csp-by-api
csp-by-api makes Content Security Policy (CSP) management easier by letting developers specify the third-party services they use by name; these are then merged into the base policy to create the final CSP.
This package itself knows the required CSP policies for:
- braintree: Braintree Payments
- clearbit: Clearbit
- digiCertSiteSeal: DigiCert Site Seal
- googleAnalytics: Google Analytics
- googleFonts: Google Fonts
- gravatar: Gravatar
- magicSignup: Magic Signup
- mixpanel: Mixpanel
- olark: Olark
- perfectAudience: Perfect Audience
- ractive: Ractive.js
- rollbar: Rollbar
- stormpath: Stormpath
- stripe: Stripe
- twitter: Twitter oembed API
- twitterAnalytics: Twitter analytics
- typekit: Typekit
- vimeo: Vimeo
Official policies are used wherever they're made available, and all are tested in a production app.
CSP By API doesn't implement CSP in node. Use an existing node CSP implementation like Helmet or express-csp for that. Instead, CSP By API significantly cuts down on:
First, define the base policy for your own app. For example:
```javascript
var cspByAPI = require('csp-by-api')

// The quoted CSP keywords, defined once so they can be reused across directives.
var CSP_SELF = "'self'"
var CSP_UNSAFE_INLINE = "'unsafe-inline'"

// This is the policy for your own app only. You don't need to worry about third parties at all!
var basePolicy = {
  defaultSrc: [CSP_SELF],
  scriptSrc: [CSP_SELF],
  styleSrc: [CSP_SELF, CSP_UNSAFE_INLINE],
  fontSrc: [],
  imgSrc: [CSP_SELF, 'data:'],
  connectSrc: [CSP_SELF],
  frameSrc: [],
  reportUri: "/csp-violation",
  reportOnly: true
}
```
Then add the apps you use. csp-by-api will combine them for you:
```javascript
var policy = cspByAPI(basePolicy, [
  'twitter',
  'mixpanel',
  'googleFonts'
]);
```
Then, for example, using Express and Helmet:
```javascript
var helmet = require('helmet');
app.use(helmet.contentSecurityPolicy({
  directives: policy
}));
```
Add more policies! Send a pull request to add a policy for another service. Include a reference to the official policy if one exists, or state that there is no official policy if none exists.
Go for it! Just take policies.js (it's just JSON plus comments, hence the .js extension) and make sure you regularly update it from this project!
You can also create your own custom policies and pass them to the API: if exampleThing is not provided by this library, you can still define it yourself and use it alongside the named ones:
```javascript
var exampleThing = {
  scriptSrc: ['js.example.com', 'api.example.com'],
  imgSrc: ['q.example.com'],
  connectSrc: ['api.example.com'],
  frameSrc: ['js.example.com']
}
cspByAPI(basePolicy, [
  exampleThing,
  'googleFonts'
])
```
You should still send a pull request though!
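To make the merge step concrete, here is an added example (not the csp-by-api package's own code) that re-creates what cspByAPI() does with both a named service and a custom policy object, and then serialises the result into a header. The service catalogue below is hypothetical: the host names are placeholders for illustration, not the vetted values in the package's policies.js, and the function names are this example's own.

```javascript
// Added example, not code from the csp-by-api package: a minimal re-creation of
// the merge that cspByAPI() performs (named services and custom policy objects
// unioned into a base policy), plus serialisation into a CSP header value.

var CSP_SELF = "'self'";
var CSP_UNSAFE_INLINE = "'unsafe-inline'";

// Hypothetical catalogue: service name -> the directives that service needs.
// Hosts are placeholders, not the package's real policy entries.
var catalogue = {
  googleFonts: {
    styleSrc: ['fonts.googleapis.com'],
    fontSrc: ['fonts.gstatic.com']
  },
  exampleWidget: {
    scriptSrc: ['js.widget.example'],
    connectSrc: ['api.widget.example'],
    imgSrc: ['data:']   // overlaps with the base policy; must not be duplicated
  }
};

// Keys that are not source lists; they belong to the app, never to a service.
var NON_SOURCE_KEYS = { reportUri: true, reportOnly: true };

function mergePolicies(basePolicy, services) {
  // Copy the base policy so the caller's object is never mutated.
  var merged = {};
  Object.keys(basePolicy).forEach(function (key) {
    var value = basePolicy[key];
    merged[key] = Array.isArray(value) ? value.slice() : value;
  });

  services.forEach(function (service) {
    var policy = typeof service === 'string' ? catalogue[service] : service;
    if (!policy) {
      // Fail closed: silently ignoring a typo would ship a policy that
      // blocks the service in production.
      throw new Error('Unknown service: ' + service);
    }
    Object.keys(policy).forEach(function (directive) {
      if (NON_SOURCE_KEYS[directive]) return;
      var sources = merged[directive] || [];
      policy[directive].forEach(function (src) {
        if (sources.indexOf(src) === -1) sources.push(src);  // set union
      });
      merged[directive] = sources;
    });
  });
  return merged;
}

// scriptSrc -> script-src, reportUri -> report-uri
function toDirectiveName(key) {
  return key.replace(/[A-Z]/g, function (c) { return '-' + c.toLowerCase(); });
}

// Header value. Directives still empty after the merge are omitted, so they
// fall back to default-src; reportOnly is not a directive and is skipped.
function toHeaderValue(policy) {
  return Object.keys(policy)
    .filter(function (key) { return key !== 'reportOnly'; })
    .filter(function (key) {
      var v = policy[key];
      return Array.isArray(v) ? v.length > 0 : v !== undefined;
    })
    .map(function (key) {
      var v = policy[key];
      return toDirectiveName(key) + ' ' + (Array.isArray(v) ? v.join(' ') : v);
    })
    .join('; ');
}

// reportOnly only selects which header carries the policy.
function headerName(policy) {
  return policy.reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
}

// The base policy from the README above.
var basePolicy = {
  defaultSrc: [CSP_SELF],
  scriptSrc: [CSP_SELF],
  styleSrc: [CSP_SELF, CSP_UNSAFE_INLINE],
  fontSrc: [],
  imgSrc: [CSP_SELF, 'data:'],
  connectSrc: [CSP_SELF],
  frameSrc: [],
  reportUri: '/csp-violation',
  reportOnly: true
};

// A named service plus a custom policy object, the two forms cspByAPI() accepts.
var finalPolicy = mergePolicies(basePolicy, [
  'googleFonts',
  { scriptSrc: ['js.example.com'], frameSrc: ['js.example.com'] }
]);

console.log(headerName(finalPolicy) + ': ' + toHeaderValue(finalPolicy));
```

With reportOnly set, browsers only post violations to the report-uri and enforce nothing, which is the right way to roll a merged policy out: review the reports, then flip reportOnly off. Note the fallback choice for empty directives: if a directive such as frameSrc is meant to block everything rather than inherit default-src, put 'none' in it explicitly.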
Some of these are just general notes about CSP, but you'll still find them useful.
script-src 'unsafe-inline': you will likely need to move the content of inline scripts (<script> tags without a src) to a separate <script src=""> tag on your server.
To include server variables in the browser without using inline JavaScript, make a non-executable <script> tag, e.g. in your server-side template:
```html
{{# serverVars }}
<script class="server-vars" type="application/x-configuration">
{{{ . }}}
</script>
{{/ serverVars }}
```
Then, in an external script served from your server:
```javascript
var serverVarsElement = document.getElementsByClassName('server-vars')[0]
if ( serverVarsElement ) {
  window.serverVars = JSON.parse(serverVarsElement.textContent);
}
```
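The pattern above needs one caveat on the server side: the {{{ . }}} slot is unescaped, and the HTML parser ends a <script> element at the first "</script>" it sees regardless of JSON quoting, so the serialised value must never contain a raw "<". The following added example (not code from the README) shows a serialiser that escapes such characters as JSON \u sequences, which JSON.parse turns back into the original characters, together with the reading side written so it can run without a DOM. The function names and the sample data are this example's own.

```javascript
// Added example, not from the csp-by-api README: safely serialising server
// variables into a non-executable <script> block, and reading them back.

// JSON.stringify alone does not escape "<", so a string value containing
// "</script>" would terminate the element early. Escaping "<" as \u003c
// (and, for good measure, ">" and "&") keeps the output valid JSON that
// decodes to the same value.
function serializeServerVars(vars) {
  return JSON.stringify(vars)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// Server side: what the template's {{{ . }}} slot should receive.
function renderServerVarsTag(vars) {
  return '<script class="server-vars" type="application/x-configuration">' +
    serializeServerVars(vars) +
    '</script>';
}

// Client side, as in the README's reader. `element` is any object with a
// textContent string, so the function can be exercised outside a browser;
// a real <script> element's textContent is the raw text, so the \u escapes
// reach JSON.parse untouched.
function readServerVars(element) {
  if (!element) return null;
  return JSON.parse(element.textContent);
}

// Constructed sample containing a closing tag inside a string value.
var sample = { user: 'alice', note: 'contains </script> in the middle' };
var tag = renderServerVarsTag(sample);

console.log(tag);
console.log(readServerVars({ textContent: serializeServerVars(sample) }));
```

The check that matters is that the rendered markup contains exactly one "</script>", the real closing tag, and that the round trip through JSON.parse yields the original value unchanged.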
For Twitter, you'll also need this meta tag (see https://dev.twitter.com/web/embedded-tweets/faq):
```html
<meta name="twitter:widgets:csp" content="on">
```
Easily build a Content Security Policy (CSP) by specifying APIs by name
The npm package csp-by-api receives a total of 42 weekly downloads. As such, csp-by-api popularity was classified as not popular.
We found that csp-by-api demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.