Add security plugin hapi-aegis to plugins.json

[mrosenlund]

Adds hapi-aegis, a newly-released hapi security-headers plugin, to the Security category.

• npm: https://www.npmjs.com/package/hapi-aegis
• GitHub: https://github.com/mrosenlund/hapi-aegis

hapi-aegis provides sensible defaults for Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Cross-Origin-* and more, with per-route overrides. Think Helmet (Express), but built natively for hapi. First public release: v1.0.0.

[Marsup]

Hi,

I'm having some trouble understanding why this plugin is reimplementing some features that hapi already has out of the box. Is it a misunderstanding on my part or you didn't see those options?

[mrosenlund]

Thanks for taking a look, and yeah, fair point. I should have addressed this up front. I did know about routes.security, but I didn't really weigh how much overlap there is. Looking at it again: HSTS, X-Frame-Options, X-Content-Type-Options, X-Download-Options, Referrer-Policy, and X-XSS-Protection are all already covered by Hapi's built-in security config, and X-Powered-By isn't sent by default. So roughly half the plugin is duplicating stuff Hapi already does well.

Honestly some of that came from personal preference. I've spent a lot of time on Express with Helmet, and one thing I liked there was having a single unified surface for every security header in one config block. I do think there's something to having it all in one place, especially for folks coming from Express, but I get why that lands weird in Hapi when you've already got security config built in. I'd rather it sit alongside what's there than feel like it's fighting it.

The other piece of motivation here is that I've been using Hapi a lot lately and wanted to give something back to the ecosystem, which is part of why I went straight to opening a PR against hapi.dev rather than just publishing this on npm. So I'd rather end up with something that actually fits than push the current shape through.

The piece I think is genuinely missing from Hapi, and the reason I started this in the first place, is the modern set of headers that aren't in routes.security

• Content-Security-Policy (with nonce generation, report-only mode, directive merging)
• Cross-Origin-Embedder-Policy / Opener-Policy / Resource-Policy
• Permissions-Policy
• Origin-Agent-Cluster
• a few smaller ones (DNS-Prefetch-Control, Permitted-Cross-Domain-Policies)

[mrosenlund]

One more thing worth flagging: I do have an open issue on the repo to add Reporting API (Report-To) support alongside CSP, which is another piece Hapi doesn't have today. I'll get to it when I have some time to work on it, but the roadmap is leaning further into this gap rather than winding down.