diff --git a/README.md b/README.md
index 55fd985..7a20d2c 100644
--- a/README.md
+++ b/README.md
@@ -980,6 +980,7 @@ The full list of OWASP Secure Headers you can set are:
 - xContentTypeOptions - X-Content-Type-Options,
 - xFrameOptions - X-Frame-Options,
 - xPermittedCrossDomainPolicies - X-Permitted-Cross-Domain-Policies
+- xDNSPrefetchControl - X-DNS-Prefetch-Control
 
 You should note that `Pragma` has been [deprecated by owasp](https://owasp.org/www-project-secure-headers/#pragma), this plugin will issue a warning when you are still using Pragma and might drop support.
 
diff --git a/json/owasp.json b/json/owasp.json
index 0b0e2ae..37c9a53 100644
--- a/json/owasp.json
+++ b/json/owasp.json
@@ -1,5 +1,5 @@
 {
-"last_update_utc": "2024-09-19 21:29:28",
+"last_update_utc": "2025-08-17 15:23:47",
 "headers": [
 {
 "name": "Cache-Control",
@@ -11,7 +11,7 @@
 },
 {
 "name": "Content-Security-Policy",
-"value": "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
+"value": "default-src 'self'; form-action 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests"
 },
 {
 "name": "Cross-Origin-Embedder-Policy",
@@ -41,6 +41,10 @@
 "name": "X-Content-Type-Options",
 "value": "nosniff"
 },
+{
+"name": "X-DNS-Prefetch-Control",
+"value": "off"
+},
 {
 "name": "X-Frame-Options",
 "value": "deny"
diff --git a/package-lock.json b/package-lock.json
index 320aa3d..202be7c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "serverless-openapi-documenter",
-"version": "0.0.115",
+"version": "0.0.116",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "serverless-openapi-documenter",
-"version": "0.0.115",
+"version": "0.0.116",
 "license": "MIT",
 "dependencies": {
 "@apidevtools/json-schema-ref-parser": "^9.1.0",
diff --git a/package.json b/package.json
index 5b0d2b8..0b5d04c 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "serverless-openapi-documenter",
-"version": "0.0.115",
+"version": "0.0.116",
 "description": "Generate OpenAPI v3 documentation and Postman Collections from your Serverless Config",
 "main": "index.js",
 "keywords": [
diff --git a/src/owasp.js b/src/owasp.js
index 5189e5c..e4d4840 100644
--- a/src/owasp.js
+++ b/src/owasp.js
@@ -67,6 +67,10 @@ class OWASP {
 description:
 "A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When clients request content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction. Normally a meta-policy is declared in the master policy file, but for those who can't write to the root directory, they can also declare a meta-policy using the X-Permitted-Cross-Domain-Policies HTTP response header. - [OWASP Link](https://owasp.org/www-project-secure-headers/#x-permitted-cross-domain-policies)",
 },
+"X-DNS-Prefetch-Control": {
+description:
+"The HTTP X-DNS-Prefetch-Control response header controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-DNS-Prefetch-Control)",
+},
 };
 
 this.headerMap = {
@@ -83,6 +87,7 @@ class OWASP {
 xContentTypeOptions: "X-Content-Type-Options",
 xFrameOptions: "X-Frame-Options",
 xPermittedCrossDomainPolicies: "X-Permitted-Cross-Domain-Policies",
+xDNSPrefetchControl: "X-DNS-Prefetch-Control",
 };
 }
 
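Review bot: The new `X-DNS-Prefetch-Control` description explains what prefetching is but never says why the value this commit ships in json/owasp.json is `off`, so a reader of the generated documentation gets no rationale for the header they are told to set. Appending a sentence such as `Setting it to off stops the browser from resolving hostnames for links the user has not followed, which would otherwise disclose those hostnames to the DNS resolver ahead of any navigation.` would make the entry as self-explanatory as its siblings. The sibling entries also close with an OWASP Secure Headers Project link; if that project has an entry for this header (the JSON feed this commit refreshes suggests it does), linking it alongside the MDN page keeps the entries uniform, and as far as I recall MDN flags this header as non-standard, which is worth stating for consumers deciding whether to rely on it. The enclosing constructor and class OWASP begin and end outside the hunk.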
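Review bot: `xDNSPrefetchControl` is the fourth place this commit adds the same header by hand (the README list, json/owasp.json, the description map in the previous hunk and this `headerMap`), and nothing visible enforces that the in-code sources stay in step; a header present in json/owasp.json but missing here would presumably be unreachable through the camelCase option name without any error. A small unit test that iterates the `name` values in json/owasp.json and asserts each one appears as a `headerMap` value and has a description entry would catch that drift before the next header is added. The key's casing also differs from its neighbours, which are plain camelCase; `xDnsPrefetchControl` would match the usual JS convention, though the README in this commit documents `xDNSPrefetchControl`, so a rename would have to touch both. The enclosing constructor and class OWASP continue outside the hunk.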