JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 135435
  • Score
    100M100P100Q163292F
  • License WTFPL

Content-Security-Policy header generator

Package Exports

  • csp-header

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (csp-header) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

csp-header

Content-Security-Policy header generator for Node.JS

Usage

const csp = require('csp-header');
csp({
    policies: {
        'script-src': [
            csp.SELF,
            csp.INLINE,
            csp.EVAL,
            csp.nonce('gg3g43#$g32gqewgaAEGeag2@#GFQ#g=='),
            'example.com'
        ],
        'style-src': [
            csp.SELF,
            'mystyle.net'
        ]
    }
    'report-uri': 'https://cspreport.com/send'
});

// result: "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-gg3g43#$g32gqewgaAEGeag2@#GFQ#g==' example.com; style-src 'self' mystyle.net; report-uri https://cspreport.com/send;"

Params

{
    policies: { [key: string]: string[] },
    presets: policies[] | { [key: string]: policies }
    'report-uri': string,
    extend: policies // DEPRECATED use presets instead
}

Presets

It's a good idea to group your csp rules into presets. csp-header supports two ways of specifying presets. As an array of policies:

{
    presets: [ cspRulesForSomeServiceAPI, cspRulesForMyStaticCDN, someOtherCSPRules ]
}

or as a map of presets:

{
    presets: {
        api: cspRulesForSomeServiceAPI,
        statics: cspRulesForMyStaticCDN,
        youtubeVideos: cspRulesForYouTube
    }
}

Preset format

If you have a web-service feel free to publish preset of rules for using your service. For example, your service is my-super-service.com. Just publish preset csp-preset-my-super-service containing following code:

modules.exports = {
    'script-src': ['api.my-super-service.com'],
    'img-src': ['images.my-super-service.com']
};

And you'll get a lot of thanks ;)

BREAKING CHANGES in csp-header@2

policies was renamed to directives

Minimal supported version of Node.JS is 8

Dropped support of extend

extend was marked as deprecated in previous versions. It doesn't work anymore. Use presets instead.

Dropped support of specifying presets as a string

csp-header used to require preset if you specify it as a string. Now, you should require it by yourself. Before:

{
    //...
    presets: ['csp-preset-myservice']
}

Now:

{
    //...
    presets: [require('csp-preset-myservice')]
}

Calling with no arguments returns an empty string

It used to return undefined.