content-security-policy-builder

What is content-security-policy-builder?

The content-security-policy-builder npm package is a utility for building Content Security Policy (CSP) headers in a structured and programmatic way. It helps developers create CSP headers by providing a simple API to define various directives and their values.

What are content-security-policy-builder's main functionalities?

Basic CSP Header Construction

This feature allows you to construct a basic CSP header by specifying directives and their sources. The example demonstrates how to create a policy that allows scripts and styles from 'self' and 'example.com'.

const cspBuilder = require('content-security-policy-builder');
const policy = cspBuilder({
  directives: {
    defaultSrc: ['self'],
    scriptSrc: ['self', 'example.com'],
    styleSrc: ['self', 'example.com']
  }
});
console.log(policy); // Outputs: "default-src 'self'; script-src 'self' example.com; style-src 'self' example.com"

Adding Nonce Values

This feature allows you to add nonce values to your CSP directives, which can be used to allow specific inline scripts or styles. The example shows how to add a nonce value to the scriptSrc and styleSrc directives.

const cspBuilder = require('content-security-policy-builder');
const policy = cspBuilder({
  directives: {
    scriptSrc: ['self', 'nonce-2726c7f26c'],
    styleSrc: ['self', 'nonce-2726c7f26c']
  }
});
console.log(policy); // Outputs: "script-src 'self' 'nonce-2726c7f26c'; style-src 'self' 'nonce-2726c7f26c'"

Report URI

This feature allows you to specify a URI where CSP violation reports should be sent. The example demonstrates how to set up a report URI directive.

const cspBuilder = require('content-security-policy-builder');
const policy = cspBuilder({
  directives: {
    defaultSrc: ['self'],
    reportUri: ['/csp-report-endpoint']
  }
});
console.log(policy); // Outputs: "default-src 'self'; report-uri /csp-report-endpoint"

Other packages similar to content-security-policy-builder

helmet-csp

helmet-csp is a middleware for Express.js that helps set Content Security Policy headers. It provides a more integrated approach for Express applications, allowing for easy configuration and dynamic policy generation. Compared to content-security-policy-builder, helmet-csp is more focused on being a middleware solution for Express.

csp-header

csp-header is a package that helps generate CSP headers in a flexible and customizable way. It offers a similar API to content-security-policy-builder but includes additional features like preset policies and easier integration with various frameworks. It is more feature-rich and provides more out-of-the-box configurations compared to content-security-policy-builder.

csp-headers

csp-headers is another package for generating CSP headers. It focuses on simplicity and ease of use, providing a straightforward API for defining CSP directives. While it offers similar functionality to content-security-policy-builder, it is designed to be more lightweight and easier to integrate into small projects.

README

Content Security Policy builder

Take an object and turn it into a Content Security Policy string.

It can handle a lot of things you can you throw at it; camelCased or dash-separated directives, arrays or strings, et cetera.

Usage:

const builder = require("content-security-policy-builder");

// default-src 'self' default.com; script-src scripts.com; whatever-src something; object-src
builder({
  directives: {
    defaultSrc: ["'self'", "default.com"],
    scriptSrc: "scripts.com",
    "whatever-src": "something",
    objectSrc: true,
  },
});

This module is considered "complete". I expect to continue maintenance if needed, but I don't plan to add features or make breaking changes.

Changelog

2.2.0 - 2024-04-25

Added

• Added ECMAScript Module support

Removed

• Breaking: Drop support for old Node versions. Node 18+ is now required