feat: add in support for reportingEndpoints

closes #1249
middyjs · Oct 26, 2024 · fc85b3e · fc85b3e
1 parent d6e914b
commit fc85b3e
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 17 deletions.
diff --git a/packages/http-security-headers/__tests__/index.js b/packages/http-security-headers/__tests__/index.js
@@ -155,6 +155,10 @@ test('It should modify default security headers with config set', async (t) => {
       },
       reportTo: {
         default: 'https://example.report-uri.com/a/d/g'
+      },
+      reportingEndpoints: {
+        csp: 'https://example.report-uri.com/a/d/g',
+        perms: 'https://example.report-uri.com/a/d/g'
       }
     })
   )
@@ -171,7 +175,11 @@ test('It should modify default security headers with config set', async (t) => {
   equal(response.headers['Referrer-Policy'], undefined)
   equal(
     response.headers['Report-To'],
-    '{ "group": "default", "max_age": 31536000, "endpoints": [ { "url": "31536000" } ] }, { "group": "default", "max_age": 31536000, "endpoints": [ { "url": "https://example.report-uri.com/a/d/g" } ], "include_subdomains": true }'
+    '{ "group": "default", "max_age": 31536000, "endpoints": [ { "url": "https://example.report-uri.com/a/d/g" } ], "include_subdomains": true }'
+  )
+  equal(
+    response.headers['Reporting-Endpoints'],
+    'csp="https://example.report-uri.com/a/d/g", perms="https://example.report-uri.com/a/d/g"'
   )
   equal(
     response.headers['Permissions-Policy'],

diff --git a/packages/http-security-headers/index.js b/packages/http-security-headers/index.js
@@ -114,18 +114,15 @@ const defaults = {
   referrerPolicy: {
     policy: 'no-referrer'
   },
-  reportingEndpoints: {
-    csp: '',
-    permissions: ''
-  },
+  reportingEndpoints: {},
   reportTo: {
     maxAge: 365 * 24 * 60 * 60,
-    default: '',
-    includeSubdomains: true,
-    csp: '',
-    permissions: '',
-    staple: '',
-    xss: ''
+    // default: '',
+    includeSubdomains: true
+    // csp: '',
+    // permissions: '',
+    // staple: '',
+    // xss: ''
   },
   strictTransportSecurity: {
     maxAge: 180 * 24 * 60 * 60,
@@ -196,6 +193,7 @@ helmet.referrerPolicy = (headers, config) => {
 helmetHtmlOnly.reportTo = (headers, config) => {
   headers['Report-To'] = Object.keys(config)
     .map((group) => {
+      if (group === 'includeSubdomains' || group === 'maxAge') return ''
       const includeSubdomains =
         group === 'default'
           ? `, "include_subdomains": ${config.includeSubdomains}`
@@ -209,12 +207,13 @@ helmetHtmlOnly.reportTo = (headers, config) => {
 }
 
 helmet.reportingEndpoints = (headers, config) => {
-  headers['Reporting-Endpoints'] = Object.keys(config)
-    .map((group) => {
-      return config[group] && group + '-endpoint=' + config[group]
-    })
-    .filter((str) => str)
-    .join(', ')
+  headers['Reporting-Endpoints'] = ''
+  const keys = Object.keys(config)
+  for (let i = 0, l = keys.length; i < l; i++) {
+    if (i) headers['Reporting-Endpoints'] += ', '
+    const key = keys[i]
+    headers['Reporting-Endpoints'] += key + '="' + config[key] + '"'
+  }
 }
 
 // https://github.com/helmetjs/hsts

diff --git a/website/docs/upgrade/4-5.md b/website/docs/upgrade/4-5.md
@@ -100,6 +100,7 @@ No change
 ### [http-security-headers](/docs/middlewares/http-security-headers)
 
 - Add in support for `Content-Security-Policy-Report-Only` ([#1248](https://github.com/middyjs/middy/issues/1248))
+- Add in support for `Reporting-Endpoints` ([#1249](https://github.com/middyjs/middy/issues/1249))
 
 ### [http-urlencode-body-parser](/docs/middlewares/http-urlencode-body-parser)