Neurologically Paralyzing Mouseovers

npm

Join us for the "JavaScript Supply Chain Security" tech talk, presented by VP of Security, Adam Baldwin. 6/20 at 10am PT.Sign up here »

@doyensec/csp-evaluator

1.0.3 • Public • Published

CSP Evaluator Core NPM Library

Introduction

Please note: this is a porting of the original CSP evaluator library.

This is not an official Google product.

CSP Evaluator allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks. It assists with the process of reviewing CSP policies, and helps identify subtle CSP bypasses which undermine the value of a policy. CSP Evaluator checks are based on a large-scale study and are aimed to help developers to harden their CSP and improve the security of their applications. This tool (also available as a Chrome extension) is provided only for the convenience of developers and Google provides no guarantees or warranties for this tool.

CSP Evaluator comes with a built-in list of common CSP whitelist bypasses which reduce the security of a policy. This list only contains popular bypasses and is by no means complete.

The CSP Evaluator library + frontend is deployed here: https://csp-evaluator.withgoogle.com/

Example usage

    const csp = require("@doyensec/csp-evaluator")
 
    var rawCsp = "script-src data: https://www.google.com;";
    var parser = new csp.CspParser(rawCsp);
    var evaluator = new csp.CspEvaluator(parser.csp, csp.Version.CSP3);
    var findings = evaluator.evaluate();
    console.log(findings);

Credits

This package is used by Electronegativity. Electronegativity has been sponsored by Doyensec LLC.

alt text

Keywords

install

npm i @doyensec/csp-evaluator

Downloadsweekly downloads

44

version

1.0.3

license

Apache-2.0

homepage

github.com

repository

Gitgithub

last publish

collaborators

  • avatar
  • avatar
Report a vulnerability