npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

fetch-metadata

v1.0.0

Published

Node.js middleware for enforcing Fetch metadata request header checking

Downloads

152

Readme

Fetch Metadata Request Headers Middleware

This project is Node.js middleware for enforcing browser Fetch metadata request headers. This helps in preventing CSRF, XSSI and information leaking attacks. Use it to add to your defense in depth security strategy.

Installation

Install the middleware from NPM

npm install fetch-metadata

Usage

Once installed, import and use the middleware as you would for any other Express.js/Connect middleware:

import fetchMetadata from 'fetch-metadata'

app.use(fetchMetadata())

The middleware takes an optional config object with defaults shown below:

app.use(
  fetchMetadata({
    allowedFetchSites: ['same-origin', 'same-site', 'none'],
    disallowedNavigationRequests: ['object', 'embed'],
    errorStatusCode: 403,
    allowedPaths: [],
    onError: (request, response, next, options) => {
      // Responds with `errorStatusCode` by default
      response.statusCode = options.errorStatusCode
      response.end()
    },
  })
)

Config Options

allowedFetchSites

Array of all the Sec-Fetch-Site request header values to allow.

The current possible values are:

  • same-origin: request came from your own application
  • same-site: request came from a subdomain of your own application
  • none: request came from user's interaction with the user agent (e.g. clicking on a bookmark)
  • cross-site: request came from a completely different site

disallowedNavigationRequests

Array of all the Sec-Fetch-Dest request header values to block for navigation requests. With the defaults set to block object and embed top-level GET requests, your site can still be linked to from other sites and embedded in an iframe (if you don't block that with something else).

If you want to disable this setting, set an empty array.

errorStatusCode

The HTTP status code to return when a request is blocked.

allowedPaths

Optionally, specify an array of route paths that you want to allow regardless of any of the other checks. You can also specify this for a specific HTTP method to allow a POST to /api/public/route for instance.

Examples
const allowedPaths = [
  '/api/public/route', // plain string
  '/products(/:productId)', // string with dynamic parts
  {
    path: '/api/public/route',
    method: 'GET',
  }, // object with plain string path and method
  {
    path: '/products(/:productId)',
    method: 'POST',
  }, // object with string with dynamic parts and method
]

As you can see, you can mix and match strings with objects and the paths can have dynamic parts, similar to how Express.js routes work.

Allowed paths can have any pattern that url-pattern can match.

onError

A callback function that will be called with a request was blocked. The function is called with the request, response, next and options objects, where the first three objects are the standard middleware arguments and the options object is a copy of the current configuration of this middleware.

By default, this callback will simply respond with the errorStatusCode that you've set (or 403). This callback is a great place is you want to log any blocked requests or even by-pass the block completely by calling next() here while you're testing this middleware.

License

MIT License