{"id":16485318,"url":"https://github.com/morganconrad/kepi","last_synced_at":"2025-02-28T22:41:02.270Z","repository":{"id":57289058,"uuid":"156607003","full_name":"MorganConrad/kepi","owner":"MorganConrad","description":"Set and manage response http-headers","archived":false,"fork":false,"pushed_at":"2022-03-08T01:14:13.000Z","size":42,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-11T14:45:47.080Z","etag":null,"topics":["express-middleware","helmet","http","http-headers","javascript","middleware","response"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MorganConrad.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-11-07T20:54:47.000Z","updated_at":"2022-03-08T01:14:16.000Z","dependencies_parsed_at":"2022-09-15T14:42:13.135Z","dependency_job_id":null,"html_url":"https://github.com/MorganConrad/kepi","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MorganConrad%2Fkepi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MorganConrad%2Fkepi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MorganConrad%2Fkepi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MorganConrad%2Fkepi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MorganConrad","download_url":"https://codeload.github.com/MorganConrad/kepi/tar.gz/refs/heads/master","host":{"na
me":"GitHub","url":"https://github.com","kind":"github","repositories_count":241261834,"owners_count":19936046,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["express-middleware","helmet","http","http-headers","javascript","middleware","response"],"created_at":"2024-10-11T13:25:25.738Z","updated_at":"2025-02-28T22:41:02.243Z","avatar_url":"https://github.com/MorganConrad.png","language":"JavaScript","readme":"\n# Kepi is a small, elegant, and dependency free library for setting HTTP response headers.\n\n\u003cdiv align=\"center\"\u003e\n\t\u003cbr\u003e\n\t\u003cdiv\u003e\n\t\t\u003cimg width=\"400\" height=\"400\" src=\"kepi.svg\" alt=\"kepi\"\u003e\n\t\u003c/div\u003e\n\t\u003cbr\u003e\n\t\u003cbr\u003e\n\t\u003cbr\u003e\n\u003c/div\u003e\n\n[![Build Status](https://api.travis-ci.com/MorganConrad/kepi.png)](https://app.travis-ci.com/github/MorganConrad/kepi)\n[![License](http://img.shields.io/badge/license-MIT-A31F34.svg)](https://github.com/MorganConrad/kepi)\n[![NPM Downloads](http://img.shields.io/npm/dm/kepi.svg)](https://www.npmjs.org/package/kepi)\n[![Known Vulnerabilities](https://snyk.io/test/github/morganconrad/kepi/badge.svg)](https://snyk.io/test/github/morganconrad/kepi)\n[![Coverage Status](https://coveralls.io/repos/github/MorganConrad/kepi/badge.svg)](https://coveralls.io/github/MorganConrad/kepi)\n\n\n## Usage\n\n### Example Configuration\n\nSimplest is to have as much as possible in a constant object (\"declarative\")\n\n    const Kepi = require('kepi');\n\n    let kepi = Kepi({\n      'X-Powered-By': 'super duper system',\n      'Content-Type': 
['text/html', 'charset=utf-8'],\n      'Feature-Policy': {\n        vibrate: \"'none'\",\n        geolocation: \"'self'\",\n      },\n    });\n\nLater, you can add more headers declaratively\n\n    kepi.add( {'Content-Encoding': ['deflate', 'gzip']} );\n\nBut sometimes you just need to add stuff dynamically\n\n    let methodArray = [ /* insert methods you allow here */ ];\n    kepi.accessControl.allowMethods().add(...methodArray);\n    kepi.header('Expires').set(Date.now() + 60*60*1000);  // good for one hour\n\n### In roll your own code\n\n    kepi.applyTo(myResponse);\n\n### In Express\n\n    app.use(kepi.middleware());\n\n#### - If you just want to mimic (more or less) [helmet](https://www.npmjs.com/package/helmet)\n\n    app.use(kepi().safe().middleware());\n\n### In [Micro](https://github.com/zeit/micro)  (note: not tested in a real app!)\n\n    originalMicroHandler = (req, res) =\u003e { ... }\n    module.exports = kepi.micro(originalMicroHandler);\n\n\n## API\n\n### Kepi\n\n#### constructor(data, customOptions)\n data can be\n  - null\n  - an Object (see [example](#example-configuration) above).  In many cases this is all you really need.\n  - \"safe\": same as calling [safe()](#safe-1)\n\n customOptions are described under [Customization](#Customization) below\n\n#### add(data)\nAdd that data object to the headers.  (same logic as for constructor, including \"safe\")\n\n#### applyTo(response)\nWrite the headers into response.\n\n#### header(headerName, optionalData)\nRetrieve the Header with that name, creating if necessary, setting with optional data.  Name may be\n - the full name, e.g. \"Content-Security-Policy\"\n - a \"nickname\", e.g. \"contentSecurityPolicy\" (see [Customization](#customization))\n\n#### middleware()\nFor use in Express.  
Should be modifiable for others\n\n#### safe()\nSets all headers in options.SAFE or options.safe, creating if needed.\n\n### Header - base class for the following subclasses\n\n#### Value\n - a single value (usually a String)\n - _e.g._ Transfer-Encoding\n\n#### DateValue\n - a single Date,\n - _e.g._ Expires\n - numbers get converted to a Date, null or 0 to current date.\n\n#### List\n - a list of values, usually comma delimited (but sometimes semicolon)\n - _e.g._ Content-Encoding (comma) or Strict-Transport-Security (semicolon)\n\n#### Policies\n - one or more semicolon delimited Policies\n - each Policy consists of a name and space delimited values.\n - _e.g._ Content-Security-Policy\n\n#### Header Methods\n\n#### add(data)\nAdds data to the header value\n  - `List.add(...items)`\n    - _e.g._ `add('a','b')` is equivalent to `add(['a','b'])`\n  - `Policies.add(policyNameorData, ...items)`\n    - if first argument is a String, adds items to that policyName\n    - else parses policyNameorData as a data object\n  - **note** items will be flattened one level deep, so `add('a','b')` is equivalent to `add(['a','b'])`\n\n#### applyTo(response)\nWrite the header to the response.  You will seldom call this directly.\n\n#### clear()\nClear the value, to \"\", [], or {} as appropriate\n  - `Policies.clear(policyName)` takes an optional policy name, if provided, only that policy is cleared.\n\n#### remove()\nFlags this header to be removed from any response.  
**Warning:** cannot be \"unflagged\".\n\n#### safe()\nSet the header to a \"safe\" value, as provided in the options.\n\n#### set(value)\nSets the value\n  - `List.set(...items)` like add(), items will be flattened\n\n\n## Customization\n\nYou can customize or add to behavior by passing a customOptions parameter to the Kepi function.\nThis will get `Object.assign`ed onto the default settings in defaults.js.\n\n#### Simple Options\n  - setupNicknames (default = true) controls if nicknames are set up\n  - resetAfterApply (default = false) will reset to initial data after calling applyTo()\n\n#### Complex Options\nSince `Object.assign` is shallow, and making a deep copy is a bit of a pain, instead, provide complex user options in the **lowercase**\nproperties given at the end of defaults.js.\n\n - headerClasses allows you to add or override the class for a Header\n - nicknames lets you add nickname shortcuts (but see `setupNicknames`)\n   - _e.g._ you can use `kepi.featurePolicy()` instead of `kepi.header(\"Feature-Policy\")`\n     - **Note**: Unlike in **helmet**, you must add parentheses at the end.\n - safe allows you to add or override the \"security safe\" values for headers\n\n\n## Notes, Todos, and Caveats\n\nThis work was inspired when I ran a [Security Header Audit](https://securityheaders.com/) on one of my websites and got back a lot of angry red.  This quickly led me to [helmet](https://www.npmjs.com/package/helmet), a popular, well tested, and well documented Express middleware.  However, helmet really only sets \"secure\" headers, and is of little use setting general purpose response headers.  It has many dependencies and sucks down a lot of code.\n\nTo my surprise, I didn't see any general purpose \"setup your response headers\" npm module.  
This is my attempt to fill that need.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmorganconrad%2Fkepi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmorganconrad%2Fkepi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmorganconrad%2Fkepi/lists"}