What is content-security-policy-builder?
The content-security-policy-builder npm package is a utility for building Content Security Policy (CSP) headers in a structured and programmatic way. It helps developers create CSP headers by providing a simple API to define various directives and their values.
What are content-security-policy-builder's main functionalities?
Basic CSP Header Construction
This feature allows you to construct a basic CSP header by specifying directives and their sources. The example demonstrates how to create a policy that allows scripts and styles from 'self' and 'example.com'.
const cspBuilder = require('content-security-policy-builder');
const policy = cspBuilder({
directives: {
defaultSrc: ['self'],
scriptSrc: ['self', 'example.com'],
styleSrc: ['self', 'example.com']
}
});
console.log(policy); // Outputs: "default-src 'self'; script-src 'self' example.com; style-src 'self' example.com"
Adding Nonce Values
This feature allows you to add nonce values to your CSP directives, which can be used to allow specific inline scripts or styles. The example shows how to add a nonce value to the scriptSrc and styleSrc directives.
const cspBuilder = require('content-security-policy-builder');
const policy = cspBuilder({
directives: {
scriptSrc: ['self', 'nonce-2726c7f26c'],
styleSrc: ['self', 'nonce-2726c7f26c']
}
});
console.log(policy); // Outputs: "script-src 'self' 'nonce-2726c7f26c'; style-src 'self' 'nonce-2726c7f26c'"
Report URI
This feature allows you to specify a URI where CSP violation reports should be sent. The example demonstrates how to set up a report URI directive.
const cspBuilder = require('content-security-policy-builder');
const policy = cspBuilder({
directives: {
defaultSrc: ['self'],
reportUri: ['/csp-report-endpoint']
}
});
console.log(policy); // Outputs: "default-src 'self'; report-uri /csp-report-endpoint"
Other packages similar to content-security-policy-builder
helmet-csp
helmet-csp is a middleware for Express.js that helps set Content Security Policy headers. It provides a more integrated approach for Express applications, allowing for easy configuration and dynamic policy generation. Compared to content-security-policy-builder, helmet-csp is more focused on being a middleware solution for Express.
csp-header
csp-header is a package that helps generate CSP headers in a flexible and customizable way. It offers a similar API to content-security-policy-builder but includes additional features like preset policies and easier integration with various frameworks. It is more feature-rich and provides more out-of-the-box configurations compared to content-security-policy-builder.
csp-headers
csp-headers is another package for generating CSP headers. It focuses on simplicity and ease of use, providing a straightforward API for defining CSP directives. While it offers similar functionality to content-security-policy-builder, it is designed to be more lightweight and easier to integrate into small projects.
Content Security Policy builder
Take an object and turn it into a Content Security Policy string.
It can handle a lot of things you can you throw at it; camelCased
or dash-separated
directives, arrays or strings, et cetera.
Usage:
const builder = require("content-security-policy-builder");
builder({
directives: {
defaultSrc: ["'self'", "default.com"],
scriptSrc: "scripts.com",
"whatever-src": "something",
objectSrc: true,
},
});
This module is considered "complete". I expect to continue maintenance if needed, but I don't plan to add features or make breaking changes.