Content-Security-Policy middleware for Express
Usage
var csp = require('express-csp-header');

app.use(csp({
    policies: {
        'default-src': [ csp.SELF ],
        'script-src': [ csp.SELF, csp.INLINE, 'somehost.com' ],
        'style-src': [ csp.SELF, 'mystyles.net' ],
        'img-src': [ 'data:', 'images.com' ],
        'worker-src': [ csp.NONE ],
        'block-all-mixed-content': true
    }
}));
nonce parameter
If you want to use the nonce parameter, use the NONCE constant. The nonce key is generated automatically, and the generated nonce is also stored in req.nonce:

app.use(csp({
    policies: {
        'script-src': [ csp.NONCE ]
    }
}));

app.use(function(req, res){
    console.log(req.nonce);
});
Auto tld
If you serve more than one TLD, you may want to keep the current TLD in your security policy. You can do this by replacing the TLD with the TLD constant:

app.use(csp({
    policies: {
        'script-src': [ `mystatic.${csp.TLD}` ]
    }
}));
Policy extending
Sometimes you need to extend existing policies. You can do it with the extend param:

var defaultPolicies = {
    'script-src': [ 'mydefaulthost.com' ]
};

app.use(csp({
    policies: defaultPolicies,
    extend: {
        'script-src': [ 'myadditionalhost.com' ],
        'style-src': [ 'mystyles.com' ]
    }
}));
Presets
Your policies can also be extended by presets. Presets are npm modules containing CSP rules, prefixed by csp-preset. Example of a preset:

module.exports = {
    'connect-src': ['my-super-service.com'],
    'style-src': ['my-super-service.com']
};

Presets can be easily applied to existing CSP rules with the presets property:

app.use(csp({
    policies: myCSPPolicies,
    presets: ['yandex-metrika', 'google-analytics']
}));
Content-Security-Policy-Report-Only mode
To switch on Report-Only mode, just specify the reportOnly param:

app.use(csp({
    policies: {
        'script-src': [ csp.SELF ]
    },
    reportOnly: true
}));
report-uri parameter
If you want to specify the report-uri param, pass it as reportUri:

app.use(csp({
    policies: {
        'script-src': [ csp.SELF ]
    },
    reportUri: 'https://cspreport.com/send'
}));

If you want to pass some params to the report URI, pass a function instead of a string:

app.use(csp({
    policies: {
        'script-src': [ csp.SELF ]
    },
    reportUri: function(req, res){
        return 'https://cspreport.com/send?time=' + Number(new Date());
    }
}));