Morgan Conrad

kepi

NPM package to set and manage response headers

Kepi is a small, elegant, and dependency-free library for setting HTTP response headers.

Usage

Example Configuration

The simplest approach is to put as much as possible in a constant object ("declarative"):

    const Kepi = require('kepi');

    let kepi = Kepi({
      'X-Powered-By': 'super duper system',
      'Content-Type': ['text/html', 'charset=utf-8'],
      'Feature-Policy': {
        vibrate: "'none'",
        geolocation: "'self'",
      },
    });

Later, you can add more headers declaratively

    kepi.add({ 'Content-Encoding': ['deflate', 'gzip'] });  // hyphenated header names must be quoted

But sometimes you just need to add stuff dynamically

    let methodArray = ['GET', 'POST'];  // example values: insert the methods you allow here
    kepi.accessControl.allowMethods().add(...methodArray);
    kepi.header('Expires').set(Date.now() + 60*60*1000);  // good for one hour

In roll-your-own code

    kepi.applyTo(myResponse);

In Express

    app.use(kepi.middleware());

If you just want to mimic (more or less) helmet

    // Kepi is the factory returned by require('kepi')
    app.use(Kepi().safe().middleware());

In Micro (note: not tested in a real app!)

    const originalMicroHandler = (req, res) => { /* ... */ };
    module.exports = kepi.micro(originalMicroHandler);

API

Kepi

constructor(data, customOptions)

data can be

customOptions are described under Customization below

add(data)

Adds the data object to the headers (same logic as for the constructor, including "safe").

applyTo(response)

Write the headers into response.

header(headerName, optionalData)

Retrieve the Header with that name, creating if necessary, setting with optional data. Name may be

middleware()

For use in Express. Should be modifiable for other frameworks.

safe()

Sets all headers in options.SAFE or options.safe, creating if needed.

Header - base class for the following subclasses

Value

DateValue

List

Policies

Header Methods

add(data)

Adds data to the header value

applyTo(response)

Write the header to the response. You will seldom call this directly.

clear()

Clear the value, to "", [], or {} as appropriate

remove()

Flags this header to be removed from any response. Warning: cannot be "unflagged".

safe()

Set the header to a "safe" value, as provided in the options.

set(value)

Sets the value

Customization

You can customize or add to behavior by passing a customOptions parameter to the Kepi function. These options are merged onto the default settings in defaults.js with Object.assign.

Simple Options

Complex Options

Since Object.assign is shallow, and making a deep copy is a bit of a pain, provide complex user options in the lowercase properties given at the end of defaults.js instead.
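The shallow-merge pitfall described above, as an added example (not kepi's own code): the `DEFAULTS` object and its header values are constructed stand-ins for defaults.js, and `resolveSafe` is a hypothetical way of layering the lowercase `safe` entries over the uppercase `SAFE` defaults.

```javascript
// Constructed stand-in for a defaults object; NOT the real contents of defaults.js.
const DEFAULTS = {
  SAFE: {
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Referrer-Policy': 'no-referrer',
  },
  safe: {}, // lowercase slot reserved for user-supplied overrides
};

// Same merge the Customization section describes: Object.assign copies only
// top-level properties, so a nested object is replaced wholesale, not merged.
function shallowMerge(customOptions) {
  return Object.assign({}, DEFAULTS, customOptions);
}

// Hypothetical resolution step (an assumption, not kepi's implementation):
// user entries in `safe` are layered over the untouched defaults in `SAFE`.
function resolveSafe(options) {
  return Object.assign({}, options.SAFE, options.safe);
}

function headerNames(headers) {
  return Object.keys(headers).sort();
}

// The user wants to change exactly one "safe" header.
const override = { 'X-Frame-Options': 'SAMEORIGIN' };

// Pitfall: overriding the uppercase property silently drops the other two
// security headers, because the whole SAFE object is replaced.
const clobbered = shallowMerge({ SAFE: override });

// Lowercase property: the defaults survive and only one value changes.
const layered = resolveSafe(shallowMerge({ safe: override }));

console.log('override via SAFE:', headerNames(clobbered.SAFE));
console.log('override via safe:', headerNames(layered));
```

A quick regression check for any options object is to compare the header names that end up in the response against the list you expect, so a dropped security header is caught before deployment.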

Notes, Todos, and Caveats

This work was inspired when I ran a Security Header Audit on one of my websites and got back a lot of angry red. This quickly led me to helmet, a popular, well tested, and well documented Express middleware. However, helmet really only sets "secure" headers, and is of little use setting general purpose response headers. It has many dependencies and sucks down a lot of code.

To my surprise, I didn't see any general purpose "setup your response headers" npm module. This is my attempt to fill that need.
