@fluvial/csp
Readme
Content-Security-Policy (often shortened to "CSP") is a header that can be set to help restrict the sources of content used on a website. It can restrict where JavaScript, CSS, images, and other assets may originate, which is necessary to mitigate many attack vectors that rely on injecting something into your website without your knowledge. A fuller overview of CSP can be found on MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.
This middleware is written based on the CSP portion of the helmet package. It isn't a straight-across port, but it keeps to the defaults that helmet provides. It also adds several helpful methods to the Response object that can dynamically include SHA256, SHA384, or SHA512 hashes and nonces in the CSP header, which makes it easier for compilation tools and server-side rendering solutions to tap into it.
// e.g., in a main application file, where `app` is your Fluvial Application (or Router)
import { csp } from '@fluvial/csp';
// registers the middleware with the default (helmet-style) directives
app.use(csp());
csp(options?: CspOptions)

Arguments:
- options (optional) - a CspOptions object with the following properties:
  - directives (optional) - an object whose keys are either camelCase or kebab-case CSP directives and whose values are arrays of strings, each one a permitted source for that directive
  - reportOnly (optional) - boolean for whether CSP infractions should be sent in a report to a URL specified in the Report-To header (see the example here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to)

Returns a Fluvial function that adds the CSP header as configured when provided to a Router or Application.
Response methods added

res.addNonceToCsp(directiveName: string, nonceValue: string): Response

Adds a nonce to the specified directive and updates the header. A "nonce" is an unguessable, unique value that can be used to identify a script as being okay to load. The value should be generated per request (never the same between requests) so that the nonce cannot be copied and used instead of the real script by malicious code running on your website.

Arguments:
- directiveName - string name of the directive you wish to update (e.g., 'defaultSrc' or 'default-src')
- nonceValue - string value that is the nonce you wish to use

Returns the same Response object that it was called on, which can be useful for chaining.
res.addSha256ToCsp(directiveName: string, hashOrBytes: string | Buffer): Response

Adds a SHA256 hash to the specified directive.

Arguments:
- directiveName - string name of the directive you wish to update
- hashOrBytes - either a string containing the pre-generated SHA256 hash, or a Buffer containing the file's contents for which it will generate the hash

Returns the same Response object that it was called on, which can be useful for chaining.

res.addSha384ToCsp(directiveName: string, hashOrBytes: string | Buffer): Response

Adds a SHA384 hash to the specified directive.

Arguments:
- directiveName - string name of the directive you wish to update
- hashOrBytes - either a string containing the pre-generated SHA384 hash, or a Buffer containing the file's contents for which it will generate the hash

Returns the same Response object that it was called on, which can be useful for chaining.

res.addSha512ToCsp(directiveName: string, hashOrBytes: string | Buffer): Response

Adds a SHA512 hash to the specified directive.

Arguments:
- directiveName - string name of the directive you wish to update
- hashOrBytes - either a string containing the pre-generated SHA512 hash, or a Buffer containing the file's contents for which it will generate the hash

Returns the same Response object that it was called on, which can be useful for chaining.
See something you want this middleware to do? Find a bug? Feel free to open an issue or a PR with the fix or feature you want to add.
A fluvial-compatible Content Security Policy middleware