JSPM

  • Downloads 23
  • License MIT

Easy method to define standard express headers and assist with Content-Security-Policy including social media widgets

Package Exports

  • express-standard

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (express-standard) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

express-standard

Easy method to define standard express headers and assist with Content-Security-Policy (CSP) including social media widgets

Install 🔨

npm install express-standard

Usage 🔧

const express = require('express');
const headers = require('express-standard');

const app = express();

headers.set({
    "x-powered-by": "Awesomeness"
});

headers.add({
    "Content-Security-Policy": "default-src 'self'"
});

// Placeholder values used by the calls below (not part of the package):
const notEval = true;                      // true: leave 'unsafe-eval' out of the allowance
const protocols = ['https://', 'wss://'];  // protocols to expand a domain into

// headers.add_csp(area, value)   -- area is optional; adds value to that area
// headers.add_csp_self(area)     -- adds 'self' to an area; default area is 'default'
headers.add_csp('https:');    // now "Basic-Content-Security": "default-src 'self' https:"
headers.add_csp('*', 'http:'); // add http: to all *-src
headers.add_csp('style', 'http://yui.yahooapis.com'); // allow PureCSS stylesheet
headers.add_csp_report('script', 'https:');    // report script-src events
headers.add_csp('report-uri', '/csp_report');  // set report callback
headers.add_csp_allow_unsafe('script', notEval); // if notEval is true then 'unsafe-eval' is not included; default area is script
headers.add_domain('mydomain.com', protocols); // default protocols: http://, https:// & ws://
headers.add_domain('mydomain.com', 'https://', true); // https only, all subdomains included
headers.add_domain('style', 'yui.yahooapis.com'); // allow PureCSS stylesheet over all protocols
headers.add_domain('script', ['cdnjs', '*.google.com']); // multiple domains can be supplied as an array
headers.add_domain('default,script,style', 'localhost'); // multiple areas, comma delimited
headers.add_csp_social_widgets(); // default is ['facebook', 'twitter', 'google+']
headers.add_csp_youtube();  // allow youtube
headers.add_csp_firebase(); // allow firebase

app.use(headers.handle);

add_csp areas follow the directive names in http://www.w3.org/TR/CSP/; the -src suffix can be omitted, e.g. headers.add_csp('frame', 'http:') instead of headers.add_csp('frame-src', 'http:').

add_csp_allow_unsafe() is best avoided, as Content Security Policy recommends; it is included only to assist with transitioning to CSP.

For sample report-uri data and social media attribution see: content-security-policy

add_social_widgets() can accept a comma-delimited string, e.g. facebook,twitter
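To make the composition rules above concrete, here is an added example (not express-standard's own code) of a small policy builder that follows the same conventions the README describes: an area given without -src, an omitted area meaning default, '*' appending to every *-src directive already present, comma-delimited areas, and a domain expanded into one source per protocol. The class name, method names, the host cdn.example.net and the stand-in response object are all constructed for this example; the package's real implementation may differ.

```javascript
'use strict';
// Added example, not express-standard's own code. A builder that mirrors the
// README's composition rules so the resulting header value can be inspected.

class CspPolicy {
  constructor() {
    // directive name -> Set of sources; insertion order is the output order
    this.directives = new Map();
  }

  // "frame" -> "frame-src"; "report-uri" and names already ending in -src pass through.
  static directiveName(area) {
    return area === 'report-uri' || area.endsWith('-src') ? area : `${area}-src`;
  }

  // add(sources) targets "default"; add(areas, sources) targets the listed
  // comma-delimited areas; area "*" appends to every *-src directive present.
  add(areas, sources) {
    if (sources === undefined) { sources = areas; areas = 'default'; }
    const list = Array.isArray(sources) ? sources : [sources];
    for (const area of areas.split(',').map((a) => a.trim())) {
      const targets = area === '*'
        ? [...this.directives.keys()].filter((d) => d.endsWith('-src'))
        : [CspPolicy.directiveName(area)];
      for (const name of targets) {
        if (!this.directives.has(name)) this.directives.set(name, new Set());
        for (const src of list) this.directives.get(name).add(src);
      }
    }
    return this;
  }

  addSelf(area = 'default') {
    return this.add(area, "'self'");
  }

  // One source per protocol; with subdomains=true also "*.host" for each protocol.
  addDomain(areas, host, protocols = ['http://', 'https://', 'ws://'], subdomains = false) {
    const hosts = subdomains ? [host, `*.${host}`] : [host];
    const sources = protocols.flatMap((p) => hosts.map((h) => p + h));
    return this.add(areas, sources);
  }

  toString() {
    return [...this.directives]
      .map(([name, sources]) => `${name} ${[...sources].join(' ')}`)
      .join('; ');
  }

  // Express-style middleware: sets the header value and passes control on.
  middleware(headerName = 'Content-Security-Policy') {
    const value = this.toString();
    return (req, res, next) => {
      res.setHeader(headerName, value);
      next();
    };
  }
}

// Re-creates the README's sequence of calls; cdn.example.net is a constructed host.
function buildExamplePolicy() {
  return new CspPolicy()
    .addSelf()                                  // default-src 'self'
    .add('https:')                              // default-src 'self' https:
    .add('style', 'http://yui.yahooapis.com')   // style-src http://yui.yahooapis.com
    .add('*', 'http:')                          // http: appended to every *-src so far
    .addDomain('script', 'cdn.example.net', ['https://'], true)
    .add('report-uri', '/csp_report');
}

// Run the middleware against a stand-in response object and return the headers it set.
function headersSetBy(policy) {
  const res = { headers: {}, setHeader(k, v) { this.headers[k] = v; } };
  let nextCalled = false;
  policy.middleware()({}, res, () => { nextCalled = true; });
  return nextCalled ? res.headers : null;
}

console.log(buildExamplePolicy().toString());
```

Note the effect of the '*' call: http: lands only in the directives that existed at that moment (default-src and style-src), not in the script-src directive added afterwards, which is why ordering matters when building a policy incrementally.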

Powered By 🔧

app.use(headers.powered_by('Awesomeness'));
console.log(headers.get()); // { x-powered-by: "Awesomeness" }

Powered By Details from Application Package 🔧

// package.json: { name: 'Awesomeness', version: '2.0.0', ... }
app.use(headers.app_powered_by(true)); // option to include version
console.log(headers.get());            // { x-powered-by: "Awesomeness/2.0.0" }

SSL Only Basic Content Security Policy 💡

const ssl_only = "default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'";

app.use(headers.set({ "Basic-Content-Security": ssl_only }));
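An SSL-only policy like the one above is only as strict as its weakest source, and the snippet still carries 'unsafe-inline' for scripts and styles, which the README's own note on add_csp_allow_unsafe() says is best avoided. The following added example (not express-standard's code) parses a policy string and reports every source that breaks the https-only intent or weakens it, so a policy can be checked before it ships; the function names and the second sample policy are constructed for this example.

```javascript
'use strict';
// Added example, not express-standard's own code: parse a CSP header value
// and list the sources that undermine an "https only" policy.

// "name src src; name src" -> Map of directive name -> array of sources
function parsePolicy(policy) {
  const out = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out.set(name.toLowerCase(), sources);
  }
  return out;
}

const UNSAFE = new Set(["'unsafe-inline'", "'unsafe-eval'"]);
const SAFE_KEYWORDS = new Set(["'self'", "'none'", "'strict-dynamic'"]);
const HASH_OR_NONCE = /^'(nonce|sha256|sha384|sha512)-/;

// Returns one finding per problematic source: unsafe keywords, unknown
// keywords, and any scheme or host source that is not https/wss.
function lintSslOnly(policy) {
  const findings = [];
  const directives = parsePolicy(policy);
  if (!directives.has('default-src')) {
    findings.push({ directive: 'default-src', source: null, issue: 'missing default-src fallback' });
  }
  for (const [name, sources] of directives) {
    if (!name.endsWith('-src')) continue; // report-uri etc. carry URLs, not source lists
    for (const src of sources) {
      if (UNSAFE.has(src)) {
        findings.push({ directive: name, source: src, issue: 'unsafe keyword' });
      } else if (src.startsWith("'")) {
        if (!SAFE_KEYWORDS.has(src) && !HASH_OR_NONCE.test(src)) {
          findings.push({ directive: name, source: src, issue: 'unknown keyword' });
        }
      } else if (!(src === 'https:' || src === 'wss:' ||
                   src.startsWith('https://') || src.startsWith('wss://'))) {
        findings.push({ directive: name, source: src, issue: 'non-https source' });
      }
    }
  }
  return findings;
}

// The README's SSL-only policy and a constructed policy with a plain-http CDN.
const SSL_ONLY = "default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'";
const MIXED = "default-src 'self' http://cdn.example.net; script-src 'nonce-abc123' https:";

for (const f of lintSslOnly(SSL_ONLY)) console.log(f.directive, f.source, f.issue);
```

Run against SSL_ONLY this prints two findings, one each for script-src and style-src; the default-src line passes because https: alone is the whole allowance. Against MIXED it flags only the http:// host, since 'self' and the nonce are acceptable keywords.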

License: MIT 🔓