csp-header
csp-header - npm Package Compare versions

Comparing version 1.0.1 to 1.1.0

4

index.js

@@ -74,3 +74,5 @@ 'use strict';

if (params.presets) {
params.presets.forEach(preset => {
// Object.keys also works with array keys
Object.keys(params.presets).forEach(key => {
const preset = params.presets[key];
let presetPolicies;
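Review bot: the new `Object.keys(params.presets).forEach(...)` loop never checks the shape of `params.presets` before iterating it. `Object.keys` on a string returns that string's character indices (and on a number or boolean an empty array), so a caller who passes a single preset name as a bare string, e.g. `presets: 'my-super-service'`, would silently get one-character "presets" instead of an error, while the `if (params.presets)` guard only screens out falsy values. Suggest an explicit type check before the loop, for example `if (typeof params.presets !== 'object') { throw new TypeError('presets must be an array or an object'); }`. The `// Object.keys also works with array keys` comment is correct, but it would read better if it said that the array form yields string indices (`'0'`, `'1'`, ...) that are used only to look each preset up via `params.presets[key]`.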

@@ -77,0 +79,0 @@

{
"name": "csp-header",
"version": "1.0.1",
"version": "1.1.0",
"description": "Content-Security-Policy header generator",

@@ -5,0 +5,0 @@ "main": "index.js",

@@ -8,16 +8,16 @@ # csp-header

csp({
policies: {
'script-src': [
csp.SELF,
csp.INLINE,
csp.EVAL,
csp.nonce('gg3g43#$g32gqewgaAEGeag2@#GFQ#g=='),
'example.com'
],
'style-src': [
csp.SELF,
'mystyle.net'
]
}
'report-uri': 'https://cspreport.com/send'
policies: {
'script-src': [
csp.SELF,
csp.INLINE,
csp.EVAL,
csp.nonce('gg3g43#$g32gqewgaAEGeag2@#GFQ#g=='),
'example.com'
],
'style-src': [
csp.SELF,
'mystyle.net'
]
}
'report-uri': 'https://cspreport.com/send'
});
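Review bot: the README example in this hunk is not valid JavaScript in either the old or the new text: the `}` that closes the `policies` object is followed directly by `'report-uri': 'https://cspreport.com/send'` with no comma between the two properties, so anyone copying the snippet gets a syntax error. Suggest `},` before `'report-uri'`. A documentation point on the same lines: the first example a reader sees puts `csp.INLINE` and `csp.EVAL` (presumably `'unsafe-inline'` and `'unsafe-eval'`) into `script-src` next to a nonce; browsers that support nonces ignore `'unsafe-inline'` once a nonce is present, and `'unsafe-eval'` removes most of the protection a CSP gives, so the lead example would be more useful as a minimal `csp.SELF` plus nonce policy, with the unsafe keywords shown separately and their effect stated.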

@@ -28,27 +28,64 @@

## Extending
If you want to extend your config by some rules:
## Params
```js
const myCSPPolicies = require('./my-csp-rules');
csp({
policies: myCSPPolicies,
extend: {
'connect-src': ['test.com']
}
});
{
policies: { [key: string]: string[] },
presets: policies[] | { [key: string]: policies }
'report-uri': string,
extend: policies // DEPRECATED use presets instead
}
```
## Presets
You can use csp presets prefixed by 'csp-preset'. If you have a web-service it would be great if you write preset with rules for your service users.
It's a good idea to group your csp rules into presets. `csp-header` supports two way of using presets.
It can be specified as an array of policies:
```js
{
presets: [ cspRulesForSomeServiceAPI, cspRulesForMyStaticCDN, someOtherCSPRules ]
}
```
E.g. your service is called ``my-super-service.com``. You publish preset ``csp-preset-my-super-service`` containing following code:
or as a keyed object:
```js
{
presets: {
api: cspRulesForSomeServiceAPI,
statics: cspRulesForMyStaticCDN,
youtubeVideos: cspRulesForYouTube
}
}
```
The second way allows you to overwrite presets by conditions:
```js
const cspRules = require('./config/csp');
if (NODE_ENV === 'development') {
cspRules.presets.statics = ['self'];
}
```
Also you can use presets from npm prefixed by `csp-preset` as strings:
```js
{
presets: {
superPuperService: 'super-puper-service' // takes node_modules/csp-preset-super-puper-service
}
}
```
## Preset format
If you have a web-service feel free to publish preset of rules for using your service. For example your service is ``my-super-service.com``. Just publish preset ``csp-preset-my-super-service`` containing following code:
```js
modules.exports = {
'script-src': ['api.my-super-service.com'],
'img-src': ['images.my-super-service.com']
'script-src': ['api.my-super-service.com'],
'img-src': ['images.my-super-service.com']
};
```
Then someone wants to configure its CSP to work with your service. And now it's so easy:
And you will get a lot of thanks ;)
## Extend 🔥 DEPRECATED! use `presets` instead 🔥
If you want to extend your config by some rules:
```js
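Review bot: the "Preset format" example uses `modules.exports = { ... }`; that should be `module.exports`, otherwise the published preset throws `ReferenceError: modules is not defined` as soon as it is required. Two smaller points in the same hunk: in the `## Params` block the `presets:` line is missing the trailing comma that every other entry has before `'report-uri': string`, and the development override `cspRules.presets.statics = ['self']` uses a bare string where the other examples use `csp.SELF`; unless the library quotes known keywords itself, that line emits `self` as a host name rather than the `'self'` keyword, so either use `csp.SELF` there or state in the text that plain keyword strings are quoted automatically.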

@@ -58,7 +95,7 @@ const myCSPPolicies = require('./my-csp-rules');

csp({
policies: myCSPPolicies,
presets: ['my-super-service']
policies: myCSPPolicies,
extend: {
'connect-src': ['test.com']
}
});
```
And you will get a lot of thanks ;)

@@ -75,2 +75,12 @@ import test from 'ava';

test('Presets | object', t => {
const actual = csp({
presets: {
test: require('./fixtures/presets/csp-preset-test')
}
});
t.is(actual, 'script-src test.com; style-src test.com;');
});
test('Presets | resolve', t => {
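Review bot: the new `Presets | object` test exercises only the keyed-object form of `presets`, while the index.js change in this version also iterates the array form via `Object.keys` and the README documents string entries that resolve to `csp-preset-*` packages. Suggest adding a case for `presets: [require('./fixtures/presets/csp-preset-test')]` and one for a string entry, both asserting the same `'script-src test.com; style-src test.com;'` output, plus one that sets the same directive in both `policies` and a preset, since neither the README nor this test states whether the values merge or the preset replaces the policy.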

@@ -77,0 +87,0 @@ t.is(csp.resolvePreset('csp-preset-test'), 'csp-preset-test');
