JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 135435
  • Score
    100M100P100Q163271F
  • License WTFPL

Content-Security-Policy header generator

Package Exports

  • csp-header
  • csp-header/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (csp-header) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

csp-header

NPM version NPM downloads Dependency Status

Content-Security-Policy header generator for Node.js.

Install

npm install --save csp-header

Usage

const { getCSP, nonce, EVAL, INLINE, SELF } = require('csp-header');

getCSP({
    directives: {
        'script-src': [
            SELF,
            INLINE,
            EVAL,
            nonce('gg3g43#$g32gqewgaAEGeag2@#GFQ#g=='),
            'example.com'
        ],
        'style-src': [
            SELF,
            'mystyle.net'
        ]
    },
    reportUri: 'https://cspreport.com/send'
});

// result: "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-gg3g43#$g32gqewgaAEGeag2@#GFQ#g==' example.com; style-src 'self' mystyle.net; report-uri https://cspreport.com/send;"

Params

{
    directives: { [key: string]: string[] },
    presets: policies[] | { [key: string]: policies },
    reportUri: string,
    extend: policies // DEPRECATED use presets instead
}

CSP violation report

There are two ways to send CSP violation report. The first is a report-uri directive. Though it's supported by this library, it's deprecated and should be used only for old browsers. The modern way is a report-to directive. Note that csp-header only build a Content-Security-Policy header, so you have to manage Report-To header on your own. But if you use Express, there's an express-csp-header middleware that takes care about it.

const { getCSP, nonce, EVAL, INLINE, SELF } = require('csp-header');

getCSP({
    directives: {
        'script-src': [SELF],
        'report-to': 'my-report-group'
    },
    reportUri: 'https://cspreport.com/send'
});

// result: "script-src 'self'; report-uri https://cspreport.com/send; report-to: my-report-group;"

Presets

It's a good idea to group your csp rules into presets. csp-header supports two ways of specifying presets. As an array of policies:

{
    presets: [ cspRulesForSomeServiceAPI, cspRulesForMyStaticCDN, someOtherCSPRules ]
}

or as a map of presets:

{
    presets: {
        api: cspRulesForSomeServiceAPI,
        statics: cspRulesForMyStaticCDN,
        youtubeVideos: cspRulesForYouTube
    }
}

Preset format

If you have a web-service feel free to publish preset of rules for using your service. For example, your service is my-super-service.com. Just publish preset csp-preset-my-super-service containing following code:

modules.exports = {
    'script-src': ['api.my-super-service.com'],
    'img-src': ['images.my-super-service.com']
};

And you'll get a lot of thanks ;)

Community presets