
Make response security headers built-in

Open ceilfors opened this issue 5 years ago • 0 comments

Is your feature request related to a problem? Please describe.

It's common to configure security headers in API endpoints. See: https://github.com/helmetjs/helmet. We needed to configure this manually in most of our projects after we got a penetration testing report.

The one that always comes back to us is: 'Strict-Transport-Security': 'max-age=.....; includeSubdomains;'

Describe the solution you'd like

Something like this:

const adapterApi = require("@laconia/adapter-api");

const apigateway = adapterApi.apigateway({
  responseSecurityHeaders: true // Should `true` be default? Is this a breaking change?
})

exports.handler = laconia(apigateway(app)).register(instances);

In our first iteration, we can support only all the sensible defaults, and support customisation in the next iteration like:

const apigateway = adapterApi.apigateway({
  responseSecurityHeaders: {
    // options
  }
})

See middy middleware for better inspiration too: https://github.com/middyjs/middy/blob/master/docs/middlewares.md#httpsecurityheaders

ceilfors, Jun 29 '19 22:06