express-extendcsp

3.0.0 • Public • Published

express-extendcsp

NPM version Build Status Coverage Status Dependency Status

Express middleware for altering the Content-Security-Policy on the fly. Mostly useful in development when you want to make sure that your debugging and stylesheet injection techniques work, but without compromsing the CSP you're running in production.

Examples I've seen so far:

Usage

Put express-extendcsp in your middleware stack before the middleware that sets your CSP, and pass it a config object with an add key, specifying which directives to add to the Content-Security-Policy header:

require('express')()
  .use(
    require('express-extendcsp')({
      add: {
        connectSrc: 'ws://*',
        styleSrc: ['blob:', 'data:'],
      },
    })
  )
  .use((req, res, next) => {
    res.setHeader(
      'Content-Security-Policy',
      "default-src 'self'; object-src 'none'"
    );
  });

Both camelCased and snake-cased directive names are supported, and you can supply the tokens to add as either a string or an array of strings.

Releases

Changelog

Package Sidebar

Install

npm i express-extendcsp

Weekly Downloads

342

Version

3.0.0

License

BSD-3-Clause

Unpacked Size

21.2 kB

Total Files

11

Last publish

Collaborators

  • papandreou