From a0e2f33d90ec7366277ed4a98d5b0cb3a3c528aa Mon Sep 17 00:00:00 2001 From: Jared Evans Date: Wed, 24 Sep 2025 16:55:33 +0100 Subject: [PATCH 1/2] updates OWASP headers --- README.md | 1 + json/owasp.json | 8 ++++++-- src/owasp.js | 5 +++++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 55fd985..7a20d2c 100644 --- a/README.md +++ b/README.md @@ -980,6 +980,7 @@ The full list of OWASP Secure Headers you can set are: - xContentTypeOptions - X-Content-Type-Options, - xFrameOptions - X-Frame-Options, - xPermittedCrossDomainPolicies - X-Permitted-Cross-Domain-Policies +- xDNSPrefetchControl - X-DNS-Prefetch-Control You should note that `Pragma` has been [deprecated by owasp](https://owasp.org/www-project-secure-headers/#pragma), this plugin will issue a warning when you are still using Pragma and might drop support. diff --git a/json/owasp.json b/json/owasp.json index 0b0e2ae..37c9a53 100644 --- a/json/owasp.json +++ b/json/owasp.json @@ -1,5 +1,5 @@ { - "last_update_utc": "2024-09-19 21:29:28", + "last_update_utc": "2025-08-17 15:23:47", "headers": [ { "name": "Cache-Control", @@ -11,7 +11,7 @@ }, { "name": "Content-Security-Policy", - "value": "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content" + "value": "default-src 'self'; form-action 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests" }, { "name": "Cross-Origin-Embedder-Policy", @@ -41,6 +41,10 @@ "name": "X-Content-Type-Options", "value": "nosniff" }, + { + "name": "X-DNS-Prefetch-Control", + "value": "off" + }, { "name": "X-Frame-Options", "value": "deny" diff --git a/src/owasp.js b/src/owasp.js index 5189e5c..e4d4840 100644 --- a/src/owasp.js +++ b/src/owasp.js 
@@ -67,6 +67,10 @@ class OWASP { description: "A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When clients request content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction. Normally a meta-policy is declared in the master policy file, but for those who can't write to the root directory, they can also declare a meta-policy using the X-Permitted-Cross-Domain-Policies HTTP response header. - [OWASP Link](https://owasp.org/www-project-secure-headers/#x-permitted-cross-domain-policies)", }, + "X-DNS-Prefetch-Control": { + description: + "The HTTP X-DNS-Prefetch-Control response header controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-DNS-Prefetch-Control)", + }, }; this.headerMap = { @@ -83,6 +87,7 @@ class OWASP { xContentTypeOptions: "X-Content-Type-Options", xFrameOptions: "X-Frame-Options", xPermittedCrossDomainPolicies: "X-Permitted-Cross-Domain-Policies", + xDNSPrefetchControl: "X-DNS-Prefetch-Control", }; } From 6db93996df6c7534b4d67c037e8753389e05a9b9 Mon Sep 17 00:00:00 2001 From: Jared Evans Date: Wed, 24 Sep 2025 16:55:48 +0100 Subject: [PATCH 2/2] 0.0.116 --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 320aa3d..202be7c 100644 --- a/package-lock.json +++ b/package-lock.json 
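Review bot: The new `X-DNS-Prefetch-Control` description is the only entry in this hunk that cites MDN rather than the OWASP Secure Headers page the sibling `X-Permitted-Cross-Domain-Policies` entry links to, and it explains what prefetching is without saying why the value shipped in json/owasp.json is `off`, which is the part a user deciding whether to set it needs. I would append to the string something like `Setting it to off stops the browser resolving, and so disclosing to the DNS resolver, hostnames of links the user has not clicked; the header is non-standard and not every browser honours it.` and, if the OWASP project page has a section for this header, replace the MDN reference with the matching `[OWASP Link](https://owasp.org/www-project-secure-headers/#x-dns-prefetch-control)` so the anchors stay uniform across entries. The object literal this hunk extends begins before the hunk, presumably inside the OWASP class constructor.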
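Review bot: The `xDNSPrefetchControl` entry is the fourth place this commit adds the same header by hand (README, json/owasp.json, the description object and `headerMap`), and nothing in the hunk ties them together, so a header present in json/owasp.json but missing from this map would presumably be unsettable by users without any error. A small test asserting that every `name` in json/owasp.json has both a `headerMap` value and a description entry would catch that drift, and a comment above the map, `// user-facing option name -> header name; keep in step with the description object and json/owasp.json`, would make the contract visible. The key also departs from the lowerCamelCase of its neighbours (`xContentTypeOptions`, `xFrameOptions`); `xDnsPrefetchControl` would match, but the README already documents the uppercase form, so any rename must change both. The `headerMap` literal and the enclosing constructor continue past the end of the hunk.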
@@ -1,12 +1,12 @@ { "name": "serverless-openapi-documenter", - "version": "0.0.115", + "version": "0.0.116", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "serverless-openapi-documenter", - "version": "0.0.115", + "version": "0.0.116", "license": "MIT", "dependencies": { "@apidevtools/json-schema-ref-parser": "^9.1.0", diff --git a/package.json b/package.json index 5b0d2b8..0b5d04c 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "serverless-openapi-documenter", - "version": "0.0.115", + "version": "0.0.116", "description": "Generate OpenAPI v3 documentation and Postman Collections from your Serverless Config", "main": "index.js", "keywords": [