JSPM

  • License MIT

Framework-agnostic security headers for modern web apps. One typed configuration for CSP, CORS, HSTS, COOP, CORP, Permissions Policy and more. Works the same in Next.js, Express, Fastify, Hono, serverless, workers and edge runtimes.

Package Exports

  • headyx
  • headyx/dist/index.cjs
  • headyx/dist/index.mjs

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (headyx) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

headyx

Framework-agnostic security headers built for the modern web.
One config. Any runtime. No rewrites.

Why

Security should not break every time your stack evolves. Teams move between Next.js, Express, Fastify, Hono, serverless functions, workers and edge runtimes. Every shift means rewriting the same CSP, CORS, HSTS, COOP, CORP and Permissions Policy logic in different formats. That is how inconsistencies and regressions creep in.

headyx fixes that by treating security policy as data, not middleware. You define your rules once. The library outputs pure { key, value } pairs that every HTTP environment can apply the same way. No framework lock-in. No lifecycle traps. No drift across services.

One source of truth. One mental model. Works everywhere.

What you get

  • Content Security Policy with strict defaults and flexible overrides
  • CORS with typed configs that actually match modern deployment patterns
  • HSTS with safe defaults for production environments
  • COOP, CORP and optional COEP for cross-origin isolation and security hardening
  • Permissions Policy to disable unneeded browser APIs
  • Referrer policy, MIME sniff prevention, frame protection and more
  • Everything delivered as explicit, typed header pairs, not framework magic

headyx covers the full surface of web hardening in one place, without forcing you into any particular framework or server lifecycle.

Installation

pnpm add headyx
# or
npm install headyx

Quick Start

Next.js

// next.config.ts
import { headers } from 'headyx';

export default {
  poweredByHeader: false,
  headers: headers(),
};

Express

import express from 'express';
import { cors, csp, hsts } from 'headyx';

const app = express();

app.use((req, res, next) => {
  cors({ origin: 'https://app.example.com' }).forEach(({ key, value }) => {
    res.setHeader(key, value);
  });

  const { header, value } = csp();
  res.setHeader(header, value);

  const hstsHeader = hsts({ enabled: true });
  if (hstsHeader) res.setHeader(hstsHeader.key, hstsHeader.value);

  next();
});
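The "policy as data" idea from the Why section, as an added example that is not headyx's own code: the same { key, value } pairs applied to a Node-style response and a Fetch-style Response, then audited for drift. The pair values and the names applyToNode, applyToFetch, auditHeaders and fakeNodeRes are assumptions constructed for illustration; headyx itself is not called.

```javascript
// Constructed sample pairs in the { key, value } shape the README describes.
// Illustrative values only; these are not headyx's defaults.
const policy = [
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Cross-Origin-Opener-Policy', value: 'same-origin' },
];

// Node-style target: anything exposing setHeader(name, value),
// such as http.ServerResponse or an Express res.
function applyToNode(res, pairs) {
  for (const { key, value } of pairs) res.setHeader(key, value);
  return res;
}

// Fetch-style target (workers, edge): copy the headers and return a
// new Response, leaving the original untouched.
function applyToFetch(response, pairs) {
  const merged = new Headers(response.headers);
  for (const { key, value } of pairs) merged.set(key, value);
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: merged,
  });
}

// Drift audit: report policy headers that a response is missing or carries
// with a different value. getHeader abstracts over the runtime.
function auditHeaders(getHeader, pairs) {
  const findings = [];
  for (const { key, value } of pairs) {
    const actual = getHeader(key);
    if (actual === undefined || actual === null) {
      findings.push({ key, issue: 'missing' });
    } else if (String(actual) !== value) {
      findings.push({ key, issue: 'mismatch', actual: String(actual) });
    }
  }
  return findings;
}

// Minimal stand-in for a Node response so the example runs offline.
function fakeNodeRes() {
  const store = new Map();
  return {
    setHeader: (k, v) => store.set(k.toLowerCase(), v),
    getHeader: (k) => store.get(k.toLowerCase()),
  };
}
```

Running auditHeaders against responses captured from each service in CI turns the "no drift across services" goal into a failing check rather than a convention.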

Documentation

License

MIT © @rccyx