    express-extendcsp

    3.0.0 • Public • Published

    Express middleware for altering the Content-Security-Policy on the fly. Mostly useful in development when you want to make sure that your debugging and stylesheet injection techniques work, but without compromising the CSP you're running in production.

    Examples I've seen so far:

    Usage

    Put express-extendcsp in your middleware stack before the middleware that sets your CSP, and pass it a config object with an add key, specifying which directives to add to the Content-Security-Policy header:

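    require('express')()
      // Must come before the middleware that sets the CSP header
      .use(
        require('express-extendcsp')({
          add: {
            connectSrc: 'ws://*',
            styleSrc: ['blob:', 'data:'],
          },
        })
      )
      // The middleware that sets the production CSP
      .use((req, res, next) => {
        res.setHeader(
          'Content-Security-Policy',
          "default-src 'self'; object-src 'none'"
        );
        next(); // hand over to the next handler so the request does not hang
      });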

    Both camelCased and snake-cased directive names are supported, and you can supply the tokens to add as either a string or an array of strings.
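What adding tokens to a policy involves, as an added example that is not express-extendcsp's own code: it applies the `add` object from the usage above to the header string. The names `extendCsp` and `parseCsp`, the fallback list, and the handling of a missing directive and of `'none'` are assumptions of this example.

```javascript
// Added illustration: merge extra source tokens into a CSP header value.
// extendCsp and its rules are this example's own, not the package's code.

// Fetch directives that fall back to default-src when absent (partial list).
const FALLS_BACK_TO_DEFAULT = new Set([
  'connect-src', 'font-src', 'frame-src', 'img-src', 'manifest-src',
  'media-src', 'object-src', 'script-src', 'style-src', 'worker-src',
]);

// connectSrc -> connect-src; already hyphenated names pass through.
const toHyphenated = (name) =>
  name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...tokens] = part.trim().split(/\s+/);
    // Per CSP, the first occurrence of a directive wins; ignore duplicates.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), tokens);
    }
  }
  return directives;
}

function extendCsp(header, add) {
  const directives = parseCsp(header);
  for (const [rawName, value] of Object.entries(add)) {
    const name = toHyphenated(rawName);
    const extra = Array.isArray(value) ? value : value.split(/\s+/);
    let current = directives.get(name);
    if (!current && FALLS_BACK_TO_DEFAULT.has(name)) {
      // Creating style-src from scratch would silently drop what default-src
      // allowed for styles, so start from a copy of default-src.
      current = [...(directives.get('default-src') || [])];
    }
    // 'none' must stand alone; it is meaningless once sources are added.
    const merged = (current || []).filter((t) => t.toLowerCase() !== "'none'");
    for (const token of extra) {
      if (token && !merged.includes(token)) merged.push(token);
    }
    directives.set(name, merged);
  }
  return [...directives].map(([n, t]) => [n, ...t].join(' ')).join('; ');
}
```

Every added token widens the policy, so a production deployment should assert that the emitted header equals the unextended one.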

    Releases

    Changelog

    Install

    npm i express-extendcsp

    License

    BSD-3-Clause

    Unpacked Size

    21.2 kB

    Total Files

    11

    Collaborators

    • papandreou