csp-header
TypeScript icon, indicating that this package has built-in type declarations

5.2.1 • Public • Published

csp-header

NPM version NPM downloads Dependency Status

Content-Security-Policy header generator for Node.js.

Install

npm install --save csp-header

Usage

const { getCSP, nonce, EVAL, INLINE, SELF } = require('csp-header');

getCSP({
    directives: {
        'script-src': [
            SELF,
            INLINE,
            EVAL,
            nonce('gg3g43#$g32gqewgaAEGeag2@#GFQ#g=='),
            'example.com'
        ],
        'style-src': [
            SELF,
            'mystyle.net'
        ]
    },
    reportUri: 'https://cspreport.com/send'
});

// result: "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-gg3g43#$g32gqewgaAEGeag2@#GFQ#g==' example.com; style-src 'self' mystyle.net; report-uri https://cspreport.com/send;"

Params

{
    directives: { [key: string]: string[] },
    presets: policies[] | { [key: string]: policies },
    reportUri: string,
    extend: policies // DEPRECATED use presets instead
}

CSP violation report

There are two ways to send CSP violation report. The first is a report-uri directive. Though it's supported by this library, it's deprecated and should be used only for old browsers. The modern way is a report-to directive. Note that csp-header only build a Content-Security-Policy header, so you have to manage Report-To header on your own. But if you use Express, there's an express-csp-header middleware that takes care about it.

const { getCSP, nonce, EVAL, INLINE, SELF } = require('csp-header');

getCSP({
    directives: {
        'script-src': [SELF],
        'report-to': 'my-report-group'
    },
    reportUri: 'https://cspreport.com/send'
});

// result: "script-src 'self'; report-uri https://cspreport.com/send; report-to: my-report-group;"

Presets

It's a good idea to group your csp rules into presets. csp-header supports two ways of specifying presets. As an array of policies:

{
    presets: [ cspRulesForSomeServiceAPI, cspRulesForMyStaticCDN, someOtherCSPRules ]
}

or as a map of presets:

{
    presets: {
        api: cspRulesForSomeServiceAPI,
        statics: cspRulesForMyStaticCDN,
        youtubeVideos: cspRulesForYouTube
    }
}

Preset format

If you have a web-service feel free to publish preset of rules for using your service. For example, your service is my-super-service.com. Just publish preset csp-preset-my-super-service containing following code:

modules.exports = {
    'script-src': ['api.my-super-service.com'],
    'img-src': ['images.my-super-service.com']
};

And you'll get a lot of thanks ;)

Community presets

Links

Package Sidebar

Install

npm i csp-header

Weekly Downloads

43,998

Version

5.2.1

License

WTFPL

Unpacked Size

45.8 kB

Total Files

23

Last publish

Collaborators

  • frux