Skip to content

Commit

Permalink
feat: prepare initial release (#24)
Browse files Browse the repository at this point in the history
  • Loading branch information
Jesse Anderson authored Jan 13, 2022
1 parent bcf9002 commit bf2864b
Show file tree
Hide file tree
Showing 21 changed files with 819 additions and 98 deletions.
91 changes: 91 additions & 0 deletions .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
name: Release

on:
push:
branches:
- main
- next
- next-major
- alpha
- beta
# N.x (maintenance release branches)
- '[0-9]+.x'

concurrency:
group: release-${{ github.ref }}

env:
NODE_VERSION: 16.x

jobs:
publish:
name: publish
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Use Node.js ${{ env.NODE_VERSION }}
uses: actions/setup-node@v2
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'yarn'

- name: Configure package manager
run: |
echo Configuring NPM_TOKEN globally for .npmrc
npm config set '//registry.npmjs.org/:_authToken' ${{ env.NPM_TOKEN }}
npm whoami
env:
NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

- name: Install dependencies
run: yarn install --frozen-lockfile

- name: Lint
run: yarn lint

- name: Test
run: yarn test --coverage --silent

- name: Build
run: yarn build

# TODO: [PLAT-1191] Re-enable once support for no comment
# - name: Report Coverage
# uses: reside-eng/code-coverage-action@v1
# with:
# github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Semantic Release
uses: cycjimmy/semantic-release-action@v2
id: semantic
with:
branches: |
[
'+([0-9])?(.{+([0-9]),x}).x',
'main',
'next',
'next-major',
{name: 'beta', prerelease: true},
{name: 'alpha', prerelease: true}
]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

notification:
if: always()
name: notification
needs: [publish]
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v2

- uses: technote-space/workflow-conclusion-action@v2.2.2

- uses: reside-eng/workflow-status-notification-action@v1.0.0
with:
current-status: ${{ env.WORKFLOW_CONCLUSION }}
slack-webhook: ${{ secrets.SLACK_WEBHOOK_PLATFORM_PROD }}
github-token: ${{ secrets.GITHUB_TOKEN }}
74 changes: 74 additions & 0 deletions CODE_OF_CONDUCT.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
# Contributor Covenant Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, gender identity and expression, level of experience,
nationality, personal appearance, race, religion, or sexual identity and
orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment
include:

- Using welcoming and inclusive language
- Being respectful of differing viewpoints and experiences
- Gracefully accepting constructive criticism
- Focusing on what is best for the community
- Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

- The use of sexualized language or imagery and unwelcome sexual attention or
advances
- Trolling, insulting/derogatory comments, and personal or political attacks
- Public or private harassment
- Publishing others' private information, such as a physical or electronic
address, without explicit permission
- Other conduct which could reasonably be considered inappropriate in a
professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at prescottprue@gmail.com. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at [http://contributor-covenant.org/version/1/4][version]

[homepage]: http://contributor-covenant.org
[version]: http://contributor-covenant.org/version/1/4/
5 changes: 5 additions & 0 deletions CONTRIBUTING.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
```javascript
// TODO codify policies for contributors
```

For more information, see: [Contributing Policy](./README.md#contributing-policy)
203 changes: 202 additions & 1 deletion README.md
View file
Original file line number Diff line number Diff line change
@@ -1 +1,202 @@
# fortifyjs
<div align="center">
<h1>@side/fortifyjs</h1>
<div>A platform-agnostic lib for generating security headers for your web application.</div>
</br>
</div>

<div align="center">

[![NPM version][npm-image]][npm-url]
[![License][license-image]][license-url]

[![Build Status][build-status-image]][build-status-url]
[![semantic-release][semantic-release-icon]][semantic-release-url]
[![Code Style][code-style-image]][code-style-url]

</div>

## Getting Started

Modern web applications don't just need a helmet; they need a fortress. FortifyJS is just that, the walls to gate client and server-side requests in a world where attackers can manipulate the browser in many ways to break into your web application and steal information of trade secrets.

While [helmet.js](https://helmetjs.github.io/) is useful for [express](https://expressjs.com/) applications, in a world of alternatives to express popping up and different ways of writing JavaScript applications on the rise, there needs to be an alternative that abstracts the production of valid security headers out of our modern applications. FortifyJS exists in this niche. FortifyJS is solely responsible for providing a representation that is useful in setting headers in consumer applications. FortifyJS takes control of the headers; you take over and implement them in your application.

FortifyJS also differs in that it seeks to provide a comprehensive set of security headers to form a default posture for any application.

### Installation

Install through your package manager within an existing project:

```bash
yarn add @side/fortifyjs
```

### How-to

FortifyJS exports one function: `fortifyHeaders`. FortifyJS takes an object literal with properties that match each supported security header. This function returns an object mapping ths string header name (e.g. `X-Content-Type-Options`) to a value (e.g. `nosniff`).

The current default configuration can be expressed like this:

```javascript
import { fortifyHeaders, FortifySettings } from '@side/fortifyjs';

const headers = fortifyHeaders({
xContentTypeOptions: {
nosniff: true,
},
contentSecurityPolicy: {
defaultSrc: ["'self'"],
baseUri: ["'self'"],
fontSrc: ["'self'", 'https:', 'data:'],
frameAncestors: ["'self'"],
imgSrc: ["'self'", "'data:'"],
objectSrc: ["'none'"],
scriptSrc: ["'self'"],
scriptSrcAttr: ["'none'"],
styleSrc: ["'self'", "'https:'", "'unsafe-inline'"],
upgradeInsecureRequests: true,
},
crossOriginEmbedderPolicy: {
requireCorp: true,
},
crossOriginOpenerPolicy: {
sameOrigin: true,
},
crossOriginResourcePolicy: {
sameOrigin: true,
},
expectCt: {
maxAge: 0,
},
originAgentCluster: {
enable: true,
},
referrerPolicy: {
noReferrer: true,
},
strictTransportSecurity: {
maxAge: 15552000,
},
xContentTypeOptions: {
noSniff: true,
},
xDnsPrefetchControl: {
off: true,
},
xDownloadOptions: {
noopen: true,
},
xFrameOptions: {
sameOrigin: true,
},
xPermittedCrossDomainPolicies: {
none: true,
},
});

/** @type {FortifySettings} */
console.log(headers);
/*
* {
'Content-Security-Policy':
"default-src 'self'; base-uri 'self'; font-src 'self' https: data:; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests",
'Cross-Origin-Embedder-Policy': 'require-corp',
'Cross-Origin-Opener-Policy': 'same-origin',
'Cross-Origin-Resource-Policy': 'same-origin',
'Expect-Ct': 'max-age=0',
'Origin-Agent-Cluster': '?1',
'Referrer-Policy': 'no-referrer',
'Strict-Transport-Security': 'max-age=15552000',
'X-Content-Type-Options': 'nosniff',
'X-Dns-Prefetch-Control': 'off',
'X-Download-Options': 'noopen',
'X-Frame-Options': 'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies': 'none',
}
*/
```

You can choose to use these defaults by setting the fortify header to an empty object. This can be done globally:

```javascript
import { fortifyHeaders, FortifySettings } from '@side/fortifyjs';

const headers = fortifyHeaders({});

/** @type {FortifySettings} */
console.log(headers); // same as above
```

Or, you can choose to pull in individual header default postures:

```javascript
import { fortifyHeaders, FortifySettings } from '@side/fortifyjs';

const headers = fortifyHeaders({
contentSecurityPolicy: {},
});

/** @type {FortifySettings} */
console.log(headers); // same as above
/*
* {
'Content-Security-Policy':
"default-src 'self'; base-uri 'self'; font-src 'self' https: data:; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests",
}
*/
```

You can then use this object to integrate within the platform of your choice: `next`, `fastify`, etc.

## Header Inclusion Strategy

The strategy for this problem is building a lib that can be consumed by packages that integrate with these different providers: `next`, `fastify`, etc.

Since this library is specifically for delivering the relevant headers to secure modern web applications, it not contain information about `X-Powered-By`. This header is typically removed completely. FortifyJS only provides ones that ought to be _included_, not _excluded_. This should be handled at the consumer-level in whichever platform you're integrating the security headers into.

### Supported Headers

| Header Name | Default Value | Details |
| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------- |
| Content-Security-Policy | default-src 'self'; base-uri 'self'; font-src 'self' https: data:; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests | [Link][content-security-policy-url] |
| Cross-Origin-Embedder-Policy | require-corp | [Link][cross-origin-embedder-policy-url] |
| Cross-Origin-Opener-Policy | same-origin | [Link][cross-origin-opener-policy-url] |
| Cross-Origin-Resource-Policy | same-origin | [Link][cross-origin-resource-policy-url] |
| Expect-Ct | max-age=0 | [Link][expect-ct-url] |
| Origin-Agent-Cluster | ?1 | [Link][origin-agent-cluster-url] |
| Referrer-Policy | no-referrer | [Link][referrer-policy-url] |
| Strict-Transport-Security | max-age=15552000 | [Link][strict-transport-security-url] |
| X-Content-Type-Options | nosniff | [Link][x-content-type-options-url] |
| X-Dns-Prefetch-Control | off | [Link][x-dns-prefetch-control-url] |
| X-Download-Options | noopen | [Link][x-download-options-url] |
| X-Frame-Options | SAMEORIGIN | [Link][x-frame-options-url] |
| X-Permitted-Cross-Domain-Policies | none | [Link][x-permitted-cross-domain-policies-url] |
| --------------------------- |

### Contributing Policy

The development team at Side is currently investigating the best expression of Codes of Conduct and Contributing Guidelines to fit our culture and values. FortifyJS is a Free and Open Source software solution that is licensed under MIT. If you desire to contribute to extend the functionality or address an issue, please maintain professional communication practices. That alone goes a long way toward effective collaboration and benefiting the community at large!

[content-security-policy-url]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
[cross-origin-embedder-policy-url]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
[cross-origin-opener-policy-url]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
[cross-origin-resource-policy-url]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
[expect-ct-url]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
[origin-agent-cluster-url]: https://web.dev/origin-agent-cluster/
[referrer-policy-url]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
[strict-transport-security-url]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
[x-content-type-options-url]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
[x-dns-prefetch-control-url]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
[x-download-options-url]: https://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions#:~:text=The%20X%2DDownload%2DOptions%20is,context%20of%20the%20web%20site.
[x-frame-options-url]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
[x-permitted-cross-domain-policies-url]: https://www.scip.ch/en/?labs.20180308
[npm-image]: https://img.shields.io/npm/v/@side/fortifyjs.svg?style=flat-square
[npm-url]: https://npmjs.org/package/@side/fortifyjs
[build-status-image]: https://img.shields.io/github/workflow/status/reside-eng/fortifyjs/Release?style=flat-square
[build-status-url]: https://github.com/reside-eng/fortifyjs/actions
[license-image]: https://img.shields.io/npm/l/@side/fortifyjs.svg?style=flat-square
[license-url]: https://github.com/reside-eng/fortifyjs/blob/main/LICENSE
[code-style-image]: https://img.shields.io/badge/code%20style-airbnb-blue.svg?style=flat-square
[code-style-url]: https://github.com/airbnb/javascript
[semantic-release-icon]: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg?style=flat-square
[semantic-release-url]: https://github.com/semantic-release/semantic-release
Loading

0 comments on commit bf2864b

Please sign in to comment.