Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
csp-by-app
Manage Content Security Policy (CSP) by specifying third party APIs by name
Readme
CSP By App significantly cuts down on CSP policy management by specifying common third party APIs by name.
It doesn't implement CSP in node. It just significantly cuts down on the amount of CSP policy you have to write and maintain for your app. For example:
```js
var cspByApp = require('csp-by-app')

// CSP_SELF and CSP_UNSAFE_INLINE are not defined by this snippet; they are
// assumed here to be the quoted CSP keyword sources:
var CSP_SELF = "'self'"
var CSP_UNSAFE_INLINE = "'unsafe-inline'"

// Your own base policy: what the app needs before any third party API is added
var basePolicy = {
  defaultSrc: [CSP_SELF],
  scriptSrc: [CSP_SELF],
  styleSrc: [CSP_SELF, CSP_UNSAFE_INLINE],
  fontSrc: [],
  imgSrc: [CSP_SELF, 'data:'],
  connectSrc: [CSP_SELF],
  frameSrc: [],
  reportUri: "/csp-violation",
  reportOnly: true
}

// Merge in the policies for the named third party APIs
var policy = cspByApp(basePolicy, ['twitter', 'mixpanel', 'googleFonts', 'stripe', 'typekit', 'ractive'])
```
Then use that policy with an existing node CSP implementation like Helmet or express-csp.
For example, using Express and Helmet:
```js
var express = require('express');
var helmet = require('helmet');
var app = express();

// `policy` is the merged policy produced by cspByApp above
app.use(helmet.contentSecurityPolicy(policy));
```
This package itself knows the required CSP policies for:
- twitter: Twitter oembed API
- mixpanel: Mixpanel
- googleFonts: Google Fonts
- stripe: Stripe
- ractive: Ractive
- typekit: Typekit

Official policies are used wherever they're made available, and all are tested in a production app.
Add more policies! Send a pull request to add more policies. Include a reference to an official policy if it exists, or state that there is no official policy if none exists.
Some of these are just general notes about CSP, but you'll still find them useful.
script-src unsafe-inline: You will likely need to move the content of inline scripts (<script> tags without a src) to a separate <script src=""> tag that loads the script from your server.
To include server variables in the browser without using inline JavaScript, make a non-executable <script>
tag, eg:
In your server-side template:
```html
{{# serverVars }}
<script class="server-vars" type="application/x-configuration">
{{{ . }}}
</script>
{{/ serverVars }}
```
Then, in a script served from your server (not an inline one):
```js
// The tag above has a non-executable type, so the browser never runs it;
// read its text and parse it instead.
var serverVarsElement = document.getElementsByClassName('server-vars')[0]
if ( serverVarsElement ) {
  window.serverVars = JSON.parse(serverVarsElement.textContent);
}
```
For Twitter, you'll also need this meta tag - see https://dev.twitter.com/web/embedded-tweets/faq:
<meta name="twitter:widgets:csp" content="on">
simple-csp currently produces a merged, sorted, non-redundant policy.
It would be clever to merge eg 'example.com' and '*.example.com' intelligently.
However all CSP options for apps already use explicit domains.
FAQs
Manage Content Security Policy (CSP) by specifying third party APIs by name
The npm package csp-by-app receives a total of 4 weekly downloads. As such, csp-by-app popularity was classified as not popular.
We found that csp-by-app demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.