A Content Security Policy (CSP) plugin for hapi.

This plugin depends on scooter (`@hapi/scooter`) to function, so register it alongside blankie.

To use it:
```js
'use strict';

const Hapi = require('@hapi/hapi');
const Blankie = require('blankie');
const Scooter = require('@hapi/scooter');

const internals = {};

const server = Hapi.server();

internals.init = async () => {

    await server.register([Scooter, {
        plugin: Blankie,
        options: {} // specify options here
    }]);

    await server.start();
};

internals.init().catch((err) => {

    throw err;
});
```
Options may also be set on a per-route basis:
```js
'use strict';

const Hapi = require('@hapi/hapi');
const Blankie = require('blankie');   // registered together with Scooter as in the example above
const Scooter = require('@hapi/scooter');

const server = Hapi.server();

server.route({
    method: 'GET',
    path: '/something',
    config: {
        handler: (request, h) => {

            return 'these settings are changed';
        },
        plugins: {
            blankie: {
                scriptSrc: 'self'
            }
        }
    }
});
```
Note that this setting will NOT be merged with your server-wide settings. You may also set `config.plugins.blankie` equal to `false` on a route to disable CSP headers completely for that route.
Available options:

- `baseUri`: Values for the `base-uri` directive. Defaults to `'self'`.
- `childSrc`: Values for the `child-src` directive.
- `connectSrc`: Values for the `connect-src` directive. Defaults to `'self'`.
- `defaultSrc`: Values for the `default-src` directive. Defaults to `'none'`.
- `fontSrc`: Values for the `font-src` directive.
- `formAction`: Values for the `form-action` directive.
- `frameAncestors`: Values for the `frame-ancestors` directive.
- `frameSrc`: Values for the `frame-src` directive.
- `imgSrc`: Values for the `img-src` directive. Defaults to `'self'`.
- `manifestSrc`: Values for the `manifest-src` directive.
- `mediaSrc`: Values for the `media-src` directive.
- `objectSrc`: Values for the `object-src` directive.
- `oldSafari`: Force enabling buggy CSP for Safari 5.
- `pluginTypes`: Values for the `plugin-types` directive.
- `reflectedXss`: Value for the `reflected-xss` directive. Must be one of `'allow'`, `'block'` or `'filter'`.
- `reportOnly`: Append `-Report-Only` to the name of the CSP header to enable report-only mode.
- `reportUri`: Value for the `report-uri` directive. This should be the path to a route that accepts CSP violation reports.
- `requireSriFor`: Value for the `require-sri-for` directive.
- `sandbox`: Values for the `sandbox` directive. May be a boolean or one of `'allow-forms'`, `'allow-same-origin'`, `'allow-scripts'` or `'allow-top-navigation'`.
- `scriptSrc`: Values for the `script-src` directive. Defaults to `'self'`.
- `styleSrc`: Values for the `style-src` directive. Defaults to `'self'`.
- `workerSrc`: Values for the `worker-src` directive. Defaults to `'self'`.
- `generateNonces`: Whether or not to automatically generate nonces. Defaults to `true`. May be a boolean or one of `'script'` or `'style'`. When enabled, your templates rendered through vision will have `script-nonce` and/or `style-nonce` automatically added to their context; additionally, `request.plugins.blankie.nonces` will contain one or both of the `script` and `style` properties containing these values for use outside of vision.