Package Exports
- helmet-csp
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (helmet-csp) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
Content Security Policy middleware
Content Security Policy helps prevent unwanted content being injected into your webpages; this can mitigate XSS vulnerabilities, unintended frames, malicious frames, and more. If you want to learn how CSP works, check out the fantastic HTML5 Rocks guide, the Content Security Policy Reference, and the Content Security Policy specification.
Usage:
var csp = require('helmet-csp');
app.use(csp({
defaultSrc: ["'self'", 'default.com'],
scriptSrc: ['scripts.com'],
styleSrc: ['style.com'],
imgSrc: ['img.com'],
connectSrc: ['connect.com'],
fontSrc: ['font.com'],
objectSrc: ['object.com'],
mediaSrc: ['media.com'],
frameSrc: ['frame.com'],
sandbox: ['allow-forms', 'allow-scripts'],
reportUri: '/report-violation',
reportOnly: false, // set to true if you only want to report errors
setAllHeaders: false, // set to true if you want to set all headers
safari5: false // set to true if you want to force buggy CSP in Safari 5
}));You can specify keys in a camel-cased fashion (imgSrc) or dashed (img-src); they are equivalent.
There are a lot of inconsistencies in how browsers implement CSP. Helmet sniffs the user-agent of the browser and sets the appropriate header and value for that browser. If no user-agent is matched, it will set all the headers with the 1.0 spec.
Note: If you're using the reportUri feature and you're using csurf, you might have errors. Check this out for a workaround.