
kepi

v1.0.2

Published

lightweight HTTP headers

Downloads

6

Readme

Kepi is a small, elegant, and dependency free library for setting HTTP response headers.


Usage

Example Configuration

Simplest is to have as much as possible in a constant object ("declarative")

const Kepi = require('kepi');

let kepi = Kepi({
  'X-Powered-By': 'super duper system',
  'Content-Type': ['text/html', 'charset=utf-8'],
  'Feature-Policy': {
    vibrate: "'none'",
    geolocation: "'self'",
  },
});

Later, you can add more headers declaratively

kepi.add({ 'Content-Encoding': ['deflate', 'gzip'] });

But sometimes you just need to add stuff dynamically

let methodArray = ['GET', 'POST'];  // sample values; insert the methods you allow here
kepi.accessControl.allowMethods().add(...methodArray);
kepi.header('Expires').set(Date.now() + 60*60*1000);  // good for one hour

In roll-your-own code

kepi.applyTo(myResponse);

In Express

app.use(kepi.middleware());

- If you just want to mimic (more or less) helmet

app.use(kepi().safe().middleware());

In Micro (note: not tested in a real app!)

const originalMicroHandler = (req, res) => { /* ... */ };
module.exports = kepi.micro(originalMicroHandler);

API

Kepi

constructor(data, customOptions)

data can be

  • null
  • an Object (see example above). In many cases this is all you really need.
  • "safe": same as calling safe()

customOptions are described under Customization below

add(data)

Add that data object to the headers. (same logic as for constructor, including "safe")

applyTo(response)

Write the headers into response.

header(headerName, optionalData)

Retrieve the Header with that name, creating if necessary, setting with optional data. Name may be

  • the full name, e.g. "Content-Security-Policy"
  • a "nickname", e.g. "contentSecurityPolicy" (see Customization)

middleware()

For use in Express. Should be modifiable for others

safe()

Sets all headers in options.SAFE or options.safe, creating if needed.

Header - base class for the following subclasses

Value

  • a single value (usually a String)
  • e.g. Transfer-Encoding

DateValue

  • a single Date,
  • e.g. Expires
  • numbers get converted to a Date, null or 0 to current date.

List

  • a list of values, usually comma delimited (but sometimes semicolon)
  • e.g. Content-Encoding (comma) or Strict-Transport-Security (semicolon)

Policies

  • one or more semicolon delimited Policies
  • each Policy consists of a name and space delimited values.
  • e.g. Content-Security-Policy
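
The four value shapes above, serialized to the strings that end up on the wire. This is an added example, not kepi's own code: the function names, the per-header delimiter and date tables, and the CR/LF check on dynamic values are assumptions made for illustration.

```javascript
// Added illustration, not kepi's source: all names below are hypothetical.
const SEMICOLON_LISTS = new Set(['content-type', 'strict-transport-security']);
const DATE_HEADERS = new Set(['expires']);

// Refuse CR/LF so a dynamically supplied value cannot inject extra headers.
function clean(item) {
  const text = String(item);
  if (/[\r\n]/.test(text)) throw new TypeError('CR/LF in header value');
  return text;
}

// Turn one declarative entry into the string that goes on the wire.
function serialize(name, value) {
  const key = name.toLowerCase();
  if (DATE_HEADERS.has(key)) {
    // DateValue: numbers become a Date; null or 0 means "now".
    const date = value instanceof Date ? value : new Date(value || Date.now());
    return date.toUTCString();
  }
  if (Array.isArray(value)) {
    // List: flatten one level, join with the delimiter this header uses.
    return value.flat().map(clean).join(SEMICOLON_LISTS.has(key) ? '; ' : ', ');
  }
  if (value !== null && typeof value === 'object') {
    // Policies: "name value value; name value".
    return Object.entries(value)
      .map(([policy, items]) => [policy].concat(items).map(clean).join(' '))
      .join('; ');
  }
  return clean(value); // Value: a single string
}

// Write every configured header into anything exposing setHeader(name, value).
function applyTo(config, response) {
  for (const [name, value] of Object.entries(config)) {
    response.setHeader(name, serialize(name, value));
  }
  return response;
}

// Constructed sample config and a stand-in response object.
const sample = {
  'Content-Type': ['text/html', 'charset=utf-8'],
  'Content-Encoding': ['deflate', 'gzip'],
  'Feature-Policy': { vibrate: "'none'", geolocation: "'self'" },
  Expires: 3600000,
};
const fakeResponse = { headers: {}, setHeader(n, v) { this.headers[n] = v; } };
console.log(applyTo(sample, fakeResponse).headers);
```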

Header Methods

add(data)

Adds data to the header value

  • List.add(...items)
    • e.g. add('a','b') is equivalent to add(['a','b'])
  • Policies.add(policyNameorData, ...items)
    • if first argument is a String, adds items to that policyName
    • else parses policyNameorData as a data object
  • note items will be flattened one level deep, so add('a','b') is equivalent to add(['a','b'])

applyTo(response)

Write the header to the response. You will seldom call this directly.

clear()

Clear the value, to "", [], or {} as appropriate

  • Policies.clear(policyName) takes an optional policy name, if provided, only that policy is cleared.

remove()

Flags this header to be removed from any response. Warning: cannot be "unflagged".

safe()

Set the header to a "safe" value, as provided in the options.

set(value)

Sets the value

  • List.set(...items) like add(), items will be flattened

Customization

You can customize or add to behavior by passing a customOptions parameter to the Kepi function. This will get Object.assigned onto the default settings in defaults.js.

Simple Options

  • setupNicknames (default = true) controls if nicknames are setup
  • resetAfterApply (default = false) will reset to initial data after calling applyTo()

Complex Options

Since Object.assign is shallow, and making a deep copy is a bit of a pain, instead, provide complex user options in the lowercase properties given at the end of defaults.js.

  • headerClasses allows you to add or override the class for a Header
  • nicknames lets you add nickname shortcuts (but see setupNicknames)
    • e.g. you can use kepi.featurePolicy() instead of kepi.header("Feature-Policy")
      • Note: Unlike in helmet, you must add parentheses at the end.
  • safe allows you to add or override the "security safe" values for headers

Notes, Todos, and Caveats

This work was inspired when I ran a Security Header Audit on one of my websites and got back a lot of angry red. This quickly led me to helmet, a popular, well tested, and well documented Express middleware. However, helmet really only sets "secure" headers, and is of little use setting general purpose response headers. It has many dependencies and sucks down a lot of code.

To my surprise, I didn't see any general purpose "setup your response headers" npm module. This is my attempt to fill that need.