Merge pull request #234 from JaredCE/update-default-owasp

Update default owasp

Author: JaredCE

README.md

@@ -928,7 +928,7 @@ The generator will interpret your settings for CORS and automatically add the re
 
 You can make use of the [OWASP Secure Headers](https://owasp.org/www-project-secure-headers/#x-permitted-cross-domain-policies) to generate response headers. These are a selection of response headers with default values that OWASP recommends returning with your response to help secure your application.
 
-The OWASP Secure Headers Project contains a set of recommended headers to return with recommended values, when generating the documentation, the generator will attempt to get the latest version of this document and apply the latest recommendations. If you do not allow outside connections, it will default to a version of recommendations from **2023-05-26 12:22:30 UTC**.
+The OWASP Secure Headers Project contains a set of recommended headers to return with recommended values, when generating the documentation, the generator will attempt to get the latest version of this document and apply the latest recommendations. If you do not allow outside connections, it will default to a version of recommendations from **2024-09-19 21:29:28 UTC**.
 
 Like CORS, if you have already set any of the OWASP Secure headers via `responseHeaders`, it will not overwrite them.
 
@@ -973,13 +973,14 @@ The full list of OWASP Secure Headers you can set are:
 - crossOriginOpenerPolicy - Cross-Origin-Opener-Policy,
 - crossOriginResourcePolicy - Cross-Origin-Resource-Policy,
 - permissionsPolicy - Permissions-Policy,
-- pragma - Pragma,
 - referrerPolicy - Referrer-Policy,
 - strictTransportSecurity - Strict-Transport-Security,
 - xContentTypeOptions - X-Content-Type-Options,
 - xFrameOptions - X-Frame-Options,
 - xPermittedCrossDomainPolicies - X-Permitted-Cross-Domain-Policies
 
+You should note that `Pragma` has been [deprecated by owasp](https://owasp.org/www-project-secure-headers/#pragma), this plugin will issue a warning when you are still using Pragma and might drop support.
+
 ###### Subset of OWASP Secure Headers with user defined values
 
 If you wish to override the OWASP Secure Headers, you can write your `methodResponse` like:

json/owasp.json

@@ -1,57 +1,53 @@
 {
-    "last_update_utc": "2023-05-26 12:22:30",
-    "headers": [
-      {
-        "name": "Cache-Control",
-        "value": "no-store, max-age=0"
-      },
-      {
-        "name": "Clear-Site-Data",
-        "value": "\"cache\",\"cookies\",\"storage\""
-      },
-      {
-        "name": "Content-Security-Policy",
-        "value": "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
-      },
-      {
-        "name": "Cross-Origin-Embedder-Policy",
-        "value": "require-corp"
-      },
-      {
-        "name": "Cross-Origin-Opener-Policy",
-        "value": "same-origin"
-      },
-      {
-        "name": "Cross-Origin-Resource-Policy",
-        "value": "same-origin"
-      },
-      {
-        "name": "Permissions-Policy",
-        "value": "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()"
-      },
-      {
-        "name": "Pragma",
-        "value": "no-cache"
-      },
-      {
-        "name": "Referrer-Policy",
-        "value": "no-referrer"
-      },
-      {
-        "name": "Strict-Transport-Security",
-        "value": "max-age=31536000 ; includeSubDomains"
-      },
-      {
-        "name": "X-Content-Type-Options",
-        "value": "nosniff"
-      },
-      {
-        "name": "X-Frame-Options",
-        "value": "deny"
-      },
-      {
-        "name": "X-Permitted-Cross-Domain-Policies",
-        "value": "none"
-      }
-    ]
-  }
+  "last_update_utc": "2024-09-19 21:29:28",
+  "headers": [
+    {
+      "name": "Cache-Control",
+      "value": "no-store, max-age=0"
+    },
+    {
+      "name": "Clear-Site-Data",
+      "value": "\"cache\",\"cookies\",\"storage\""
+    },
+    {
+      "name": "Content-Security-Policy",
+      "value": "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
+    },
+    {
+      "name": "Cross-Origin-Embedder-Policy",
+      "value": "require-corp"
+    },
+    {
+      "name": "Cross-Origin-Opener-Policy",
+      "value": "same-origin"
+    },
+    {
+      "name": "Cross-Origin-Resource-Policy",
+      "value": "same-origin"
+    },
+    {
+      "name": "Permissions-Policy",
+      "value": "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), unload=()"
+    },
+    {
+      "name": "Referrer-Policy",
+      "value": "no-referrer"
+    },
+    {
+      "name": "Strict-Transport-Security",
+      "value": "max-age=31536000; includeSubDomains"
+    },
+    {
+      "name": "X-Content-Type-Options",
+      "value": "nosniff"
+    },
+    {
+      "name": "X-Frame-Options",
+      "value": "deny"
+    },
+    {
+      "name": "X-Permitted-Cross-Domain-Policies",
+      "value": "none"
+    }
+  ]
+}

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "serverless-openapi-documenter",
-  "version": "0.0.108",
+  "version": "0.0.109",
   "description": "Generate OpenAPI v3 documentation and Postman Collections from your Serverless Config",
   "main": "index.js",
   "keywords": [

package.json

@@ -553,6 +553,12 @@ class DefinitionGenerator {
             throw err;
           });
         } else {
+          if (Object.keys(response.owasp).includes("pragma")) {
+            this.logger.warn(
+              "Pragma has been deprecated by owasp (https://owasp.org/www-project-secure-headers/#pragma) and support for defaults will be dropped by this plugin."
+            );
+          }
+
           owaspHeaders = await this.createResponseHeaders(
             oWASP.getHeaders(response.owasp)
           ).catch((err) => {
@@ -603,7 +609,7 @@ class DefinitionGenerator {
       ).catch((err) => {
         throw err;
       });
-    } else if (this.currentEvent.cors) {
+    } else if (this.currentEvent?.cors) {
       const newHeaders = {};
       for (const key of Object.keys(this.DEFAULT_CORS_HEADERS)) {
         if (

src/definitionGenerator.js

@@ -47,11 +47,6 @@ class OWASP {
         description:
           "The HTTP Permissions-Policy header provides a mechanism to allow and deny the use of browser features in a document or within any [<iframe>](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe) elements in the document. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy)",
       },
-      Pragma: {
-        description:
-          "The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. This header serves for backwards compatibility with the HTTP/1.0 caches that do not have a [Cache-Control](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control) HTTP/1.1 header. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Pragma)",
-        deprecated: true,
-      },
       "Referrer-Policy": {
         description:
           "The Referrer-Policy [HTTP header](https://developer.mozilla.org/en-US/docs/Glossary/HTTP_header) controls how much [referrer information](https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns) (sent with the [Referer](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) header) should be included with requests. Aside from the HTTP header, you can [set this policy in HTML](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#integration_with_html). - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)",
@@ -153,13 +148,44 @@ class OWASP {
   getHeaders(headerList) {
     const obj = {};
     for (const headerName of Object.keys(headerList)) {
-      const defaultHeader =
-        this.DEFAULT_OWASP_HEADERS[this.headerMap[headerName]];
-      Object.assign(obj, { [this.headerMap[headerName]]: defaultHeader });
+      if (headerName === "pragma") {
+        const pragma = {
+          Pragma: {
+            description:
+              "The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. This header serves for backwards compatibility with the HTTP/1.0 caches that do not have a [Cache-Control](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control) HTTP/1.1 header. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Pragma)",
+            deprecated: true,
+          },
+        };
+
+        if (typeof headerList["pragma"] !== "boolean") {
+          Object.assign(pragma["Pragma"], {
+            schema: {
+              type: "string",
+              default: headerList["pragma"].value,
+              example: headerList["pragma"].value,
+            },
+          });
+        } else {
+          Object.assign(pragma["Pragma"], {
+            schema: {
+              default: "no-cache",
+              type: "string",
+              example: "no-cache",
+            },
+          });
+        }
+
+        Object.assign(obj, pragma);
+      } else {
+        const defaultHeader =
+          this.DEFAULT_OWASP_HEADERS[this.headerMap[headerName]];
+
+        Object.assign(obj, { [this.headerMap[headerName]]: defaultHeader });
 
-      if (typeof headerList[headerName] !== "boolean") {
-        obj[this.headerMap[headerName]].schema.default =
-          headerList[headerName].value;
+        if (typeof headerList[headerName] !== "boolean") {
+          obj[this.headerMap[headerName]].schema.default =
+            headerList[headerName].value;
+        }
       }
     }
 

src/owasp.js

@@ -1,57 +1,53 @@
 {
-    "last_update_utc": "2023-05-26 12:22:30",
-    "headers": [
-      {
-        "name": "Cache-Control",
-        "value": "no-store, max-age=0"
-      },
-      {
-        "name": "Clear-Site-Data",
-        "value": "\"cache\",\"cookies\",\"storage\""
-      },
-      {
-        "name": "Content-Security-Policy",
-        "value": "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
-      },
-      {
-        "name": "Cross-Origin-Embedder-Policy",
-        "value": "credentialless"
-      },
-      {
-        "name": "Cross-Origin-Opener-Policy",
-        "value": "same-origin"
-      },
-      {
-        "name": "Cross-Origin-Resource-Policy",
-        "value": "same-origin"
-      },
-      {
-        "name": "Permissions-Policy",
-        "value": "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()"
-      },
-      {
-        "name": "Pragma",
-        "value": "no-cache"
-      },
-      {
-        "name": "Referrer-Policy",
-        "value": "no-referrer"
-      },
-      {
-        "name": "Strict-Transport-Security",
-        "value": "max-age=31536000 ; includeSubDomains"
-      },
-      {
-        "name": "X-Content-Type-Options",
-        "value": "nosniff"
-      },
-      {
-        "name": "X-Frame-Options",
-        "value": "deny"
-      },
-      {
-        "name": "X-Permitted-Cross-Domain-Policies",
-        "value": "none"
-      }
-    ]
-  }
+  "last_update_utc": "2024-09-19 21:29:28",
+  "headers": [
+    {
+      "name": "Cache-Control",
+      "value": "no-store, max-age=0"
+    },
+    {
+      "name": "Clear-Site-Data",
+      "value": "\"cache\",\"cookies\",\"storage\""
+    },
+    {
+      "name": "Content-Security-Policy",
+      "value": "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
+    },
+    {
+      "name": "Cross-Origin-Embedder-Policy",
+      "value": "require-corp"
+    },
+    {
+      "name": "Cross-Origin-Opener-Policy",
+      "value": "same-origin"
+    },
+    {
+      "name": "Cross-Origin-Resource-Policy",
+      "value": "same-origin"
+    },
+    {
+      "name": "Permissions-Policy",
+      "value": "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), unload=()"
+    },
+    {
+      "name": "Referrer-Policy",
+      "value": "no-referrer"
+    },
+    {
+      "name": "Strict-Transport-Security",
+      "value": "max-age=31536000; includeSubDomains"
+    },
+    {
+      "name": "X-Content-Type-Options",
+      "value": "nosniff"
+    },
+    {
+      "name": "X-Frame-Options",
+      "value": "deny"
+    },
+    {
+      "name": "X-Permitted-Cross-Domain-Policies",
+      "value": "none"
+    }
+  ]
+}