csp-header

    5.0.0 • Public • Published

    Content-Security-Policy header generator for Node.js.

    Install

    npm install --save csp-header

    Usage

    const { getCSP, nonce, EVAL, INLINE, SELF } = require('csp-header');
    
    getCSP({
        directives: {
            'script-src': [
                SELF,
                INLINE,
                EVAL,
                nonce('gg3g43#$g32gqewgaAEGeag2@#GFQ#g=='),
                'example.com'
            ],
            'style-src': [
                SELF,
                'mystyle.net'
            ]
        },
        reportUri: 'https://cspreport.com/send'
    });
    
    // result: "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-gg3g43#$g32gqewgaAEGeag2@#GFQ#g==' example.com; style-src 'self' mystyle.net; report-uri https://cspreport.com/send;"

    Params

    {
        directives: { [key: string]: string[] },   // directive name -> list of source values
        presets: policies[] | { [key: string]: policies },  // policies = a directives map like the one above
        reportUri: string,                         // emitted as a report-uri directive
        extend: policies // DEPRECATED, use presets instead
    }

    CSP violation report

    There are two ways to send CSP violation reports. The first is the report-uri directive. Although this library supports it, it is deprecated and should be used only for old browsers. The modern way is the report-to directive. Note that csp-header only builds the Content-Security-Policy header, so you have to manage the Report-To header on your own. If you use Express, the express-csp-header middleware takes care of it for you.

    const { getCSP, nonce, EVAL, INLINE, SELF } = require('csp-header');
    
    getCSP({
        directives: {
            'script-src': [SELF],
            // report-to takes the group name; it must match the "group" in your Report-To header
            'report-to': 'my-report-group'
        },
        reportUri: 'https://cspreport.com/send'
    });
    
    // result: "script-src 'self'; report-uri https://cspreport.com/send; report-to my-report-group;"
    // (a CSP directive name is followed by a space, never a colon)

    Presets

    It's a good idea to group your CSP rules into presets. csp-header supports two ways of specifying presets. As an array of policies:

    {
        presets: [ cspRulesForSomeServiceAPI, cspRulesForMyStaticCDN, someOtherCSPRules ]
    }

    or as a map of presets:

    {
        presets: {
            api: cspRulesForSomeServiceAPI,
            statics: cspRulesForMyStaticCDN,
            youtubeVideos: cspRulesForYouTube
        }
    }

    Preset format

    If you run a web service, feel free to publish a preset of the rules needed to use it. For example, if your service is my-super-service.com, publish a preset named csp-preset-my-super-service containing the following code:

    // A preset is just a directives map; it is exported from the package's main module.
    module.exports = {
        'script-src': ['api.my-super-service.com'],
        'img-src': ['images.my-super-service.com']
    };

    And you'll get a lot of thanks ;)

    Community presets

    License

    WTFPL

    Collaborators

    • frux