You're Invited:Meet the Socket Team at BlackHat and DEF CON in Las Vegas, Aug 4-6.RSVP
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

csp-helper

Package Overview
Dependencies
Maintainers
1
Versions
13
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

csp-helper

Helpers for managing Content Security Policy (CSP)

0.10.0
latest
Source
npmnpm
Version published
Weekly downloads
16
-30.43%
Maintainers
1
Weekly downloads
 
Created
Source

csp-helper

github check npm coverage license

Helpers for creating Content Security Policy (CSP) headers.

  • Zero dependencies
  • Build with TypeScript
  • Merging multiple CSP configurations
  • Providing preset CSP configurations for:
    • Datadog
    • Google Ads
    • Google Analytics 4
    • Google Fonts
    • Google Identity
    • Google Tag Manager
    • Hotjar
    • Infogram
    • Podscribe
    • Reddit
    • TikTok
    • Vimeo
    • X
    • Youtube
    • ... and more

Installation

npm install csp-helper

Usage

createCspHeader

Create a CSP header string from a CSP configuration object.

import {
  CSP_PRESET_DATADOG_INTAKE_URLS,
  CSP_PRESET_DATADOG_WEB_WORKER,
  CSP_PRESET_GOOGLE_ANALYTICS_4,
  CSP_PRESET_GOOGLE_TAG_MANAGER_UNSAFE_INLINE,
  CSP_PRESET_HOTJAR,
  createCspHeader,
} from 'csp-helper';

const cspHeader = createCspHeader(
  {
    'default-src': `'self'`,
    'script-src': `'self' https://example.com`,
    'style-src': `'self' https://example.com`,
  },
  {
    includeHeaderName: true,
    presets: [
      CSP_PRESET_DATADOG_INTAKE_URLS,
      CSP_PRESET_DATADOG_WEB_WORKER,
      CSP_PRESET_GOOGLE_ANALYTICS_4,
      CSP_PRESET_GOOGLE_TAG_MANAGER_UNSAFE_INLINE,
      CSP_PRESET_HOTJAR,
    ],
  },
);

console.log(cspHeader);

mergeCspConfigs

Merge multiple CSP configurations into one.

  • Same values will be automatically deduplicated.
  • Presets could also be used for merging.
import {
  CSP_PRESET_GOOGLE_ANALYTICS_4,
  CSP_PRESET_GOOGLE_TAG_MANAGER_UNSAFE_INLINE,
  mergeCspConfigs,
} from 'csp-helper';

const cspConfig = mergeCspConfigs([
  {
    'default-src': `'self'`,
    'script-src': `'self' https://example.com`,
    'style-src': `'self' https://example.com`,
  },
  {
    'script-src': `'self' https://example.com https://example2.com`,
    'style-src': `'self' https://example.com https://example2.com`,
  },
  CSP_PRESET_GOOGLE_ANALYTICS_4,
  CSP_PRESET_GOOGLE_TAG_MANAGER_UNSAFE_INLINE,
]);

console.log(cspConfig);

License

MIT © meteorlxy & Contributors

Keywords

content-security-policy
csp
datadog
google-ads
google-analytics
google-identity

FAQs

Package last updated on 10 Jun 2025

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

AI + a16z Podcast: Vibe Coding, Security Risks, and the Path to Progress

Application Security

/

Security News

AI + a16z Podcast: Vibe Coding, Security Risks, and the Path to Progress

Socket CEO Feross Aboukhadijeh and a16z partner Joel de la Garza discuss vibe coding, AI-driven software development, and how the rise of LLMs, despite their risks, still points toward a more secure and innovative future.

By Sarah Gooding  -  Jul 25, 2025