Content security policy management tool
Simplify "Content-Security-Policy" header generation.
As with any npm module, you can install it as a dependency of your project with:
npm i csp-tool
or globally using:
npm i -g csp-tool
This package exposes a CLI tool that generates a JSON file listing every child file of a given directory.
To use it with the default hash algorithm (sha256), run this in your terminal if you installed it globally:
csp-tool <your-assets-folder-here>
or, if you installed it as a dependency of your project:
./node_modules/.bin/csp-tool <your-assets-folder-here>
Running the CLI should output JSON formatted like this in your terminal:
{
"<file-path-relative-to-your-assets-folder>": "<cipher-used>-<hash-of-the-file-according-to-the-cipher-used>",
...
}
If you want to use a different hash algorithm, provide it using the CSP_HASH_ALGORITHM environment variable:
CSP_HASH_ALGORITHM=sha512 csp-tool <your-assets-folder-here>
Three hash algorithms are currently supported:
sha256
sha384
sha512
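How a map like the one above can be produced and turned into a directive, as an added example that is not csp-tool's own code. All function names are hypothetical, and the base64 digest encoding is the one CSP hash sources use, assumed here to match the tool's output.

```javascript
// Added example, not csp-tool's source; all function names are hypothetical.
const { createHash } = require('node:crypto');
const fs = require('node:fs');
const path = require('node:path');

// The three algorithms the README lists.
const ALGORITHMS = ['sha256', 'sha384', 'sha512'];

function checkAlgorithm(algorithm) {
  if (!ALGORITHMS.includes(algorithm)) {
    throw new Error(`Unsupported hash algorithm: ${algorithm}`);
  }
  return algorithm;
}

// Mirrors the README's CSP_HASH_ALGORITHM variable, defaulting to sha256.
function resolveAlgorithm(env = process.env) {
  return checkAlgorithm(env.CSP_HASH_ALGORITHM || 'sha256');
}

// Returns "<algorithm>-<base64 digest>", the form a CSP hash source takes.
function hashSource(content, algorithm = 'sha256') {
  const digest = createHash(checkAlgorithm(algorithm)).update(content).digest('base64');
  return `${algorithm}-${digest}`;
}

// Maps every regular file under rootDir (relative path) to its hash source.
// Symbolic links are skipped so the walk never leaves the assets folder.
function hashDirectory(rootDir, algorithm = 'sha256', dir = rootDir, out = {}) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) {
      hashDirectory(rootDir, algorithm, full, out);
    } else if (entry.isFile()) {
      const rel = path.relative(rootDir, full).split(path.sep).join('/');
      out[rel] = hashSource(fs.readFileSync(full), algorithm);
    }
  }
  return out;
}

// Builds one directive from a path-to-hash map: deduplicated, quoted sources.
function buildDirective(name, hashes) {
  const sources = [...new Set(Object.values(hashes))].sort();
  return `${name} ${sources.map((h) => `'${h}'`).join(' ')}`;
}
```

CSP Level 2 matches hash sources against inline script and style content only; matching an external script by hash additionally relies on CSP Level 3 support and an `integrity` attribute on the element.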
There are currently two methods exported by this package. I will provide their detailed signatures here in a future version.
By the way, if you require/import it in your project, usage hints should be provided in Microsoft Visual Studio Code ® thanks to JSDoc.
As far as I know, it should also provide the same kind of hints in WebStorm.
Let me know through the project issues if something is not working for you.
The whole API will be documented directly in the API section in version 0.4.0.
This will be handled in version 1.0.0. By the way, don't be rude ;)
I based my work on the following documents, repositories and articles, freely accessible on the internet:
- https://scotthelme.co.uk/content-security-policy-an-introduction/
- https://developers.google.com/web/fundamentals/security/csp
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- https://developer.mozilla.org/fr/docs/Web/HTTP/CSP
- https://xo.tc/calculating-a-base64-encoded-sha256-sum-of-inline-scripts-for-your-content-security-policy.html
- https://www.w3.org/TR/CSP2/#script-src-hash-usage
- https://git.coolaj86.com/coolaj86/btoa.js