express-csp-header - npm Package Compare versions

Comparing version 0.1.0 to 1.0.0

15

index.js
var cspHeader = require('csp-header');
var crypto = require('crypto');
var parseDomain = require('parse-domain');
var CSP_HEADER_NAME = 'Content-Security-Policy';
var CSP_REPORT_ONLY = '-Report-Only';
function expressCsp(policies, reportUri){
function expressCsp(params){
var policies,
reportUri,
reportOnly;
params = params || {};
policies = params.policies;
reportUri = params.reportUri;
reportOnly = Boolean(params.reportOnly);
return function(req, res, next){

@@ -24,3 +35,3 @@ var cspString = cspHeader({

}
res.set('Content-Security-Policy', cspString);
res.set(CSP_HEADER_NAME + (reportOnly ? CSP_REPORT_ONLY : ''), cspString);
next();

@@ -27,0 +38,0 @@ }
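Review bot: `policies = params.policies;` takes the value without checking that it exists, so a caller still using the 0.1.0 positional form `expressCsp({ 'script-src': [...] })` ends up with `params.policies === undefined` and the middleware carries on instead of failing loudly; for a security header, a silent no-op is the wrong failure mode for a breaking signature change. A guard right after the assignments would make the migration error visible: `if (!policies || typeof policies !== 'object') { throw new TypeError('express-csp-header: params.policies is required'); }`, and the same kind of check for `reportUri` being neither a string nor a function. What `cspHeader()` does with an undefined map is not visible here, so whether this currently surfaces as an exception or an empty header cannot be confirmed from the hunk. The returned `function(req, res, next)` continues outside the hunk.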

2

package.json
{
"name": "express-csp-header",
"version": "0.1.0",
"version": "1.0.0",
"description": "Content-Security-Policy middleware for Express",

@@ -5,0 +5,0 @@ "main": "index.js",

@@ -8,6 +8,8 @@ # Content-Security-Policy middleware for Express

app.use(csp({
'default-src': [ csp.SELF ],
'script-src': [ csp.SELF, csp.INLINE, 'somehost.com' ],
'style-src': [ csp.SELF, 'mystyles.net' ],
'img-src': [ 'data:', 'images.com' ]
policies: {
'default-src': [ csp.SELF ],
'script-src': [ csp.SELF, csp.INLINE, 'somehost.com' ],
'style-src': [ csp.SELF, 'mystyles.net' ],
'img-src': [ 'data:', 'images.com' ]
}
}));

@@ -24,3 +26,5 @@

app.use(csp({
'script-src': [ csp.NONCE ]
policies: {
'script-src': [ csp.NONCE ]
}
}));

@@ -40,3 +44,5 @@ // express will send header with a random nonce key "Content-Security-Policy: script-src 'nonce-pSQ9TwXOMI+HezKshnuRaw==';"

app.use(csp({
'script-src': [ `mystatic.${CSP.TLD}` ]
policies: {
'script-src': [ `mystatic.${CSP.TLD}` ]
}
}));

@@ -48,2 +54,16 @@ // for myhost.com it will send: "Content-Security-Policy: script-src mystatic.com;"

### Content-Security-Policy-Report-Only mode
To switch on Report-Only mode just specify `reportOnly` param:
```js
app.use(csp({
policies: {
'script-src': [ CSP.SELF ]
},
reportOnly: true
}));
// it will send: "Content-Security-Policy-Report-Only: script-src 'self';"
```
### report-uri parameter

@@ -55,4 +75,7 @@

app.use(csp({
'script-src': [ csp.SELF ]
}, 'https://cspreport.com/send'));
policies: {
'script-src': [ csp.SELF ]
},
reportUri: 'https://cspreport.com/send'
}));
// express will send header with a random nonce key "Content-Security-Policy: script-src 'self'; report-uri https://cspreport.com/send;"

@@ -65,5 +88,8 @@ ```

app.use(csp({
'script-src': [ csp.SELF ]
}, function(req, res){
return 'https://cspreport.com/send?time=' + Number(new Date());
policies: {
'script-src': [ csp.SELF ]
},
reportUri: function(req, res){
return 'https://cspreport.com/send?time=' + Number(new Date());
}
}));

@@ -74,3 +100,9 @@ // express will send header with a random nonce key "Content-Security-Policy: script-src 'self'; report-uri https://cspreport.com/send?time=1460467355592;"

### Release notes:
#### v1.0.0:
* All arguments combined into single ``params`` argument
* Added boolean param ``reportOnly`` that switches on Content-Security-Policy-Report-Only mode
#### v0.1.0:
* Dynamic tld (thanks to [@msmirnov](https://github.com/msmirnov))

@@ -20,4 +20,6 @@ var should = require('should'),

var actual = mockApp.use(expressCsp({
'script-src': [ expressCsp.SELF, 'myhost.com' ],
'style-src': [ expressCsp.SELF, expressCsp.INLINE ]
policies: {
'script-src': [ expressCsp.SELF, 'myhost.com' ],
'style-src': [ expressCsp.SELF, expressCsp.INLINE ]
}
}));

@@ -29,4 +31,6 @@ actual.res.headers['Content-Security-Policy'].should.be.equal('script-src \'self\' myhost.com; style-src \'self\' \'unsafe-inline\';');

var actual = mockApp.use(expressCsp({
'script-src': [ expressCsp.NONCE ]
}));
policies: {
'script-src': [ expressCsp.NONCE ]
}
}));

@@ -39,4 +43,5 @@ /^script\-src \'nonce\-.+\'\;/.test(actual.res.headers['Content-Security-Policy']).should.be.ok();

var actual = mockApp.use(expressCsp({
'script-src': [ expressCsp.SELF ]
}, 'https://cspreport.com'));
policies: { 'script-src': [ expressCsp.SELF ] },
reportUri: 'https://cspreport.com'
}));

@@ -48,5 +53,8 @@ /report\-uri https\:\/\/cspreport\.com\;$/.test(actual.res.headers['Content-Security-Policy']).should.be.ok();

var actual = mockApp.use(expressCsp({
'script-src': [ expressCsp.SELF ]
}, function(req, res){
return 'https://cspreport.com/send?time=' + Number(new Date());
policies: {
'script-src': [ expressCsp.SELF ]
},
reportUri: function(req, res){
return 'https://cspreport.com/send?time=' + Number(new Date());
}
}));

@@ -59,3 +67,5 @@

var actual = mockApp.use(expressCsp({
'script-src': [ 'myhost.' + expressCsp.TLD ]
policies: {
'script-src': [ 'myhost.' + expressCsp.TLD ]
}
}), {

@@ -70,3 +80,5 @@ hostname: 'example.com'

var actual = mockApp.use(expressCsp({
'script-src': [ 'myhost.' + expressCsp.TLD ]
policies: {
'script-src': [ 'myhost.' + expressCsp.TLD ]
}
}), {

@@ -78,7 +90,13 @@ hostname: 'localhost'

});
});
console.log(mockApp.use(expressCsp({
'script-src': [ expressCsp.NONCE ],
'style-src': [ expressCsp.NONCE ]
})).res.headers);
it('should supports Report-Only mode', function(){
var actual = mockApp.use(expressCsp({
policies: {
'script-src': [ 'myhost.com' ]
},
reportOnly: true
}));
actual.res.headers['Content-Security-Policy-Report-Only'].should.be.equal('script-src myhost.com;');
});
});
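Review bot: The new `should supports Report-Only mode` test asserts only that `Content-Security-Policy-Report-Only` is set; it never asserts that the enforcing `Content-Security-Policy` header is absent, which is the property that distinguishes report-only from enforcement and the one a regression would most likely break. Adding `should.not.exist(actual.res.headers['Content-Security-Policy']);` after the existing assertion pins that (`should` is already required per the hunk context). As a point of style, the test name reads better as `'should support Report-Only mode'`.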