a hapi CSP plugin
Branch: master
Clone or download
Latest commit 926fca3 Dec 20, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore cleanup Oct 5, 2017
README.md add support for worker-src, closes #27 Dec 20, 2018
package-lock.json 4.1.0 Dec 20, 2018
package.json 4.1.0 Dec 20, 2018



A CSP plugin for hapi.


This plugin depends on scooter to function.

To use it:

'use strict';

const Hapi = require('hapi');
const Blankie = require('blankie');
const Scooter = require('scooter');

const internals = {};

const server = Hapi.server();

internals.init = async () => {

    await server.register([Scooter, {
        plugin: Blankie,
        options: {} // specify options here

    await server.start();

internals.init().catch((err) => {

    throw err;

Options may also be set on a per-route basis:

'use strict';

const Hapi = require('hapi');
const Blankie = require('blankie');
const Scooter = require('scooter');

const server = Hapi.server();

    method: 'GET',
    path: '/something',
    config: {
        handler: (request, h) => {

            return 'these settings are changed';
        plugins: {
            blankie: {
                scriptSrc: 'self'

Note that this setting will NOT be merged with your server-wide settings.

You may also set config.plugins.blankie equal to false on a route to disable CSP headers completely for that route.


  • baseUri: Values for base-uri directive. Defaults 'self'.
  • childSrc: Values for child-src directive.
  • connectSrc: Values for the connect-src directive. Defaults 'self'.
  • defaultSrc: Values for the default-src directive. Defaults to 'none'.
  • fontSrc: Values for the font-src directive.
  • formAction: Values for the form-action directive.
  • frameAncestors: Values for the frame-ancestors directive.
  • frameSrc: Values for the frame-src directive.
  • imgSrc: Values for the image-src directive. Defaults to 'self'.
  • manifestSrc: Values for the manifest-src directive.
  • mediaSrc: Values for the media-src directive.
  • objectSrc: Values for the object-src directive.
  • oldSafari: Force enabling buggy CSP for Safari 5.
  • pluginTypes: Values for the plugin-types directive.
  • reflectedXss: Value for the reflected-xss directive. Must be one of 'allow', 'block' or 'filter'.
  • reportOnly: Append '-Report-Only' to the name of the CSP header to enable report only mode.
  • reportUri: Value for the report-uri directive. This should be the path to a route that accepts CSP violation reports.
  • requireSriFor: Value for require-sri-for directive.
  • sandbox: Values for the sandbox directive. May be a boolean or one of 'allow-forms', 'allow-same-origin', 'allow-scripts' or 'allow-top-navigation'.
  • scriptSrc: Values for the script-src directive. Defaults to 'self'.
  • styleSrc: Values for the style-src directive. Defaults to 'self'.
  • workerSrc: Values for the worker-src directive. Defaults to 'self'.
  • generateNonces: Whether or not to automatically generate nonces. Defaults to true. May be a boolean or one of 'script' or 'style'. When enabled your templates rendered through vision will have script-nonce and/or style-nonce automatically added to their context, additionally request.plugins.blankie.nonces will contain one or both of the 'script' and 'style' properties containing these values for use outside of vision.