Content-Security-Policy header generator for Node.js.
Install
npm install --save csp-header
Usage
const { getCSP, nonce, EVAL, INLINE, SELF } = require('csp-header');
getCSP({
directives: {
'script-src': [
SELF,
INLINE,
EVAL,
nonce('gg3g43#$g32gqewgaAEGeag2@#GFQ#g=='),
'example.com'
],
'style-src': [
SELF,
'mystyle.net'
]
},
reportUri: 'https://cspreport.com/send'
});
Params
{
directives: { [key: string]: string[] },
presets: policies[] | { [key: string]: policies },
reportUri: string,
extend: policies
}
CSP violation report
There are two ways to send CSP violation report. The first is a report-uri directive. Though it's supported by this library, it's deprecated and should be used only for old browsers. The modern way is a report-to directive. Note that csp-header
only build a Content-Security-Policy
header, so you have to manage Report-To
header on your own. But if you use Express, there's an express-csp-header middleware that takes care about it.
const { getCSP, nonce, EVAL, INLINE, SELF } = require('csp-header');
getCSP({
directives: {
'script-src': [SELF],
'report-to': 'my-report-group'
},
reportUri: 'https://cspreport.com/send'
});
Presets
It's a good idea to group your csp rules into presets. csp-header
supports two ways of specifying presets. As an array of policies:
{
presets: [ cspRulesForSomeServiceAPI, cspRulesForMyStaticCDN, someOtherCSPRules ]
}
or as a map of presets:
{
presets: {
api: cspRulesForSomeServiceAPI,
statics: cspRulesForMyStaticCDN,
youtubeVideos: cspRulesForYouTube
}
}
Preset format
If you have a web-service feel free to publish preset of rules for using your service. For example, your service is my-super-service.com
. Just publish preset csp-preset-my-super-service
containing following code:
modules.exports = {
'script-src': ['api.my-super-service.com'],
'img-src': ['images.my-super-service.com']
};
And you'll get a lot of thanks ;)
Links