⚠️ ARCHIVED: Repository became a part of monorepo frux/csp ⚠️
Content-Security-Policy header generator for Node.js.
```sh
npm install --save csp-header
```

```js
const { getCSP, nonce, EVAL, INLINE, SELF } = require('csp-header');

getCSP({
  directives: {
    'script-src': [
      SELF,
      INLINE,
      EVAL,
      nonce('gg3g43#$g32gqewgaAEGeag2@#GFQ#g=='),
      'example.com'
    ],
    'style-src': [
      SELF,
      'mystyle.net'
    ]
  },
  reportUri: 'https://cspreport.com/send'
});
// result: "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-gg3g43#$g32gqewgaAEGeag2@#GFQ#g==' example.com; style-src 'self' mystyle.net; report-uri https://cspreport.com/send;"
```

`getCSP` accepts an options object of the following shape:

```ts
{
  directives: { [key: string]: string[] },
  presets: policies[] | { [key: string]: policies },
  reportUri: string,
  extend: policies // DEPRECATED use presets instead
}
```

It's a good idea to group your CSP rules into presets. csp-header supports two ways of specifying presets. As an array of policies:
```js
{
  presets: [ cspRulesForSomeServiceAPI, cspRulesForMyStaticCDN, someOtherCSPRules ]
}
```

or as a map of presets:

```js
{
  presets: {
    api: cspRulesForSomeServiceAPI,
    statics: cspRulesForMyStaticCDN,
    youtubeVideos: cspRulesForYouTube
  }
}
```

If you run a web service, feel free to publish a preset of rules for using it. For example, if your service is my-super-service.com, just publish a preset `csp-preset-my-super-service` containing the following code:

```js
module.exports = {
  'script-src': ['api.my-super-service.com'],
  'img-src': ['images.my-super-service.com']
};
```

And you'll get a lot of thanks ;)
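As an added example that is not csp-header's own code, the following re-implements the directives/presets/reportUri contract described above in a few lines (presets in array or map form merged into one policy and serialized in the format of the result comment) and adds a check that lists directives still allowing `'unsafe-inline'` or `'unsafe-eval'`. The function names (`mergeConfig`, `buildCSP`, `unsafeDirectives`), the merge semantics (presets first, explicit directives on top, duplicates dropped) and the sample preset domains are assumptions.

```javascript
// Keyword helpers mirroring the names the page uses (SELF, INLINE, EVAL, nonce).
const SELF = "'self'";
const INLINE = "'unsafe-inline'";
const EVAL = "'unsafe-eval'";
const nonce = (value) => `'nonce-${value}'`;

// Presets may be given as an array of policies or as a map of named policies.
function presetsToList(presets) {
  if (!presets) return [];
  return Array.isArray(presets) ? presets : Object.values(presets);
}

// Merge policies into one table, de-duplicating sources per directive (first-seen order).
function mergePolicies(policies) {
  const merged = {};
  for (const policy of policies) {
    for (const [directive, sources] of Object.entries(policy)) {
      merged[directive] = [...new Set([...(merged[directive] || []), ...sources])];
    }
  }
  return merged;
}

// Assumed order: presets are applied first, then the explicit directives on top of them.
function mergeConfig({ directives = {}, presets = [] } = {}) {
  return mergePolicies([...presetsToList(presets), directives]);
}

// Serialize like the page's example: "dir sources; ...; report-uri url;" ('' if empty).
function buildCSP(config = {}) {
  const parts = Object.entries(mergeConfig(config))
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`);
  if (config.reportUri) parts.push(`report-uri ${config.reportUri}`);
  return parts.length ? parts.join('; ') + ';' : '';
}

// Defender check: directives of the final policy still allowing 'unsafe-inline'/'unsafe-eval'.
function unsafeDirectives(config = {}) {
  return Object.entries(mergeConfig(config))
    .filter(([, sources]) => sources.includes(INLINE) || sources.includes(EVAL))
    .map(([directive]) => directive);
}

// Constructed sample (not real services): map-form presets plus local directives.
const sampleConfig = {
  presets: { api: { 'script-src': ['api.example.com'] },
             statics: { 'script-src': [SELF], 'img-src': ['cdn.example.com'] } },
  directives: { 'script-src': [SELF, INLINE, nonce('r4nd0m')] }
};
console.log(buildCSP(sampleConfig), unsafeDirectives(sampleConfig));
```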
For compatibility with JS we have to export `getCSP` as a named export.

```js
const { getCSP } = require('csp-header');
```

`extend` was marked as deprecated in previous versions and no longer works. Use `presets` instead.

csp-header used to `require` a preset itself when you specified it as a string. Now you have to require it yourself.

Before:

```js
{
  //...
  presets: ['csp-preset-myservice']
}
```

Now:

```js
{
  //...
  presets: [require('csp-preset-myservice')]
}
```

It used to return undefined.