalculated `maxAge` slightly wrong
## 0.9.0 - 2015-04-24
### Changed
- `nocache` adds `private` to its `Cache-Control` directive
- Added a description to `package.json`
## 0.8.0 - 2015-04-21
### Changed
- Removed hefty Lodash dependency from HSTS and CSP
- Updated string detection module in Frameguard
- Changed readme slightly to better reflect project's focus
### Deprecated
- Deprecated `crossdomain` middleware
### Removed
- `crossdomain` is no longer a default middleware
## 0.7.1 - 2015-03-23
### Changed
- Updated all outdated dependencies (insofar as possible)
- HSTS now uses Lodash like all the rest of the libraries
## 0.7.0 - 2015-03-05
### Added
- `hpkp` middleware
### Changed
- Travis CI should test 0.10 and 0.12
- Minor code cleanup
## 0.6.2 - 2015-03-01
### Changed
- Improved `xssFilter` performance
- Updated Lodash versions
## 0.6.1 - 2015-02-13
### Added
- "Other recommended modules" in README
### Changed
- Updated Lodash version
### Fixed
- `frameguard` middleware exported a function called `xframe`
## 0.6.0 - 2015-01-21
### Added
- You can disable `csp` for Android
### Fixed
- `csp` on Chrome Mobile on Android and iOS
## 0.5.4 - 2014-12-21
### Changed
- `nocache` should force revalidation
## 0.5.3 - 2014-12-08
### Changed
- `platform` version in CSP and X-XSS-Protection
### Fixed
- Updated bad wording in frameguard docs
## 0.5.2 - 2014-11-16
### Changed
- Updated Connect version
### Fixed
- Fixed minor `csp` bugfixes
## 0.5.1 - 2014-11-09
### Changed
- Updated URLs in `package.json` for new URL
### Fixed
- CSP would set all headers forever after receiving an unknown user agent
## 0.5.0 - 2014-10-28
### Added
- Most middlewares have some aliases now
### Changed
- `xframe` now called `frameguard` (though `xframe` still works)
- `frameguard` chooses sameorigin by default
- `frameguard` understands "SAME-ORIGIN" in addition to "SAMEORIGIN"
- `nocache` removed from default middleware stack
- Middleware split out into their own modules
- Documentation
- Updated supported Node version to at least 0.10.0
- Bumped Connect version
### Removed
- Deprecation warnings
### Fixed
- Readme link was broken
## 0.4.2 - 2014-10-16
### Added
- Support preload in HSTS header
## 0.4.1 - 2014-08-24
### Added
- Use [helmet-crossdomain](https://github.com/helmetjs/crossdomain) to test the waters
- 2 spaces instead of 4 throughout the code
## 0.4.0 - 2014-07-17
### Added
- `nocache` now sets the Expires and Pragma headers
- `nocache` now allows you to crush ETags
### Changed
- Improved the docs for nosniff
- Reverted HSTS behavior of requiring a specified max-age
### Fixed
- Allow HSTS to have a max-age of 0
## 0.3.2 - 2014-06-30
### Added
- All middleware functions are named
- Throw error with non-positive HSTS max-age
### Changed
- Added semicolons in README
- Make some Errors more specific
### Removed
- Removed all comment headers; refer to the readme
### Fixed
- `helmet()` was having issues
- Fixed Syntax errors in README
This changelog was created after the release of 0.3.1.
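Review bot: backend/apis/nodejs/node_modules/helmet/CHANGELOG.md (and the rest of the node_modules tree this commit brings in) should not be part of this change. The commit header reports 7158 changed files with 700476 additions for a change titled "Change endpoint from persons to people", and the file is already flagged "generated vendored", which means the installed dependency tree was committed alongside the actual rename. Add `node_modules/` to `.gitignore`, drop the tree from the commit, and let `package.json` plus the lockfile pin the helmet version; that keeps the endpoint rename reviewable and stops the repository from carrying an unreviewed copy of every dependency. One thing worth noting from the vendored changelog before relying on it: the 8.0.0 entry makes `Strict-Transport-Security` default to a 365-day max-age and turns unquoted CSP values such as `self` instead of `'self'` into a thrown error, so any helmet configuration in the backend must use the quoted form.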

backend/apis/nodejs/node_modules/helmet/LICENSE generated vendored Normal file

@ -0,0 +1,22 @@
The MIT License
Copyright (c) 2012-2025 Evan Hahn, Adam Baldwin
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
'Software'), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

backend/apis/nodejs/node_modules/helmet/README.md generated vendored Normal file

@ -0,0 +1,702 @@
# Helmet
Help secure Express apps by setting HTTP response headers.
```javascript
import helmet from "helmet";
const app = express();
app.use(helmet());
```
Helmet sets the following headers by default:
- [`Content-Security-Policy`](#content-security-policy): A powerful allow-list of what can happen on your page which mitigates many attacks
- [`Cross-Origin-Opener-Policy`](#cross-origin-opener-policy): Helps process-isolate your page
- [`Cross-Origin-Resource-Policy`](#cross-origin-resource-policy): Blocks others from loading your resources cross-origin
- [`Origin-Agent-Cluster`](#origin-agent-cluster): Changes process isolation to be origin-based
- [`Referrer-Policy`](#referrer-policy): Controls the [`Referer`][Referer] header
- [`Strict-Transport-Security`](#strict-transport-security): Tells browsers to prefer HTTPS
- [`X-Content-Type-Options`](#x-content-type-options): Avoids [MIME sniffing]
- [`X-DNS-Prefetch-Control`](#x-dns-prefetch-control): Controls DNS prefetching
- [`X-Download-Options`](#x-download-options): Forces downloads to be saved (Internet Explorer only)
- [`X-Frame-Options`](#x-frame-options): Legacy header that mitigates [clickjacking] attacks
- [`X-Permitted-Cross-Domain-Policies`](#x-permitted-cross-domain-policies): Controls cross-domain behavior for Adobe products, like Acrobat
- [`X-Powered-By`](#x-powered-by): Info about the web server. Removed because it could be used in simple attacks
- [`X-XSS-Protection`](#x-xss-protection): Legacy header that tries to mitigate [XSS attacks][XSS], but makes things worse, so Helmet disables it
Each header can be configured. For example, here's how you configure the `Content-Security-Policy` header:
```js
// Configure the Content-Security-Policy header.
app.use(
helmet({
contentSecurityPolicy: {
directives: {
"script-src": ["'self'", "example.com"],
},
},
}),
);
```
Headers can also be disabled. For example, here's how you disable the `Content-Security-Policy` and `X-Download-Options` headers:
```js
// Disable the Content-Security-Policy and X-Download-Options headers
app.use(
helmet({
contentSecurityPolicy: false,
xDownloadOptions: false,
}),
);
```
## Reference
<details id="content-security-policy">
<summary><code>Content-Security-Policy</code></summary>
Default:
```http
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
```
The `Content-Security-Policy` header mitigates a large number of attacks, such as [cross-site scripting][XSS]. See [MDN's introductory article on Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
This header is powerful but likely requires some configuration for your specific app.
To configure this header, pass an object with a nested `directives` object. Each key is a directive name in camel case (such as `defaultSrc`) or kebab case (such as `default-src`). Each value is an array (or other iterable) of strings or functions for that directive. If a function appears in the array, it will be called with the request and response objects.
```javascript
// Sets all of the defaults, but overrides `script-src`
// and disables the default `style-src`.
app.use(
helmet({
contentSecurityPolicy: {
directives: {
"script-src": ["'self'", "example.com"],
"style-src": null,
},
},
}),
);
```
```js
// Sets the `script-src` directive to
// "'self' 'nonce-e33cc...'"
// (or similar)
app.use((req, res, next) => {
res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
next();
});
app.use(
helmet({
contentSecurityPolicy: {
directives: {
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
},
},
}),
);
```
These directives are merged into a default policy, which you can disable by setting `useDefaults` to `false`.
```javascript
// Sets "Content-Security-Policy: default-src 'self';
// script-src 'self' example.com;object-src 'none';
// upgrade-insecure-requests"
app.use(
helmet({
contentSecurityPolicy: {
useDefaults: false,
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
},
},
}),
);
```
You can get the default directives object with `helmet.contentSecurityPolicy.getDefaultDirectives()`. Here is the default policy (formatted for readability):
```
default-src 'self';
base-uri 'self';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
```
The `default-src` directive can be explicitly disabled by setting its value to `helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc`, but this is not recommended.
You can set the [`Content-Security-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) instead:
```javascript
// Sets the Content-Security-Policy-Report-Only header
app.use(
helmet({
contentSecurityPolicy: {
directives: {
/* ... */
},
reportOnly: true,
},
}),
);
```
Helmet performs very little validation on your CSP. You should rely on CSP checkers like [CSP Evaluator](https://csp-evaluator.withgoogle.com/) instead.
To disable the `Content-Security-Policy` header:
```js
app.use(
helmet({
contentSecurityPolicy: false,
}),
);
```
You can use this as standalone middleware with `app.use(helmet.contentSecurityPolicy())`.
</details>
<details id="cross-origin-embedder-policy">
<summary><code>Cross-Origin-Embedder-Policy</code></summary>
This header is not set by default.
The `Cross-Origin-Embedder-Policy` header helps control what resources can be loaded cross-origin. See [MDN's article on this header](https://developer.cdn.mozilla.net/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) for more.
```js
// Helmet does not set Cross-Origin-Embedder-Policy
// by default.
app.use(helmet());
// Sets "Cross-Origin-Embedder-Policy: require-corp"
app.use(helmet({ crossOriginEmbedderPolicy: true }));
// Sets "Cross-Origin-Embedder-Policy: credentialless"
app.use(helmet({ crossOriginEmbedderPolicy: { policy: "credentialless" } }));
```
You can use this as standalone middleware with `app.use(helmet.crossOriginEmbedderPolicy())`.
</details>
<details id="cross-origin-opener-policy">
<summary><code>Cross-Origin-Opener-Policy</code></summary>
Default:
```http
Cross-Origin-Opener-Policy: same-origin
```
The `Cross-Origin-Opener-Policy` header helps process-isolate your page. For more, see [MDN's article on this header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy).
```js
// Sets "Cross-Origin-Opener-Policy: same-origin"
app.use(helmet());
// Sets "Cross-Origin-Opener-Policy: same-origin-allow-popups"
app.use(
helmet({
crossOriginOpenerPolicy: { policy: "same-origin-allow-popups" },
}),
);
```
To disable the `Cross-Origin-Opener-Policy` header:
```js
app.use(
helmet({
crossOriginOpenerPolicy: false,
}),
);
```
You can use this as standalone middleware with `app.use(helmet.crossOriginOpenerPolicy())`.
</details>
<details id="cross-origin-resource-policy">
<summary><code>Cross-Origin-Resource-Policy</code></summary>
Default:
```http
Cross-Origin-Resource-Policy: same-origin
```
The `Cross-Origin-Resource-Policy` header blocks others from loading your resources cross-origin in some cases. For more, see ["Consider deploying Cross-Origin Resource Policy"](https://resourcepolicy.fyi/) and [MDN's article on this header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy).
```js
// Sets "Cross-Origin-Resource-Policy: same-origin"
app.use(helmet());
// Sets "Cross-Origin-Resource-Policy: same-site"
app.use(helmet({ crossOriginResourcePolicy: { policy: "same-site" } }));
```
To disable the `Cross-Origin-Resource-Policy` header:
```js
app.use(
helmet({
crossOriginResourcePolicy: false,
}),
);
```
You can use this as standalone middleware with `app.use(helmet.crossOriginResourcePolicy())`.
</details>
<details id="origin-agent-cluster">
<summary><code>Origin-Agent-Cluster</code></summary>
Default:
```http
Origin-Agent-Cluster: ?1
```
The `Origin-Agent-Cluster` header provides a mechanism to allow web applications to isolate their origins from other processes. Read more about it [in the spec](https://whatpr.org/html/6214/origin.html#origin-keyed-agent-clusters).
This header takes no options and is set by default.
```js
// Sets "Origin-Agent-Cluster: ?1"
app.use(helmet());
```
To disable the `Origin-Agent-Cluster` header:
```js
app.use(
helmet({
originAgentCluster: false,
}),
);
```
You can use this as standalone middleware with `app.use(helmet.originAgentCluster())`.
</details>
<details id="referrer-policy">
<summary><code>Referrer-Policy</code></summary>
Default:
```http
Referrer-Policy: no-referrer
```
The `Referrer-Policy` header which controls what information is set in [the `Referer` request header][Referer]. See ["Referer header: privacy and security concerns"](https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns) and [the header's documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) on MDN for more.
```js
// Sets "Referrer-Policy: no-referrer"
app.use(helmet());
```
`policy` is a string or array of strings representing the policy. If passed as an array, it will be joined with commas, which is useful when setting [a fallback policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#Specifying_a_fallback_policy). It defaults to `no-referrer`.
```js
// Sets "Referrer-Policy: no-referrer"
app.use(
helmet({
referrerPolicy: {
policy: "no-referrer",
},
}),
);
// Sets "Referrer-Policy: origin,unsafe-url"
app.use(
helmet({
referrerPolicy: {
policy: ["origin", "unsafe-url"],
},
}),
);
```
To disable the `Referrer-Policy` header:
```js
app.use(
helmet({
referrerPolicy: false,
}),
);
```
You can use this as standalone middleware with `app.use(helmet.referrerPolicy())`.
</details>
<details id="strict-transport-security">
<summary><code>Strict-Transport-Security</code></summary>
Default:
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
The `Strict-Transport-Security` header tells browsers to prefer HTTPS instead of insecure HTTP. See [the documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) for more.
```js
// Sets "Strict-Transport-Security: max-age=31536000; includeSubDomains"
app.use(helmet());
```
`maxAge` is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. It defaults to 365 days.
`includeSubDomains` is a boolean which dictates whether to include the `includeSubDomains` directive, which makes this policy extend to subdomains. It defaults to `true`.
`preload` is a boolean. If true, it adds the `preload` directive, expressing intent to add your HSTS policy to browsers. See [the "Preloading Strict Transport Security" section on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security) for more. It defaults to `false`.
```js
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains"
app.use(
helmet({
strictTransportSecurity: {
maxAge: 123456,
},
}),
);
// Sets "Strict-Transport-Security: max-age=123456"
app.use(
helmet({
strictTransportSecurity: {
maxAge: 123456,
includeSubDomains: false,
},
}),
);
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains; preload"
app.use(
helmet({
strictTransportSecurity: {
maxAge: 63072000,
preload: true,
},
}),
);
```
To disable the `Strict-Transport-Security` header:
```js
app.use(
helmet({
strictTransportSecurity: false,
}),
);
```
You may wish to disable this header for local development, as it can make your browser force redirects from `http://localhost` to `https://localhost`, which may not be desirable if you develop multiple apps using `localhost`. See [this issue](https://github.com/helmetjs/helmet/issues/451) for more discussion.
You can use this as standalone middleware with `app.use(helmet.strictTransportSecurity())`.
</details>
<details id="x-content-type-options">
<summary><code>X-Content-Type-Options</code></summary>
Default:
```http
X-Content-Type-Options: nosniff
```
The `X-Content-Type-Options` mitigates [MIME type sniffing](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#MIME_sniffing) which can cause security issues. See [documentation for this header on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) for more.
This header takes no options and is set by default.
```js
// Sets "X-Content-Type-Options: nosniff"
app.use(helmet());
```
To disable the `X-Content-Type-Options` header:
```js
app.use(
helmet({
xContentTypeOptions: false,
}),
);
```
You can use this as standalone middleware with `app.use(helmet.xContentTypeOptions())`.
</details>
<details id="x-dns-prefetch-control">
<summary><code>X-DNS-Prefetch-Control</code></summary>
Default:
```http
X-DNS-Prefetch-Control: off
```
The `X-DNS-Prefetch-Control` header helps control DNS prefetching, which can improve user privacy at the expense of performance. See [documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control) for more.
```js
// Sets "X-DNS-Prefetch-Control: off"
app.use(helmet());
```
`allow` is a boolean dictating whether to enable DNS prefetching. It defaults to `false`.
Examples:
```js
// Sets "X-DNS-Prefetch-Control: off"
app.use(
helmet({
xDnsPrefetchControl: { allow: false },
}),
);
// Sets "X-DNS-Prefetch-Control: on"
app.use(
helmet({
xDnsPrefetchControl: { allow: true },
}),
);
```
To disable the `X-DNS-Prefetch-Control` header and use the browser's default value:
```js
app.use(
helmet({
xDnsPrefetchControl: false,
}),
);
```
You can use this as standalone middleware with `app.use(helmet.xDnsPrefetchControl())`.
</details>
<details id="x-download-options">
<summary><code>X-Download-Options</code></summary>
Default:
```http
X-Download-Options: noopen
```
The `X-Download-Options` header is specific to Internet Explorer 8. It forces potentially-unsafe downloads to be saved, mitigating execution of HTML in your site's context. For more, see [this old post on MSDN](https://docs.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-v-comprehensive-protection).
This header takes no options and is set by default.
```js
// Sets "X-Download-Options: noopen"
app.use(helmet());
```
To disable the `X-Download-Options` header:
```js
app.use(
helmet({
xDownloadOptions: false,
}),
);
```
You can use this as standalone middleware with `app.use(helmet.xDownloadOptions())`.
</details>
<details id="x-frame-options">
<summary><code>X-Frame-Options</code></summary>
Default:
```http
X-Frame-Options: SAMEORIGIN
```
The legacy `X-Frame-Options` header to help you mitigate [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking). This header is superseded by [the `frame-ancestors` Content Security Policy directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) but is still useful on old browsers or if no CSP is used. For more, see [the documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).
```js
// Sets "X-Frame-Options: SAMEORIGIN"
app.use(helmet());
```
`action` is a string that specifies which directive to use—either `DENY` or `SAMEORIGIN`. (A legacy directive, `ALLOW-FROM`, is not supported by Helmet. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)) It defaults to `SAMEORIGIN`.
Examples:
```js
// Sets "X-Frame-Options: DENY"
app.use(
helmet({
xFrameOptions: { action: "deny" },
}),
);
// Sets "X-Frame-Options: SAMEORIGIN"
app.use(
helmet({
xFrameOptions: { action: "sameorigin" },
}),
);
```
To disable the `X-Frame-Options` header:
```js
app.use(
helmet({
xFrameOptions: false,
}),
);
```
You can use this as standalone middleware with `app.use(helmet.xFrameOptions())`.
</details>
<details id="x-permitted-cross-domain-policies">
<summary><code>X-Permitted-Cross-Domain-Policies</code></summary>
Default:
```http
X-Permitted-Cross-Domain-Policies: none
```
The `X-Permitted-Cross-Domain-Policies` header tells some clients (mostly Adobe products) your domain's policy for loading cross-domain content. See [the description on OWASP](https://owasp.org/www-project-secure-headers/) for more.
```js
// Sets "X-Permitted-Cross-Domain-Policies: none"
app.use(helmet());
```
`permittedPolicies` is a string that must be `"none"`, `"master-only"`, `"by-content-type"`, or `"all"`. It defaults to `"none"`.
Examples:
```js
// Sets "X-Permitted-Cross-Domain-Policies: none"
app.use(
helmet({
xPermittedCrossDomainPolicies: {
permittedPolicies: "none",
},
}),
);
// Sets "X-Permitted-Cross-Domain-Policies: by-content-type"
app.use(
helmet({
xPermittedCrossDomainPolicies: {
permittedPolicies: "by-content-type",
},
}),
);
```
To disable the `X-Permitted-Cross-Domain-Policies` header:
```js
app.use(
helmet({
xPermittedCrossDomainPolicies: false,
}),
);
```
You can use this as standalone middleware with `app.use(helmet.xPermittedCrossDomainPolicies())`.
</details>
<details id="x-powered-by">
<summary><code>X-Powered-By</code></summary>
Default: the `X-Powered-By` header, if present, is removed.
Helmet removes the `X-Powered-By` header, which is set by default in Express and some other frameworks. Removing the header offers very limited security benefits (see [this discussion](https://github.com/expressjs/express/pull/2813#issuecomment-159270428)) and is mostly removed to save bandwidth, but may thwart simplistic attackers.
Note: [Express has a built-in way to disable the `X-Powered-By` header](https://stackoverflow.com/a/12484642/804100), which you may wish to use instead.
The removal of this header takes no options. The header is removed by default.
To disable this behavior:
```js
// Not required, but recommended for Express users:
app.disable("x-powered-by");
// Ask Helmet to ignore the X-Powered-By header.
app.use(
helmet({
xPoweredBy: false,
}),
);
```
You can use this as standalone middleware with `app.use(helmet.xPoweredBy())`.
</details>
<details id="x-xss-protection">
<summary><code>X-XSS-Protection</code></summary>
Default:
```http
X-XSS-Protection: 0
```
Helmet disables browsers' buggy cross-site scripting filter by setting the legacy `X-XSS-Protection` header to `0`. See [discussion about disabling the header here](https://github.com/helmetjs/helmet/issues/230) and [documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).
This header takes no options and is set by default.
To disable the `X-XSS-Protection` header:
```js
// This is not recommended.
app.use(
helmet({
xXssProtection: false,
}),
);
```
You can use this as standalone middleware with `app.use(helmet.xXssProtection())`.
</details>
[Referer]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer
[MIME sniffing]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#mime_sniffing
[Clickjacking]: https://en.wikipedia.org/wiki/Clickjacking
[XSS]: https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting
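Review bot: This entire hunk is upstream Helmet documentation being committed under `backend/apis/nodejs/node_modules/helmet/`, so it should not be reviewed or edited line by line here; the change that belongs in this commit is to drop `node_modules/` from version control (add it to `.gitignore`) and record the helmet dependency and its version in the project's package manifest and lockfile instead, which is also what keeps the supply-chain provenance of the package checkable. One caveat for whoever wires up the CSP from these docs is worth recording: the nonce example (`scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`]`) only produces a fresh nonce if the middleware that sets `res.locals.cspNonce` is registered before `helmet()`; if the order is reversed, the template string evaluates to the constant `'nonce-undefined'`, which passes Helmet's quoting check and leaves the policy with a fixed, predictable nonce, defeating the point of using one.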

7
backend/apis/nodejs/node_modules/helmet/SECURITY.md generated vendored Normal file


@ -0,0 +1,7 @@
# Security issue reporting & disclosure process
If you feel you have found a security issue or concern with Helmet, please reach out to the maintainers.
Contact Evan Hahn at <me@evanhahn.com> or Adam Baldwin at <adam@npmjs.com>. Evan Hahn [can also be reached in other ways](https://evanhahn.com/contact).
We will try to communicate in a timely manner and address your concerns.
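Review bot: Committing this vendored `SECURITY.md` puts the Helmet maintainers' disclosure contacts inside this repository's own tree, where a security scanner or a reader browsing `backend/apis/nodejs/` could mistake it for this project's reporting process; it should stay out of version control along with the rest of `node_modules/`, and if the project wants a disclosure process it should carry a top-level `SECURITY.md` of its own rather than inherit one from a dependency.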

588
backend/apis/nodejs/node_modules/helmet/index.cjs generated vendored Normal file

@ -0,0 +1,588 @@
"use strict"
Object.defineProperties(exports, {__esModule: {value: true}, [Symbol.toStringTag]: {value: "Module"}})
const dangerouslyDisableDefaultSrc = Symbol("dangerouslyDisableDefaultSrc")
const SHOULD_BE_QUOTED = new Set(["none", "self", "strict-dynamic", "report-sample", "inline-speculation-rules", "unsafe-inline", "unsafe-eval", "unsafe-hashes", "wasm-unsafe-eval"])
const getDefaultDirectives = () => ({
"default-src": ["'self'"],
"base-uri": ["'self'"],
"font-src": ["'self'", "https:", "data:"],
"form-action": ["'self'"],
"frame-ancestors": ["'self'"],
"img-src": ["'self'", "data:"],
"object-src": ["'none'"],
"script-src": ["'self'"],
"script-src-attr": ["'none'"],
"style-src": ["'self'", "https:", "'unsafe-inline'"],
"upgrade-insecure-requests": []
})
const dashify = str => str.replace(/[A-Z]/g, capitalLetter => "-" + capitalLetter.toLowerCase())
const assertDirectiveValueIsValid = (directiveName, directiveValue) => {
if (/;|,/.test(directiveValue)) {
throw new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}`)
}
}
const assertDirectiveValueEntryIsValid = (directiveName, directiveValueEntry) => {
if (SHOULD_BE_QUOTED.has(directiveValueEntry) || directiveValueEntry.startsWith("nonce-") || directiveValueEntry.startsWith("sha256-") || directiveValueEntry.startsWith("sha384-") || directiveValueEntry.startsWith("sha512-")) {
throw new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}. ${JSON.stringify(directiveValueEntry)} should be quoted`)
}
}
function normalizeDirectives(options) {
const defaultDirectives = getDefaultDirectives()
const {useDefaults = true, directives: rawDirectives = defaultDirectives} = options
const result = new Map()
const directiveNamesSeen = new Set()
const directivesExplicitlyDisabled = new Set()
for (const rawDirectiveName in rawDirectives) {
if (!Object.hasOwn(rawDirectives, rawDirectiveName)) {
continue
}
if (rawDirectiveName.length === 0 || /[^a-zA-Z0-9-]/.test(rawDirectiveName)) {
throw new Error(`Content-Security-Policy received an invalid directive name ${JSON.stringify(rawDirectiveName)}`)
}
const directiveName = dashify(rawDirectiveName)
if (directiveNamesSeen.has(directiveName)) {
throw new Error(`Content-Security-Policy received a duplicate directive ${JSON.stringify(directiveName)}`)
}
directiveNamesSeen.add(directiveName)
const rawDirectiveValue = rawDirectives[rawDirectiveName]
let directiveValue
if (rawDirectiveValue === null) {
if (directiveName === "default-src") {
throw new Error("Content-Security-Policy needs a default-src but it was set to `null`. If you really want to disable it, set it to `contentSecurityPolicy.dangerouslyDisableDefaultSrc`.")
}
directivesExplicitlyDisabled.add(directiveName)
continue
} else if (typeof rawDirectiveValue === "string") {
directiveValue = [rawDirectiveValue]
} else if (!rawDirectiveValue) {
throw new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}`)
} else if (rawDirectiveValue === dangerouslyDisableDefaultSrc) {
if (directiveName === "default-src") {
directivesExplicitlyDisabled.add("default-src")
continue
} else {
throw new Error(`Content-Security-Policy: tried to disable ${JSON.stringify(directiveName)} as if it were default-src; simply omit the key`)
}
} else {
directiveValue = rawDirectiveValue
}
for (const element of directiveValue) {
if (typeof element !== "string") continue
assertDirectiveValueIsValid(directiveName, element)
assertDirectiveValueEntryIsValid(directiveName, element)
}
result.set(directiveName, directiveValue)
}
if (useDefaults) {
Object.entries(defaultDirectives).forEach(([defaultDirectiveName, defaultDirectiveValue]) => {
if (!result.has(defaultDirectiveName) && !directivesExplicitlyDisabled.has(defaultDirectiveName)) {
result.set(defaultDirectiveName, defaultDirectiveValue)
}
})
}
if (!result.size) {
throw new Error("Content-Security-Policy has no directives. Either set some or disable the header")
}
if (!result.has("default-src") && !directivesExplicitlyDisabled.has("default-src")) {
throw new Error("Content-Security-Policy needs a default-src but none was provided. If you really want to disable it, set it to `contentSecurityPolicy.dangerouslyDisableDefaultSrc`.")
}
return result
}
function getHeaderValue(req, res, normalizedDirectives) {
const result = []
for (const [directiveName, rawDirectiveValue] of normalizedDirectives) {
let directiveValue = ""
for (const element of rawDirectiveValue) {
if (typeof element === "function") {
const newElement = element(req, res)
assertDirectiveValueEntryIsValid(directiveName, newElement)
directiveValue += " " + newElement
} else {
directiveValue += " " + element
}
}
if (directiveValue) {
assertDirectiveValueIsValid(directiveName, directiveValue)
result.push(`${directiveName}${directiveValue}`)
} else {
result.push(directiveName)
}
}
return result.join(";")
}
const contentSecurityPolicy = function contentSecurityPolicy(options = {}) {
const headerName = options.reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy"
const normalizedDirectives = normalizeDirectives(options)
return function contentSecurityPolicyMiddleware(req, res, next) {
const result = getHeaderValue(req, res, normalizedDirectives)
if (result instanceof Error) {
next(result)
} else {
res.setHeader(headerName, result)
next()
}
}
}
contentSecurityPolicy.getDefaultDirectives = getDefaultDirectives
contentSecurityPolicy.dangerouslyDisableDefaultSrc = dangerouslyDisableDefaultSrc
const ALLOWED_POLICIES$2 = new Set(["require-corp", "credentialless", "unsafe-none"])
function getHeaderValueFromOptions$6({policy = "require-corp"}) {
if (ALLOWED_POLICIES$2.has(policy)) {
return policy
} else {
throw new Error(`Cross-Origin-Embedder-Policy does not support the ${JSON.stringify(policy)} policy`)
}
}
function crossOriginEmbedderPolicy(options = {}) {
const headerValue = getHeaderValueFromOptions$6(options)
return function crossOriginEmbedderPolicyMiddleware(_req, res, next) {
res.setHeader("Cross-Origin-Embedder-Policy", headerValue)
next()
}
}
const ALLOWED_POLICIES$1 = new Set(["same-origin", "same-origin-allow-popups", "unsafe-none"])
function getHeaderValueFromOptions$5({policy = "same-origin"}) {
if (ALLOWED_POLICIES$1.has(policy)) {
return policy
} else {
throw new Error(`Cross-Origin-Opener-Policy does not support the ${JSON.stringify(policy)} policy`)
}
}
function crossOriginOpenerPolicy(options = {}) {
const headerValue = getHeaderValueFromOptions$5(options)
return function crossOriginOpenerPolicyMiddleware(_req, res, next) {
res.setHeader("Cross-Origin-Opener-Policy", headerValue)
next()
}
}
const ALLOWED_POLICIES = new Set(["same-origin", "same-site", "cross-origin"])
function getHeaderValueFromOptions$4({policy = "same-origin"}) {
if (ALLOWED_POLICIES.has(policy)) {
return policy
} else {
throw new Error(`Cross-Origin-Resource-Policy does not support the ${JSON.stringify(policy)} policy`)
}
}
function crossOriginResourcePolicy(options = {}) {
const headerValue = getHeaderValueFromOptions$4(options)
return function crossOriginResourcePolicyMiddleware(_req, res, next) {
res.setHeader("Cross-Origin-Resource-Policy", headerValue)
next()
}
}
function originAgentCluster() {
return function originAgentClusterMiddleware(_req, res, next) {
res.setHeader("Origin-Agent-Cluster", "?1")
next()
}
}
const ALLOWED_TOKENS = new Set(["no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url", ""])
function getHeaderValueFromOptions$3({policy = ["no-referrer"]}) {
const tokens = typeof policy === "string" ? [policy] : policy
if (tokens.length === 0) {
throw new Error("Referrer-Policy received no policy tokens")
}
const tokensSeen = new Set()
tokens.forEach(token => {
if (!ALLOWED_TOKENS.has(token)) {
throw new Error(`Referrer-Policy received an unexpected policy token ${JSON.stringify(token)}`)
} else if (tokensSeen.has(token)) {
throw new Error(`Referrer-Policy received a duplicate policy token ${JSON.stringify(token)}`)
}
tokensSeen.add(token)
})
return tokens.join(",")
}
function referrerPolicy(options = {}) {
const headerValue = getHeaderValueFromOptions$3(options)
return function referrerPolicyMiddleware(_req, res, next) {
res.setHeader("Referrer-Policy", headerValue)
next()
}
}
const DEFAULT_MAX_AGE = 365 * 24 * 60 * 60
function parseMaxAge(value = DEFAULT_MAX_AGE) {
if (value >= 0 && Number.isFinite(value)) {
return Math.floor(value)
} else {
throw new Error(`Strict-Transport-Security: ${JSON.stringify(value)} is not a valid value for maxAge. Please choose a positive integer.`)
}
}
function getHeaderValueFromOptions$2(options) {
if ("maxage" in options) {
throw new Error("Strict-Transport-Security received an unsupported property, `maxage`. Did you mean to pass `maxAge`?")
}
if ("includeSubdomains" in options) {
throw new Error('Strict-Transport-Security middleware should use `includeSubDomains` instead of `includeSubdomains`. (The correct one has an uppercase "D".)')
}
const directives = [`max-age=${parseMaxAge(options.maxAge)}`]
if (options.includeSubDomains === undefined || options.includeSubDomains) {
directives.push("includeSubDomains")
}
if (options.preload) {
directives.push("preload")
}
return directives.join("; ")
}
function strictTransportSecurity(options = {}) {
const headerValue = getHeaderValueFromOptions$2(options)
return function strictTransportSecurityMiddleware(_req, res, next) {
res.setHeader("Strict-Transport-Security", headerValue)
next()
}
}
function xContentTypeOptions() {
return function xContentTypeOptionsMiddleware(_req, res, next) {
res.setHeader("X-Content-Type-Options", "nosniff")
next()
}
}
function xDnsPrefetchControl(options = {}) {
const headerValue = options.allow ? "on" : "off"
return function xDnsPrefetchControlMiddleware(_req, res, next) {
res.setHeader("X-DNS-Prefetch-Control", headerValue)
next()
}
}
function xDownloadOptions() {
return function xDownloadOptionsMiddleware(_req, res, next) {
res.setHeader("X-Download-Options", "noopen")
next()
}
}
function getHeaderValueFromOptions$1({action = "sameorigin"}) {
const normalizedAction = typeof action === "string" ? action.toUpperCase() : action
switch (normalizedAction) {
case "SAME-ORIGIN":
return "SAMEORIGIN"
case "DENY":
case "SAMEORIGIN":
return normalizedAction
default:
throw new Error(`X-Frame-Options received an invalid action ${JSON.stringify(action)}`)
}
}
function xFrameOptions(options = {}) {
const headerValue = getHeaderValueFromOptions$1(options)
return function xFrameOptionsMiddleware(_req, res, next) {
res.setHeader("X-Frame-Options", headerValue)
next()
}
}
const ALLOWED_PERMITTED_POLICIES = new Set(["none", "master-only", "by-content-type", "all"])
function getHeaderValueFromOptions({permittedPolicies = "none"}) {
if (ALLOWED_PERMITTED_POLICIES.has(permittedPolicies)) {
return permittedPolicies
} else {
throw new Error(`X-Permitted-Cross-Domain-Policies does not support ${JSON.stringify(permittedPolicies)}`)
}
}
function xPermittedCrossDomainPolicies(options = {}) {
const headerValue = getHeaderValueFromOptions(options)
return function xPermittedCrossDomainPoliciesMiddleware(_req, res, next) {
res.setHeader("X-Permitted-Cross-Domain-Policies", headerValue)
next()
}
}
function xPoweredBy() {
return function xPoweredByMiddleware(_req, res, next) {
res.removeHeader("X-Powered-By")
next()
}
}
function xXssProtection() {
return function xXssProtectionMiddleware(_req, res, next) {
res.setHeader("X-XSS-Protection", "0")
next()
}
}
function getMiddlewareFunctionsFromOptions(options) {
const result = []
switch (options.contentSecurityPolicy) {
case undefined:
case true:
result.push(contentSecurityPolicy())
break
case false:
break
default:
result.push(contentSecurityPolicy(options.contentSecurityPolicy))
break
}
switch (options.crossOriginEmbedderPolicy) {
case undefined:
case false:
break
case true:
result.push(crossOriginEmbedderPolicy())
break
default:
result.push(crossOriginEmbedderPolicy(options.crossOriginEmbedderPolicy))
break
}
switch (options.crossOriginOpenerPolicy) {
case undefined:
case true:
result.push(crossOriginOpenerPolicy())
break
case false:
break
default:
result.push(crossOriginOpenerPolicy(options.crossOriginOpenerPolicy))
break
}
switch (options.crossOriginResourcePolicy) {
case undefined:
case true:
result.push(crossOriginResourcePolicy())
break
case false:
break
default:
result.push(crossOriginResourcePolicy(options.crossOriginResourcePolicy))
break
}
switch (options.originAgentCluster) {
case undefined:
case true:
result.push(originAgentCluster())
break
case false:
break
default:
console.warn("Origin-Agent-Cluster does not take options. Remove the property to silence this warning.")
result.push(originAgentCluster())
break
}
switch (options.referrerPolicy) {
case undefined:
case true:
result.push(referrerPolicy())
break
case false:
break
default:
result.push(referrerPolicy(options.referrerPolicy))
break
}
if ("strictTransportSecurity" in options && "hsts" in options) {
throw new Error("Strict-Transport-Security option was specified twice. Remove `hsts` to silence this warning.")
}
const strictTransportSecurityOption = options.strictTransportSecurity ?? options.hsts
switch (strictTransportSecurityOption) {
case undefined:
case true:
result.push(strictTransportSecurity())
break
case false:
break
default:
result.push(strictTransportSecurity(strictTransportSecurityOption))
break
}
if ("xContentTypeOptions" in options && "noSniff" in options) {
throw new Error("X-Content-Type-Options option was specified twice. Remove `noSniff` to silence this warning.")
}
const xContentTypeOptionsOption = options.xContentTypeOptions ?? options.noSniff
switch (xContentTypeOptionsOption) {
case undefined:
case true:
result.push(xContentTypeOptions())
break
case false:
break
default:
console.warn("X-Content-Type-Options does not take options. Remove the property to silence this warning.")
result.push(xContentTypeOptions())
break
}
if ("xDnsPrefetchControl" in options && "dnsPrefetchControl" in options) {
throw new Error("X-DNS-Prefetch-Control option was specified twice. Remove `dnsPrefetchControl` to silence this warning.")
}
const xDnsPrefetchControlOption = options.xDnsPrefetchControl ?? options.dnsPrefetchControl
switch (xDnsPrefetchControlOption) {
case undefined:
case true:
result.push(xDnsPrefetchControl())
break
case false:
break
default:
result.push(xDnsPrefetchControl(xDnsPrefetchControlOption))
break
}
if ("xDownloadOptions" in options && "ieNoOpen" in options) {
throw new Error("X-Download-Options option was specified twice. Remove `ieNoOpen` to silence this warning.")
}
const xDownloadOptionsOption = options.xDownloadOptions ?? options.ieNoOpen
switch (xDownloadOptionsOption) {
case undefined:
case true:
result.push(xDownloadOptions())
break
case false:
break
default:
console.warn("X-Download-Options does not take options. Remove the property to silence this warning.")
result.push(xDownloadOptions())
break
}
if ("xFrameOptions" in options && "frameguard" in options) {
throw new Error("X-Frame-Options option was specified twice. Remove `frameguard` to silence this warning.")
}
const xFrameOptionsOption = options.xFrameOptions ?? options.frameguard
switch (xFrameOptionsOption) {
case undefined:
case true:
result.push(xFrameOptions())
break
case false:
break
default:
result.push(xFrameOptions(xFrameOptionsOption))
break
}
if ("xPermittedCrossDomainPolicies" in options && "permittedCrossDomainPolicies" in options) {
throw new Error("X-Permitted-Cross-Domain-Policies option was specified twice. Remove `permittedCrossDomainPolicies` to silence this warning.")
}
const xPermittedCrossDomainPoliciesOption = options.xPermittedCrossDomainPolicies ?? options.permittedCrossDomainPolicies
switch (xPermittedCrossDomainPoliciesOption) {
case undefined:
case true:
result.push(xPermittedCrossDomainPolicies())
break
case false:
break
default:
result.push(xPermittedCrossDomainPolicies(xPermittedCrossDomainPoliciesOption))
break
}
if ("xPoweredBy" in options && "hidePoweredBy" in options) {
throw new Error("X-Powered-By option was specified twice. Remove `hidePoweredBy` to silence this warning.")
}
const xPoweredByOption = options.xPoweredBy ?? options.hidePoweredBy
switch (xPoweredByOption) {
case undefined:
case true:
result.push(xPoweredBy())
break
case false:
break
default:
console.warn("X-Powered-By does not take options. Remove the property to silence this warning.")
result.push(xPoweredBy())
break
}
if ("xXssProtection" in options && "xssFilter" in options) {
throw new Error("X-XSS-Protection option was specified twice. Remove `xssFilter` to silence this warning.")
}
const xXssProtectionOption = options.xXssProtection ?? options.xssFilter
switch (xXssProtectionOption) {
case undefined:
case true:
result.push(xXssProtection())
break
case false:
break
default:
console.warn("X-XSS-Protection does not take options. Remove the property to silence this warning.")
result.push(xXssProtection())
break
}
return result
}
const helmet = Object.assign(
function helmet(options = {}) {
// People should be able to pass an options object with no prototype,
// so we want this optional chaining.
// eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
if (options.constructor?.name === "IncomingMessage") {
throw new Error("It appears you have done something like `app.use(helmet)`, but it should be `app.use(helmet())`.")
}
const middlewareFunctions = getMiddlewareFunctionsFromOptions(options)
return function helmetMiddleware(req, res, next) {
let middlewareIndex = 0
;(function internalNext(err) {
if (err) {
next(err)
return
}
const middlewareFunction = middlewareFunctions[middlewareIndex]
if (middlewareFunction) {
middlewareIndex++
middlewareFunction(req, res, internalNext)
} else {
next()
}
})()
}
},
{
contentSecurityPolicy,
crossOriginEmbedderPolicy,
crossOriginOpenerPolicy,
crossOriginResourcePolicy,
originAgentCluster,
referrerPolicy,
strictTransportSecurity,
xContentTypeOptions,
xDnsPrefetchControl,
xDownloadOptions,
xFrameOptions,
xPermittedCrossDomainPolicies,
xPoweredBy,
xXssProtection,
// Legacy aliases
dnsPrefetchControl: xDnsPrefetchControl,
xssFilter: xXssProtection,
permittedCrossDomainPolicies: xPermittedCrossDomainPolicies,
ieNoOpen: xDownloadOptions,
noSniff: xContentTypeOptions,
frameguard: xFrameOptions,
hidePoweredBy: xPoweredBy,
hsts: strictTransportSecurity
}
)
exports.contentSecurityPolicy = contentSecurityPolicy
exports.crossOriginEmbedderPolicy = crossOriginEmbedderPolicy
exports.crossOriginOpenerPolicy = crossOriginOpenerPolicy
exports.crossOriginResourcePolicy = crossOriginResourcePolicy
exports.default = helmet
exports.dnsPrefetchControl = xDnsPrefetchControl
exports.frameguard = xFrameOptions
exports.hidePoweredBy = xPoweredBy
exports.hsts = strictTransportSecurity
exports.ieNoOpen = xDownloadOptions
exports.noSniff = xContentTypeOptions
exports.originAgentCluster = originAgentCluster
exports.permittedCrossDomainPolicies = xPermittedCrossDomainPolicies
exports.referrerPolicy = referrerPolicy
exports.strictTransportSecurity = strictTransportSecurity
exports.xContentTypeOptions = xContentTypeOptions
exports.xDnsPrefetchControl = xDnsPrefetchControl
exports.xDownloadOptions = xDownloadOptions
exports.xFrameOptions = xFrameOptions
exports.xPermittedCrossDomainPolicies = xPermittedCrossDomainPolicies
exports.xPoweredBy = xPoweredBy
exports.xXssProtection = xXssProtection
exports.xssFilter = xXssProtection
module.exports = exports.default
module.exports.default = module.exports
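Review bot: the duplicate-option guards in this hunk (`throw new Error("X-Frame-Options option was specified twice. Remove \`frameguard\` to silence this warning.")`, and the same pattern for `permittedCrossDomainPolicies`, `hidePoweredBy` and `xssFilter`) throw hard errors whose messages call themselves a "warning", which makes the severity read differently from the genuine `console.warn` branches (`X-Powered-By does not take options...`, `X-XSS-Protection does not take options...`) a few lines below. Because this file is helmet's generated CommonJS build rather than project code, the wording is an upstream nit to report there, not something to patch locally, since any local edit is overwritten on the next install; the `module.exports = exports.default` / `module.exports.default = module.exports` tail is the expected CJS/ESM interop and needs no change.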

186
backend/apis/nodejs/node_modules/helmet/index.d.cts generated vendored Normal file

@ -0,0 +1,186 @@
import {IncomingMessage, ServerResponse} from "node:http"
type ContentSecurityPolicyDirectiveValueFunction = (req: IncomingMessage, res: ServerResponse) => string
type ContentSecurityPolicyDirectiveValue = string | ContentSecurityPolicyDirectiveValueFunction
interface ContentSecurityPolicyOptions {
useDefaults?: boolean
directives?: Record<string, null | Iterable<ContentSecurityPolicyDirectiveValue> | typeof dangerouslyDisableDefaultSrc>
reportOnly?: boolean
}
interface ContentSecurityPolicy {
(options?: Readonly<ContentSecurityPolicyOptions>): (req: IncomingMessage, res: ServerResponse, next: (err?: Error) => void) => void
getDefaultDirectives: typeof getDefaultDirectives
dangerouslyDisableDefaultSrc: typeof dangerouslyDisableDefaultSrc
}
declare const dangerouslyDisableDefaultSrc: unique symbol
declare const getDefaultDirectives: () => Record<string, Iterable<ContentSecurityPolicyDirectiveValue>>
declare const contentSecurityPolicy: ContentSecurityPolicy
interface CrossOriginEmbedderPolicyOptions {
policy?: "require-corp" | "credentialless" | "unsafe-none"
}
declare function crossOriginEmbedderPolicy(options?: Readonly<CrossOriginEmbedderPolicyOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
interface CrossOriginOpenerPolicyOptions {
policy?: "same-origin" | "same-origin-allow-popups" | "unsafe-none"
}
declare function crossOriginOpenerPolicy(options?: Readonly<CrossOriginOpenerPolicyOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
interface CrossOriginResourcePolicyOptions {
policy?: "same-origin" | "same-site" | "cross-origin"
}
declare function crossOriginResourcePolicy(options?: Readonly<CrossOriginResourcePolicyOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
declare function originAgentCluster(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
type ReferrerPolicyToken = "no-referrer" | "no-referrer-when-downgrade" | "same-origin" | "origin" | "strict-origin" | "origin-when-cross-origin" | "strict-origin-when-cross-origin" | "unsafe-url" | ""
interface ReferrerPolicyOptions {
policy?: ReferrerPolicyToken | ReferrerPolicyToken[]
}
declare function referrerPolicy(options?: Readonly<ReferrerPolicyOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
interface StrictTransportSecurityOptions {
maxAge?: number
includeSubDomains?: boolean
preload?: boolean
}
declare function strictTransportSecurity(options?: Readonly<StrictTransportSecurityOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
declare function xContentTypeOptions(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
interface XDnsPrefetchControlOptions {
allow?: boolean
}
declare function xDnsPrefetchControl(options?: Readonly<XDnsPrefetchControlOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
declare function xDownloadOptions(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
interface XFrameOptionsOptions {
action?: "deny" | "sameorigin"
}
declare function xFrameOptions(options?: Readonly<XFrameOptionsOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
interface XPermittedCrossDomainPoliciesOptions {
permittedPolicies?: "none" | "master-only" | "by-content-type" | "all"
}
declare function xPermittedCrossDomainPolicies(options?: Readonly<XPermittedCrossDomainPoliciesOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
declare function xPoweredBy(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
declare function xXssProtection(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
type HelmetOptions = {
contentSecurityPolicy?: ContentSecurityPolicyOptions | boolean
crossOriginEmbedderPolicy?: CrossOriginEmbedderPolicyOptions | boolean
crossOriginOpenerPolicy?: CrossOriginOpenerPolicyOptions | boolean
crossOriginResourcePolicy?: CrossOriginResourcePolicyOptions | boolean
originAgentCluster?: boolean
referrerPolicy?: ReferrerPolicyOptions | boolean
} & (
| {
strictTransportSecurity?: StrictTransportSecurityOptions | boolean
hsts?: never
}
| {
hsts?: StrictTransportSecurityOptions | boolean
strictTransportSecurity?: never
}
) &
(
| {
xContentTypeOptions?: boolean
noSniff?: never
}
| {
noSniff?: boolean
xContentTypeOptions?: never
}
) &
(
| {
xDnsPrefetchControl?: XDnsPrefetchControlOptions | boolean
dnsPrefetchControl?: never
}
| {
dnsPrefetchControl?: XDnsPrefetchControlOptions | boolean
xDnsPrefetchControl?: never
}
) &
(
| {
xDownloadOptions?: boolean
ieNoOpen?: never
}
| {
ieNoOpen?: boolean
xDownloadOptions?: never
}
) &
(
| {
xFrameOptions?: XFrameOptionsOptions | boolean
frameguard?: never
}
| {
frameguard?: XFrameOptionsOptions | boolean
xFrameOptions?: never
}
) &
(
| {
xPermittedCrossDomainPolicies?: XPermittedCrossDomainPoliciesOptions | boolean
permittedCrossDomainPolicies?: never
}
| {
permittedCrossDomainPolicies?: XPermittedCrossDomainPoliciesOptions | boolean
xPermittedCrossDomainPolicies?: never
}
) &
(
| {
xPoweredBy?: boolean
hidePoweredBy?: never
}
| {
hidePoweredBy?: boolean
xPoweredBy?: never
}
) &
(
| {
xXssProtection?: boolean
xssFilter?: never
}
| {
xssFilter?: boolean
xXssProtection?: never
}
)
interface Helmet {
(options?: Readonly<HelmetOptions>): (req: IncomingMessage, res: ServerResponse, next: (err?: unknown) => void) => void
contentSecurityPolicy: typeof contentSecurityPolicy
crossOriginEmbedderPolicy: typeof crossOriginEmbedderPolicy
crossOriginOpenerPolicy: typeof crossOriginOpenerPolicy
crossOriginResourcePolicy: typeof crossOriginResourcePolicy
originAgentCluster: typeof originAgentCluster
referrerPolicy: typeof referrerPolicy
strictTransportSecurity: typeof strictTransportSecurity
xContentTypeOptions: typeof xContentTypeOptions
xDnsPrefetchControl: typeof xDnsPrefetchControl
xDownloadOptions: typeof xDownloadOptions
xFrameOptions: typeof xFrameOptions
xPermittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies
xPoweredBy: typeof xPoweredBy
xXssProtection: typeof xXssProtection
dnsPrefetchControl: typeof xDnsPrefetchControl
frameguard: typeof xFrameOptions
hidePoweredBy: typeof xPoweredBy
hsts: typeof strictTransportSecurity
ieNoOpen: typeof xDownloadOptions
noSniff: typeof xContentTypeOptions
permittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies
xssFilter: typeof xXssProtection
}
declare const helmet: Helmet
export {type HelmetOptions, contentSecurityPolicy, crossOriginEmbedderPolicy, crossOriginOpenerPolicy, crossOriginResourcePolicy, helmet as default, xDnsPrefetchControl as dnsPrefetchControl, xFrameOptions as frameguard, xPoweredBy as hidePoweredBy, strictTransportSecurity as hsts, xDownloadOptions as ieNoOpen, xContentTypeOptions as noSniff, originAgentCluster, xPermittedCrossDomainPolicies as permittedCrossDomainPolicies, referrerPolicy, strictTransportSecurity, xContentTypeOptions, xDnsPrefetchControl, xDownloadOptions, xFrameOptions, xPermittedCrossDomainPolicies, xPoweredBy, xXssProtection, xXssProtection as xssFilter}
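Review bot: this file, like the rest of `backend/apis/nodejs/node_modules/helmet/` in this commit, is a generated, vendored copy of a published package (the file header itself says "generated vendored"), and committing `node_modules` means future helmet releases, including security fixes, only reach the project when someone remembers to re-commit the directory, while lockfile-driven tooling such as `npm audit` and `npm ci` stops being the source of truth for what is actually deployed. Drop `node_modules` from this commit, add it to `.gitignore`, and pin helmet through the package manifest and lockfile instead; the typings here (`HelmetOptions` with its `never`-typed legacy-alias pairs, `dangerouslyDisableDefaultSrc` as a `unique symbol`) are fine as shipped and need no local change.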

186
backend/apis/nodejs/node_modules/helmet/index.d.mts generated vendored Normal file

@ -0,0 +1,186 @@
import {IncomingMessage, ServerResponse} from "node:http"
type ContentSecurityPolicyDirectiveValueFunction = (req: IncomingMessage, res: ServerResponse) => string
type ContentSecurityPolicyDirectiveValue = string | ContentSecurityPolicyDirectiveValueFunction
interface ContentSecurityPolicyOptions {
useDefaults?: boolean
directives?: Record<string, null | Iterable<ContentSecurityPolicyDirectiveValue> | typeof dangerouslyDisableDefaultSrc>
reportOnly?: boolean
}
interface ContentSecurityPolicy {
(options?: Readonly<ContentSecurityPolicyOptions>): (req: IncomingMessage, res: ServerResponse, next: (err?: Error) => void) => void
getDefaultDirectives: typeof getDefaultDirectives
dangerouslyDisableDefaultSrc: typeof dangerouslyDisableDefaultSrc
}
declare const dangerouslyDisableDefaultSrc: unique symbol
declare const getDefaultDirectives: () => Record<string, Iterable<ContentSecurityPolicyDirectiveValue>>
declare const contentSecurityPolicy: ContentSecurityPolicy
interface CrossOriginEmbedderPolicyOptions {
policy?: "require-corp" | "credentialless" | "unsafe-none"
}
declare function crossOriginEmbedderPolicy(options?: Readonly<CrossOriginEmbedderPolicyOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
interface CrossOriginOpenerPolicyOptions {
policy?: "same-origin" | "same-origin-allow-popups" | "unsafe-none"
}
declare function crossOriginOpenerPolicy(options?: Readonly<CrossOriginOpenerPolicyOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
interface CrossOriginResourcePolicyOptions {
policy?: "same-origin" | "same-site" | "cross-origin"
}
declare function crossOriginResourcePolicy(options?: Readonly<CrossOriginResourcePolicyOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
declare function originAgentCluster(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
type ReferrerPolicyToken = "no-referrer" | "no-referrer-when-downgrade" | "same-origin" | "origin" | "strict-origin" | "origin-when-cross-origin" | "strict-origin-when-cross-origin" | "unsafe-url" | ""
interface ReferrerPolicyOptions {
policy?: ReferrerPolicyToken | ReferrerPolicyToken[]
}
declare function referrerPolicy(options?: Readonly<ReferrerPolicyOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
interface StrictTransportSecurityOptions {
maxAge?: number
includeSubDomains?: boolean
preload?: boolean
}
declare function strictTransportSecurity(options?: Readonly<StrictTransportSecurityOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
declare function xContentTypeOptions(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
interface XDnsPrefetchControlOptions {
allow?: boolean
}
declare function xDnsPrefetchControl(options?: Readonly<XDnsPrefetchControlOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
declare function xDownloadOptions(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
interface XFrameOptionsOptions {
action?: "deny" | "sameorigin"
}
declare function xFrameOptions(options?: Readonly<XFrameOptionsOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
interface XPermittedCrossDomainPoliciesOptions {
permittedPolicies?: "none" | "master-only" | "by-content-type" | "all"
}
declare function xPermittedCrossDomainPolicies(options?: Readonly<XPermittedCrossDomainPoliciesOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
declare function xPoweredBy(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
declare function xXssProtection(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
type HelmetOptions = {
contentSecurityPolicy?: ContentSecurityPolicyOptions | boolean
crossOriginEmbedderPolicy?: CrossOriginEmbedderPolicyOptions | boolean
crossOriginOpenerPolicy?: CrossOriginOpenerPolicyOptions | boolean
crossOriginResourcePolicy?: CrossOriginResourcePolicyOptions | boolean
originAgentCluster?: boolean
referrerPolicy?: ReferrerPolicyOptions | boolean
} & (
| {
strictTransportSecurity?: StrictTransportSecurityOptions | boolean
hsts?: never
}
| {
hsts?: StrictTransportSecurityOptions | boolean
strictTransportSecurity?: never
}
) &
(
| {
xContentTypeOptions?: boolean
noSniff?: never
}
| {
noSniff?: boolean
xContentTypeOptions?: never
}
) &
(
| {
xDnsPrefetchControl?: XDnsPrefetchControlOptions | boolean
dnsPrefetchControl?: never
}
| {
dnsPrefetchControl?: XDnsPrefetchControlOptions | boolean
xDnsPrefetchControl?: never
}
) &
(
| {
xDownloadOptions?: boolean
ieNoOpen?: never
}
| {
ieNoOpen?: boolean
xDownloadOptions?: never
}
) &
(
| {
xFrameOptions?: XFrameOptionsOptions | boolean
frameguard?: never
}
| {
frameguard?: XFrameOptionsOptions | boolean
xFrameOptions?: never
}
) &
(
| {
xPermittedCrossDomainPolicies?: XPermittedCrossDomainPoliciesOptions | boolean
permittedCrossDomainPolicies?: never
}
| {
permittedCrossDomainPolicies?: XPermittedCrossDomainPoliciesOptions | boolean
xPermittedCrossDomainPolicies?: never
}
) &
(
| {
xPoweredBy?: boolean
hidePoweredBy?: never
}
| {
hidePoweredBy?: boolean
xPoweredBy?: never
}
) &
(
| {
xXssProtection?: boolean
xssFilter?: never
}
| {
xssFilter?: boolean
xXssProtection?: never
}
)
interface Helmet {
(options?: Readonly<HelmetOptions>): (req: IncomingMessage, res: ServerResponse, next: (err?: unknown) => void) => void
contentSecurityPolicy: typeof contentSecurityPolicy
crossOriginEmbedderPolicy: typeof crossOriginEmbedderPolicy
crossOriginOpenerPolicy: typeof crossOriginOpenerPolicy
crossOriginResourcePolicy: typeof crossOriginResourcePolicy
originAgentCluster: typeof originAgentCluster
referrerPolicy: typeof referrerPolicy
strictTransportSecurity: typeof strictTransportSecurity
xContentTypeOptions: typeof xContentTypeOptions
xDnsPrefetchControl: typeof xDnsPrefetchControl
xDownloadOptions: typeof xDownloadOptions
xFrameOptions: typeof xFrameOptions
xPermittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies
xPoweredBy: typeof xPoweredBy
xXssProtection: typeof xXssProtection
dnsPrefetchControl: typeof xDnsPrefetchControl
frameguard: typeof xFrameOptions
hidePoweredBy: typeof xPoweredBy
hsts: typeof strictTransportSecurity
ieNoOpen: typeof xDownloadOptions
noSniff: typeof xContentTypeOptions
permittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies
xssFilter: typeof xXssProtection
}
declare const helmet: Helmet
export {type HelmetOptions, contentSecurityPolicy, crossOriginEmbedderPolicy, crossOriginOpenerPolicy, crossOriginResourcePolicy, helmet as default, xDnsPrefetchControl as dnsPrefetchControl, xFrameOptions as frameguard, xPoweredBy as hidePoweredBy, strictTransportSecurity as hsts, xDownloadOptions as ieNoOpen, xContentTypeOptions as noSniff, originAgentCluster, xPermittedCrossDomainPolicies as permittedCrossDomainPolicies, referrerPolicy, strictTransportSecurity, xContentTypeOptions, xDnsPrefetchControl, xDownloadOptions, xFrameOptions, xPermittedCrossDomainPolicies, xPoweredBy, xXssProtection, xXssProtection as xssFilter}
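Review bot: this declaration file is identical to `index.d.cts` above, which is how helmet ships typings for both its CommonJS and ESM entry points, so there is nothing project-specific to review in it and the same objection applies: it belongs to the installed dependency, not the repository. One minor inconsistency worth raising upstream rather than patching here is that the `Helmet` callable types its `next` as `(err?: unknown) => void` while `ContentSecurityPolicy` types it as `(err?: Error) => void`, even though both middlewares are composed by the same runtime loop.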

559
backend/apis/nodejs/node_modules/helmet/index.mjs generated vendored Normal file

@ -0,0 +1,559 @@
const dangerouslyDisableDefaultSrc = Symbol("dangerouslyDisableDefaultSrc")
const SHOULD_BE_QUOTED = new Set(["none", "self", "strict-dynamic", "report-sample", "inline-speculation-rules", "unsafe-inline", "unsafe-eval", "unsafe-hashes", "wasm-unsafe-eval"])
const getDefaultDirectives = () => ({
"default-src": ["'self'"],
"base-uri": ["'self'"],
"font-src": ["'self'", "https:", "data:"],
"form-action": ["'self'"],
"frame-ancestors": ["'self'"],
"img-src": ["'self'", "data:"],
"object-src": ["'none'"],
"script-src": ["'self'"],
"script-src-attr": ["'none'"],
"style-src": ["'self'", "https:", "'unsafe-inline'"],
"upgrade-insecure-requests": []
})
const dashify = str => str.replace(/[A-Z]/g, capitalLetter => "-" + capitalLetter.toLowerCase())
const assertDirectiveValueIsValid = (directiveName, directiveValue) => {
if (/;|,/.test(directiveValue)) {
throw new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}`)
}
}
const assertDirectiveValueEntryIsValid = (directiveName, directiveValueEntry) => {
if (SHOULD_BE_QUOTED.has(directiveValueEntry) || directiveValueEntry.startsWith("nonce-") || directiveValueEntry.startsWith("sha256-") || directiveValueEntry.startsWith("sha384-") || directiveValueEntry.startsWith("sha512-")) {
throw new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}. ${JSON.stringify(directiveValueEntry)} should be quoted`)
}
}
function normalizeDirectives(options) {
const defaultDirectives = getDefaultDirectives()
const {useDefaults = true, directives: rawDirectives = defaultDirectives} = options
const result = new Map()
const directiveNamesSeen = new Set()
const directivesExplicitlyDisabled = new Set()
for (const rawDirectiveName in rawDirectives) {
if (!Object.hasOwn(rawDirectives, rawDirectiveName)) {
continue
}
if (rawDirectiveName.length === 0 || /[^a-zA-Z0-9-]/.test(rawDirectiveName)) {
throw new Error(`Content-Security-Policy received an invalid directive name ${JSON.stringify(rawDirectiveName)}`)
}
const directiveName = dashify(rawDirectiveName)
if (directiveNamesSeen.has(directiveName)) {
throw new Error(`Content-Security-Policy received a duplicate directive ${JSON.stringify(directiveName)}`)
}
directiveNamesSeen.add(directiveName)
const rawDirectiveValue = rawDirectives[rawDirectiveName]
let directiveValue
if (rawDirectiveValue === null) {
if (directiveName === "default-src") {
throw new Error("Content-Security-Policy needs a default-src but it was set to `null`. If you really want to disable it, set it to `contentSecurityPolicy.dangerouslyDisableDefaultSrc`.")
}
directivesExplicitlyDisabled.add(directiveName)
continue
} else if (typeof rawDirectiveValue === "string") {
directiveValue = [rawDirectiveValue]
} else if (!rawDirectiveValue) {
throw new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}`)
} else if (rawDirectiveValue === dangerouslyDisableDefaultSrc) {
if (directiveName === "default-src") {
directivesExplicitlyDisabled.add("default-src")
continue
} else {
throw new Error(`Content-Security-Policy: tried to disable ${JSON.stringify(directiveName)} as if it were default-src; simply omit the key`)
}
} else {
directiveValue = rawDirectiveValue
}
for (const element of directiveValue) {
if (typeof element !== "string") continue
assertDirectiveValueIsValid(directiveName, element)
assertDirectiveValueEntryIsValid(directiveName, element)
}
result.set(directiveName, directiveValue)
}
if (useDefaults) {
Object.entries(defaultDirectives).forEach(([defaultDirectiveName, defaultDirectiveValue]) => {
if (!result.has(defaultDirectiveName) && !directivesExplicitlyDisabled.has(defaultDirectiveName)) {
result.set(defaultDirectiveName, defaultDirectiveValue)
}
})
}
if (!result.size) {
throw new Error("Content-Security-Policy has no directives. Either set some or disable the header")
}
if (!result.has("default-src") && !directivesExplicitlyDisabled.has("default-src")) {
throw new Error("Content-Security-Policy needs a default-src but none was provided. If you really want to disable it, set it to `contentSecurityPolicy.dangerouslyDisableDefaultSrc`.")
}
return result
}
function getHeaderValue(req, res, normalizedDirectives) {
const result = []
for (const [directiveName, rawDirectiveValue] of normalizedDirectives) {
let directiveValue = ""
for (const element of rawDirectiveValue) {
if (typeof element === "function") {
const newElement = element(req, res)
assertDirectiveValueEntryIsValid(directiveName, newElement)
directiveValue += " " + newElement
} else {
directiveValue += " " + element
}
}
if (directiveValue) {
assertDirectiveValueIsValid(directiveName, directiveValue)
result.push(`${directiveName}${directiveValue}`)
} else {
result.push(directiveName)
}
}
return result.join(";")
}
const contentSecurityPolicy = function contentSecurityPolicy(options = {}) {
const headerName = options.reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy"
const normalizedDirectives = normalizeDirectives(options)
return function contentSecurityPolicyMiddleware(req, res, next) {
const result = getHeaderValue(req, res, normalizedDirectives)
if (result instanceof Error) {
next(result)
} else {
res.setHeader(headerName, result)
next()
}
}
}
contentSecurityPolicy.getDefaultDirectives = getDefaultDirectives
contentSecurityPolicy.dangerouslyDisableDefaultSrc = dangerouslyDisableDefaultSrc
const ALLOWED_POLICIES$2 = new Set(["require-corp", "credentialless", "unsafe-none"])
function getHeaderValueFromOptions$6({policy = "require-corp"}) {
if (ALLOWED_POLICIES$2.has(policy)) {
return policy
} else {
throw new Error(`Cross-Origin-Embedder-Policy does not support the ${JSON.stringify(policy)} policy`)
}
}
function crossOriginEmbedderPolicy(options = {}) {
const headerValue = getHeaderValueFromOptions$6(options)
return function crossOriginEmbedderPolicyMiddleware(_req, res, next) {
res.setHeader("Cross-Origin-Embedder-Policy", headerValue)
next()
}
}
const ALLOWED_POLICIES$1 = new Set(["same-origin", "same-origin-allow-popups", "unsafe-none"])
function getHeaderValueFromOptions$5({policy = "same-origin"}) {
if (ALLOWED_POLICIES$1.has(policy)) {
return policy
} else {
throw new Error(`Cross-Origin-Opener-Policy does not support the ${JSON.stringify(policy)} policy`)
}
}
function crossOriginOpenerPolicy(options = {}) {
const headerValue = getHeaderValueFromOptions$5(options)
return function crossOriginOpenerPolicyMiddleware(_req, res, next) {
res.setHeader("Cross-Origin-Opener-Policy", headerValue)
next()
}
}
const ALLOWED_POLICIES = new Set(["same-origin", "same-site", "cross-origin"])
function getHeaderValueFromOptions$4({policy = "same-origin"}) {
if (ALLOWED_POLICIES.has(policy)) {
return policy
} else {
throw new Error(`Cross-Origin-Resource-Policy does not support the ${JSON.stringify(policy)} policy`)
}
}
function crossOriginResourcePolicy(options = {}) {
const headerValue = getHeaderValueFromOptions$4(options)
return function crossOriginResourcePolicyMiddleware(_req, res, next) {
res.setHeader("Cross-Origin-Resource-Policy", headerValue)
next()
}
}
function originAgentCluster() {
return function originAgentClusterMiddleware(_req, res, next) {
res.setHeader("Origin-Agent-Cluster", "?1")
next()
}
}
const ALLOWED_TOKENS = new Set(["no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url", ""])
function getHeaderValueFromOptions$3({policy = ["no-referrer"]}) {
const tokens = typeof policy === "string" ? [policy] : policy
if (tokens.length === 0) {
throw new Error("Referrer-Policy received no policy tokens")
}
const tokensSeen = new Set()
tokens.forEach(token => {
if (!ALLOWED_TOKENS.has(token)) {
throw new Error(`Referrer-Policy received an unexpected policy token ${JSON.stringify(token)}`)
} else if (tokensSeen.has(token)) {
throw new Error(`Referrer-Policy received a duplicate policy token ${JSON.stringify(token)}`)
}
tokensSeen.add(token)
})
return tokens.join(",")
}
function referrerPolicy(options = {}) {
const headerValue = getHeaderValueFromOptions$3(options)
return function referrerPolicyMiddleware(_req, res, next) {
res.setHeader("Referrer-Policy", headerValue)
next()
}
}
const DEFAULT_MAX_AGE = 365 * 24 * 60 * 60
function parseMaxAge(value = DEFAULT_MAX_AGE) {
if (value >= 0 && Number.isFinite(value)) {
return Math.floor(value)
} else {
throw new Error(`Strict-Transport-Security: ${JSON.stringify(value)} is not a valid value for maxAge. Please choose a positive integer.`)
}
}
function getHeaderValueFromOptions$2(options) {
if ("maxage" in options) {
throw new Error("Strict-Transport-Security received an unsupported property, `maxage`. Did you mean to pass `maxAge`?")
}
if ("includeSubdomains" in options) {
throw new Error('Strict-Transport-Security middleware should use `includeSubDomains` instead of `includeSubdomains`. (The correct one has an uppercase "D".)')
}
const directives = [`max-age=${parseMaxAge(options.maxAge)}`]
if (options.includeSubDomains === undefined || options.includeSubDomains) {
directives.push("includeSubDomains")
}
if (options.preload) {
directives.push("preload")
}
return directives.join("; ")
}
function strictTransportSecurity(options = {}) {
const headerValue = getHeaderValueFromOptions$2(options)
return function strictTransportSecurityMiddleware(_req, res, next) {
res.setHeader("Strict-Transport-Security", headerValue)
next()
}
}
function xContentTypeOptions() {
return function xContentTypeOptionsMiddleware(_req, res, next) {
res.setHeader("X-Content-Type-Options", "nosniff")
next()
}
}
function xDnsPrefetchControl(options = {}) {
const headerValue = options.allow ? "on" : "off"
return function xDnsPrefetchControlMiddleware(_req, res, next) {
res.setHeader("X-DNS-Prefetch-Control", headerValue)
next()
}
}
function xDownloadOptions() {
return function xDownloadOptionsMiddleware(_req, res, next) {
res.setHeader("X-Download-Options", "noopen")
next()
}
}
function getHeaderValueFromOptions$1({action = "sameorigin"}) {
const normalizedAction = typeof action === "string" ? action.toUpperCase() : action
switch (normalizedAction) {
case "SAME-ORIGIN":
return "SAMEORIGIN"
case "DENY":
case "SAMEORIGIN":
return normalizedAction
default:
throw new Error(`X-Frame-Options received an invalid action ${JSON.stringify(action)}`)
}
}
function xFrameOptions(options = {}) {
const headerValue = getHeaderValueFromOptions$1(options)
return function xFrameOptionsMiddleware(_req, res, next) {
res.setHeader("X-Frame-Options", headerValue)
next()
}
}
const ALLOWED_PERMITTED_POLICIES = new Set(["none", "master-only", "by-content-type", "all"])
function getHeaderValueFromOptions({permittedPolicies = "none"}) {
if (ALLOWED_PERMITTED_POLICIES.has(permittedPolicies)) {
return permittedPolicies
} else {
throw new Error(`X-Permitted-Cross-Domain-Policies does not support ${JSON.stringify(permittedPolicies)}`)
}
}
function xPermittedCrossDomainPolicies(options = {}) {
const headerValue = getHeaderValueFromOptions(options)
return function xPermittedCrossDomainPoliciesMiddleware(_req, res, next) {
res.setHeader("X-Permitted-Cross-Domain-Policies", headerValue)
next()
}
}
function xPoweredBy() {
return function xPoweredByMiddleware(_req, res, next) {
res.removeHeader("X-Powered-By")
next()
}
}
function xXssProtection() {
return function xXssProtectionMiddleware(_req, res, next) {
res.setHeader("X-XSS-Protection", "0")
next()
}
}
function getMiddlewareFunctionsFromOptions(options) {
const result = []
switch (options.contentSecurityPolicy) {
case undefined:
case true:
result.push(contentSecurityPolicy())
break
case false:
break
default:
result.push(contentSecurityPolicy(options.contentSecurityPolicy))
break
}
switch (options.crossOriginEmbedderPolicy) {
case undefined:
case false:
break
case true:
result.push(crossOriginEmbedderPolicy())
break
default:
result.push(crossOriginEmbedderPolicy(options.crossOriginEmbedderPolicy))
break
}
switch (options.crossOriginOpenerPolicy) {
case undefined:
case true:
result.push(crossOriginOpenerPolicy())
break
case false:
break
default:
result.push(crossOriginOpenerPolicy(options.crossOriginOpenerPolicy))
break
}
switch (options.crossOriginResourcePolicy) {
case undefined:
case true:
result.push(crossOriginResourcePolicy())
break
case false:
break
default:
result.push(crossOriginResourcePolicy(options.crossOriginResourcePolicy))
break
}
switch (options.originAgentCluster) {
case undefined:
case true:
result.push(originAgentCluster())
break
case false:
break
default:
console.warn("Origin-Agent-Cluster does not take options. Remove the property to silence this warning.")
result.push(originAgentCluster())
break
}
switch (options.referrerPolicy) {
case undefined:
case true:
result.push(referrerPolicy())
break
case false:
break
default:
result.push(referrerPolicy(options.referrerPolicy))
break
}
if ("strictTransportSecurity" in options && "hsts" in options) {
throw new Error("Strict-Transport-Security option was specified twice. Remove `hsts` to silence this warning.")
}
const strictTransportSecurityOption = options.strictTransportSecurity ?? options.hsts
switch (strictTransportSecurityOption) {
case undefined:
case true:
result.push(strictTransportSecurity())
break
case false:
break
default:
result.push(strictTransportSecurity(strictTransportSecurityOption))
break
}
if ("xContentTypeOptions" in options && "noSniff" in options) {
throw new Error("X-Content-Type-Options option was specified twice. Remove `noSniff` to silence this warning.")
}
const xContentTypeOptionsOption = options.xContentTypeOptions ?? options.noSniff
switch (xContentTypeOptionsOption) {
case undefined:
case true:
result.push(xContentTypeOptions())
break
case false:
break
default:
console.warn("X-Content-Type-Options does not take options. Remove the property to silence this warning.")
result.push(xContentTypeOptions())
break
}
if ("xDnsPrefetchControl" in options && "dnsPrefetchControl" in options) {
throw new Error("X-DNS-Prefetch-Control option was specified twice. Remove `dnsPrefetchControl` to silence this warning.")
}
const xDnsPrefetchControlOption = options.xDnsPrefetchControl ?? options.dnsPrefetchControl
switch (xDnsPrefetchControlOption) {
case undefined:
case true:
result.push(xDnsPrefetchControl())
break
case false:
break
default:
result.push(xDnsPrefetchControl(xDnsPrefetchControlOption))
break
}
if ("xDownloadOptions" in options && "ieNoOpen" in options) {
throw new Error("X-Download-Options option was specified twice. Remove `ieNoOpen` to silence this warning.")
}
const xDownloadOptionsOption = options.xDownloadOptions ?? options.ieNoOpen
switch (xDownloadOptionsOption) {
case undefined:
case true:
result.push(xDownloadOptions())
break
case false:
break
default:
console.warn("X-Download-Options does not take options. Remove the property to silence this warning.")
result.push(xDownloadOptions())
break
}
if ("xFrameOptions" in options && "frameguard" in options) {
throw new Error("X-Frame-Options option was specified twice. Remove `frameguard` to silence this warning.")
}
const xFrameOptionsOption = options.xFrameOptions ?? options.frameguard
switch (xFrameOptionsOption) {
case undefined:
case true:
result.push(xFrameOptions())
break
case false:
break
default:
result.push(xFrameOptions(xFrameOptionsOption))
break
}
if ("xPermittedCrossDomainPolicies" in options && "permittedCrossDomainPolicies" in options) {
throw new Error("X-Permitted-Cross-Domain-Policies option was specified twice. Remove `permittedCrossDomainPolicies` to silence this warning.")
}
const xPermittedCrossDomainPoliciesOption = options.xPermittedCrossDomainPolicies ?? options.permittedCrossDomainPolicies
switch (xPermittedCrossDomainPoliciesOption) {
case undefined:
case true:
result.push(xPermittedCrossDomainPolicies())
break
case false:
break
default:
result.push(xPermittedCrossDomainPolicies(xPermittedCrossDomainPoliciesOption))
break
}
if ("xPoweredBy" in options && "hidePoweredBy" in options) {
throw new Error("X-Powered-By option was specified twice. Remove `hidePoweredBy` to silence this warning.")
}
const xPoweredByOption = options.xPoweredBy ?? options.hidePoweredBy
switch (xPoweredByOption) {
case undefined:
case true:
result.push(xPoweredBy())
break
case false:
break
default:
console.warn("X-Powered-By does not take options. Remove the property to silence this warning.")
result.push(xPoweredBy())
break
}
if ("xXssProtection" in options && "xssFilter" in options) {
throw new Error("X-XSS-Protection option was specified twice. Remove `xssFilter` to silence this warning.")
}
const xXssProtectionOption = options.xXssProtection ?? options.xssFilter
switch (xXssProtectionOption) {
case undefined:
case true:
result.push(xXssProtection())
break
case false:
break
default:
console.warn("X-XSS-Protection does not take options. Remove the property to silence this warning.")
result.push(xXssProtection())
break
}
return result
}
const helmet = Object.assign(
function helmet(options = {}) {
// People should be able to pass an options object with no prototype,
// so we want this optional chaining.
// eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
if (options.constructor?.name === "IncomingMessage") {
throw new Error("It appears you have done something like `app.use(helmet)`, but it should be `app.use(helmet())`.")
}
const middlewareFunctions = getMiddlewareFunctionsFromOptions(options)
return function helmetMiddleware(req, res, next) {
let middlewareIndex = 0
;(function internalNext(err) {
if (err) {
next(err)
return
}
const middlewareFunction = middlewareFunctions[middlewareIndex]
if (middlewareFunction) {
middlewareIndex++
middlewareFunction(req, res, internalNext)
} else {
next()
}
})()
}
},
{
contentSecurityPolicy,
crossOriginEmbedderPolicy,
crossOriginOpenerPolicy,
crossOriginResourcePolicy,
originAgentCluster,
referrerPolicy,
strictTransportSecurity,
xContentTypeOptions,
xDnsPrefetchControl,
xDownloadOptions,
xFrameOptions,
xPermittedCrossDomainPolicies,
xPoweredBy,
xXssProtection,
// Legacy aliases
dnsPrefetchControl: xDnsPrefetchControl,
xssFilter: xXssProtection,
permittedCrossDomainPolicies: xPermittedCrossDomainPolicies,
ieNoOpen: xDownloadOptions,
noSniff: xContentTypeOptions,
frameguard: xFrameOptions,
hidePoweredBy: xPoweredBy,
hsts: strictTransportSecurity
}
)
export {contentSecurityPolicy, crossOriginEmbedderPolicy, crossOriginOpenerPolicy, crossOriginResourcePolicy, helmet as default, xDnsPrefetchControl as dnsPrefetchControl, xFrameOptions as frameguard, xPoweredBy as hidePoweredBy, strictTransportSecurity as hsts, xDownloadOptions as ieNoOpen, xContentTypeOptions as noSniff, originAgentCluster, xPermittedCrossDomainPolicies as permittedCrossDomainPolicies, referrerPolicy, strictTransportSecurity, xContentTypeOptions, xDnsPrefetchControl, xDownloadOptions, xFrameOptions, xPermittedCrossDomainPolicies, xPoweredBy, xXssProtection, xXssProtection as xssFilter}
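Review bot: The duplicate-option checks at the top of each block throw an `Error` whose message ends "to silence this warning" (e.g. `throw new Error("Strict-Transport-Security option was specified twice. Remove \`hsts\` to silence this warning.")`), so the developer reading the message expects a warning while the process actually fails at startup; the wording should say "to fix this error". Note also the asymmetry between the `default` cases: the four headers that take no options (`xContentTypeOptions`, `xDownloadOptions`, `xPoweredBy`, `xXssProtection`) only `console.warn` and still set the header, while `strictTransportSecurity`, `xDnsPrefetchControl`, `xFrameOptions` and `xPermittedCrossDomainPolicies` pass the value straight through to the individual middleware, so validation of an unexpected `hsts` or `frameguard` value happens there, not in this function. Since this is helmet's built entry point (the `export` line at the end carries the package's legacy aliases such as `frameguard`, `noSniff` and `hsts`) rather than project code, neither point should be patched in this repository; they belong upstream, and the file should be treated as read-only vendored output.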

48
backend/apis/nodejs/node_modules/helmet/package.json generated vendored Normal file

@ -0,0 +1,48 @@
{
"name": "helmet",
"description": "help secure Express/Connect apps with various HTTP headers",
"version": "8.1.0",
"author": "Adam Baldwin <adam@npmjs.com> (https://evilpacket.net)",
"contributors": [
"Evan Hahn <me@evanhahn.com> (https://evanhahn.com)"
],
"homepage": "https://helmetjs.github.io/",
"bugs": {
"url": "https://github.com/helmetjs/helmet/issues",
"email": "me@evanhahn.com"
},
"repository": {
"type": "git",
"url": "git://github.com/helmetjs/helmet.git"
},
"license": "MIT",
"keywords": [
"express",
"security",
"headers",
"backend",
"content-security-policy",
"cross-origin-embedder-policy",
"cross-origin-opener-policy",
"cross-origin-resource-policy",
"origin-agent-cluster",
"referrer-policy",
"strict-transport-security",
"x-content-type-options",
"x-dns-prefetch-control",
"x-download-options",
"x-frame-options",
"x-permitted-cross-domain-policies",
"x-powered-by",
"x-xss-protection"
],
"engines": {
"node": ">=18.0.0"
},
"exports": {
"import": "./index.mjs",
"require": "./index.cjs"
},
"main": "./index.cjs",
"types": "./index.d.cts"
}
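Review bot: This adds `backend/apis/nodejs/node_modules/helmet/package.json` as a generated vendored file, i.e. a third-party dependency committed at a frozen snapshot (`"version": "8.1.0"`, `"engines": { "node": ">=18.0.0" }`). With `node_modules` in the repository, later helmet releases, including any security fixes, only reach the application when someone re-commits the directory, and the vendored copy is not checked against a lockfile's recorded integrity hashes the way an `npm ci` install would be. Suggest dropping `node_modules/` from the commit and adding it to `.gitignore`, declaring `helmet` in the application's own `package.json` alongside a committed lockfile, and confirming the deployment runtime satisfies the declared `>=18.0.0`, since the `"exports"` map here relies on conditional `import`/`require` resolution.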