From 3d33a1713e0014c5633d52d627e619d000ff94ae Mon Sep 17 00:00:00 2001
From: V
Date: Tue, 12 May 2026 11:25:06 +0200
Subject: [PATCH 1/2] feat(api): allow overriding http-security-headers in middyfy
Adds securityHeadersOptions to middyfy() so consumers can configure @middy/http-security-headers per-handler. Includes an embeddable resource preset that relaxes CORP/COEP/COOP for handlers serving images or other resources embedded cross-origin.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../embeddableResourceSecurityHeaders.ts | 22 +++++++++++++++++++
 packages/api/src/lib/middleware/index.ts | 1 +
 packages/api/src/lib/middleware/middyfy.ts | 5 ++++-
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 packages/api/src/lib/middleware/embeddableResourceSecurityHeaders.ts
diff --git a/packages/api/src/lib/middleware/embeddableResourceSecurityHeaders.ts b/packages/api/src/lib/middleware/embeddableResourceSecurityHeaders.ts
new file mode 100644
index 0000000..a08007a
--- /dev/null
+++ b/packages/api/src/lib/middleware/embeddableResourceSecurityHeaders.ts
@@ -0,0 +1,22 @@
+import type { Options } from '@middy/http-security-headers';
+
+/**
+ * Overrides for `@middy/http-security-headers` so responses can be embedded
+ * cross-origin (e.g. ``).
+ *
+ * Middy's defaults include `Cross-Origin-Resource-Policy: same-origin` and
+ * `Cross-Origin-Embedder-Policy: require-corp`, which cause browsers to block
+ * those embeds when the app runs on another origin.
+ *
+ * Pass this as `securityHeadersOptions` in `middyfy()` for handlers that serve
+ * resources embedded by other sites.
+ */
+export const embeddableResourceSecurityHeaders: SecurityHeadersOptions = {
+ crossOriginResourcePolicy: { policy: 'cross-origin' },
+ crossOriginEmbedderPolicy: false,
+ crossOriginOpenerPolicy: false,
+};
+
+export type SecurityHeadersOptions = {
+ [K in keyof Options]?: Options[K] | false;
+};
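Review bot: The preset disables COEP and COOP in addition to relaxing CORP, but of the three only `Cross-Origin-Resource-Policy` is checked on the embedded response itself; `Cross-Origin-Embedder-Policy` and `Cross-Origin-Opener-Policy` are enforced on the document that embeds or is navigated to, so as far as I can tell the two `false` entries do nothing for an image response and the whole preset could be `crossOriginResourcePolicy: { policy: 'cross-origin' }`. Keeping it that minimal also makes it safe to reuse on a handler that might ever return HTML, where dropping COOP/COEP would weaken isolation; if the `false` entries stay, the TSDoc should say which embed failed with Middy's COEP/COOP defaults in place, since its second paragraph currently attributes the blocking to COEP as well as CORP. `SecurityHeadersOptions` widens every key to `Options[K] | false`, so one comment naming the `@middy/http-security-headers` version that accepts `false` both at runtime and in its own `Options` type would help — if the package type does not accept it, `httpSecurityHeaders(securityHeadersOptions)` in middyfy.ts will not type-check. The example in `(e.g. ``)` is an empty code span as shown here; fill in the element that embeds the resource.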
diff --git a/packages/api/src/lib/middleware/index.ts b/packages/api/src/lib/middleware/index.ts
index 113c0b8..2a3dea1 100644
--- a/packages/api/src/lib/middleware/index.ts
+++ b/packages/api/src/lib/middleware/index.ts
@@ -1,2 +1,3 @@
 export { default as httpErrorHandler } from './httpErrorHandlerMiddleware';
+export * from './embeddableResourceSecurityHeaders';
 export * from './middyfy';
diff --git a/packages/api/src/lib/middleware/middyfy.ts b/packages/api/src/lib/middleware/middyfy.ts
index 4a39f9e..dca06fb 100644
--- a/packages/api/src/lib/middleware/middyfy.ts
+++ b/packages/api/src/lib/middleware/middyfy.ts
@@ -3,6 +3,7 @@ import doNotWaitForEmptyEventLoop from '@middy/do-not-wait-for-empty-event-loop'
 import cors from '@middy/http-cors';
 import middyJsonBodyParser from '@middy/http-json-body-parser';
 import httpSecurityHeaders from '@middy/http-security-headers';
+import type { SecurityHeadersOptions } from './embeddableResourceSecurityHeaders';
 import validator from '@middy/validator';
 import Ajv, { type Options as AjvOptions, type ValidateFunction } from 'ajv';
 import addFormats from 'ajv-formats';
@@ -27,6 +28,7 @@ type MiddyfyProps = {
 outputSchema?: Record;
 ajvOptions?: AjvOptions;
 corsOptions?: Record | false;
+ securityHeadersOptions?: SecurityHeadersOptions;
 };
 const ajvDefaultOptions: AjvOptions = {
@@ -141,6 +143,7 @@ export const middyfy = ({
 outputSchema,
 ajvOptions,
 corsOptions,
+ securityHeadersOptions,
 }: MiddyfyProps) => {
 let inputSchema;
 if (bodySchema || querySchema) {
@@ -183,7 +186,7 @@ export const middyfy = ({
 );
 }
- middyfiedHandler = middyfiedHandler.use(httpSecurityHeaders());
+ middyfiedHandler = middyfiedHandler.use(httpSecurityHeaders(securityHeadersOptions));
 if (corsOptions !== false) {
 middyfiedHandler = middyfiedHandler.use(
From 331788f75dfc688743f01b77c6b07c6ed04ed649 Mon Sep 17 00:00:00 2001
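Review bot: `securityHeadersOptions?: SecurityHeadersOptions;` on `MiddyfyProps` carries no doc comment, yet it is a per-handler switch that can override any header `@middy/http-security-headers` would otherwise set, and nothing at the declaration points callers at the exported preset; I would add `/** Per-handler options forwarded to httpSecurityHeaders(); prefer the exported embeddableResourceSecurityHeaders preset over ad-hoc values. */` above it. In the first middyfy.ts hunk the new `import type { SecurityHeadersOptions } from './embeddableResourceSecurityHeaders';` is placed between two `@middy/*` package imports; moving it after the package imports (next to the file's other relative imports, which are outside the hunk) keeps that group intact, and since the type is consumed here rather than by the preset, defining it in middyfy.ts and importing it from the preset file would read more naturally. The `middyfy` function body starts and ends outside these hunks.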
From: V
Date: Tue, 12 May 2026 11:26:20 +0200
Subject: [PATCH 2/2] fixed formatting
---
 packages/api/src/lib/middleware/middyfy.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/api/src/lib/middleware/middyfy.ts b/packages/api/src/lib/middleware/middyfy.ts
index dca06fb..21a69e0 100644
--- a/packages/api/src/lib/middleware/middyfy.ts
+++ b/packages/api/src/lib/middleware/middyfy.ts
@@ -186,7 +186,9 @@ export const middyfy = ({
 );
 }
- middyfiedHandler = middyfiedHandler.use(httpSecurityHeaders(securityHeadersOptions));
+ middyfiedHandler = middyfiedHandler.use(
+ httpSecurityHeaders(securityHeadersOptions),
+ );
 if (corsOptions !== false) {
 middyfiedHandler = middyfiedHandler.use(