const logger = require('./logger')
/**
 * Header names that callers are never allowed to supply.
 *
 * Every entry is lower-case; `isForbiddenHeader` lower-cases the
 * incoming name before comparing, so matching is case-insensitive.
 * The set closely resembles the Fetch standard's forbidden request
 * header names (connection management, framing and credential
 * headers) — confirm against that list before extending it.
 */
const forbiddenNames = [
  'accept-charset',
  'accept-encoding',
  'access-control-request-headers', // CORS preflight, set by the agent
  'access-control-request-method',
  'connection',                     // hop-by-hop
  'content-length',                 // framing, derived from the body
  'cookie',                         // credentials
  'cookie2',
  'date',
  'dnt',
  'expect',
  'host',
  'keep-alive',                     // hop-by-hop
  'origin',
  'referer',
  'te',                             // hop-by-hop
  'trailer',                        // hop-by-hop
  'transfer-encoding',              // framing
  'upgrade',                        // hop-by-hop
  'via',
];
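/**
 * Forbidden header-name prefixes, as regular expressions.
 *
 * Matched against the lower-cased header name by `isForbiddenHeader`.
 * The patterns are anchored at the start only: the previous form
 * `/^proxy-.*$/` required `.*$` to reach the end of the string, and
 * since `.` does not cross a newline a name such as `proxy-x\nfoo`
 * would not have matched. A prefix check is what is intended, so the
 * tail is dropped; this only widens the match for names containing
 * line breaks, which a header name should never carry anyway.
 * No `g`/`y` flags are used, so `test()` carries no `lastIndex` state.
 */
const forbiddenRegex = [/^proxy-/, /^sec-/];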
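/**
 * Check whether a header name is on the blacklist.
 *
 * The name is lower-cased and then tested against `forbiddenNames`
 * (exact match) and `forbiddenRegex` (pattern match). A forbidden
 * name is also reported through `logger.warn`.
 *
 * @param {string} header Header name to check (must be a string;
 *   a non-string value throws from `toLowerCase`, as before).
 * @returns {boolean} True if the header is forbidden, false otherwise.
 */
const isForbiddenHeader = (header) => {
  const name = header.toLowerCase();
  // `includes`/`some` replace the `indexOf(...) >= 0` and
  // `findIndex(...) >= 0` forms; same truth table, clearer intent.
  const forbidden = forbiddenNames.includes(name)
    || forbiddenRegex.some((regex) => regex.test(name));
  if (forbidden) {
    // `header` is a caller-supplied key and is logged verbatim;
    // NOTE(review): assumes the logger encodes it safely — confirm.
    logger.warn(`Header forbidden: ${header}`, 'header.forbidden');
  }
  return forbidden;
};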
/**
 * Return a shallow copy of `headers` with every forbidden header
 * name removed (see `isForbiddenHeader`). The input object is never
 * modified.
 *
 * @param {object} headers Header name → value map.
 * @returns {object} A new object holding only the allowed headers;
 *   an empty object when `headers` is null/undefined, not an object,
 *   or an array.
 */
module.exports = (headers) => {
  const isHeaderMap = headers != null
    && typeof headers === 'object'
    && !Array.isArray(headers);
  if (!isHeaderMap) {
    return {};
  }
  // Copy first so the caller's object stays untouched, then prune
  // the copy in place.
  const sanitized = { ...headers };
  for (const name of Object.keys(sanitized)) {
    if (isForbiddenHeader(name)) {
      delete sanitized[name];
    }
  }
  return sanitized;
};