Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
helmet-csp
Advanced tools
The Content-Security-Policy
header mitigates a large number of attacks, such as [cross-site scripting][XSS]. See MDN's introductory article on Content Security Policy.
This header is powerful but likely requires some configuration for your specific app.
To configure this header, pass an object with a nested directives
object. Each key is a directive name in camel case (such as defaultSrc
) or kebab case (such as default-src
). Each value is an array (or other iterable) of strings or functions for that directive. If a function appears in the array, it will be called with the request and response objects.
const contentSecurityPolicy = require("helmet-csp");
// Sets all of the defaults, but overrides `script-src`
// and disables the default `style-src`.
app.use(
contentSecurityPolicy({
directives: {
"script-src": ["'self'", "example.com"],
"style-src": null,
},
}),
);
// Sets the `script-src` directive to
// "'self' 'nonce-e33cc...'"
// (or similar)
app.use((req, res, next) => {
res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
next();
});
app.use(
contentSecurityPolicy({
directives: {
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
},
}),
);
These directives are merged into a default policy, which you can disable by setting useDefaults
to false
.
// Sets "Content-Security-Policy: default-src 'self';
// script-src 'self' example.com;object-src 'none';
// upgrade-insecure-requests"
app.use(
contentSecurityPolicy({
useDefaults: false,
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
},
}),
);
You can get the default directives object with contentSecurityPolicy.getDefaultDirectives()
. Here is the default policy (formatted for readability):
default-src 'self';
base-uri 'self';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
The default-src
directive can be explicitly disabled by setting its value to contentSecurityPolicy.dangerouslyDisableDefaultSrc
, but this is not recommended.
You can set the Content-Security-Policy-Report-Only
instead:
// Sets the Content-Security-Policy-Report-Only header
app.use(
contentSecurityPolicy({
directives: {
/* ... */
},
reportOnly: true,
}),
);
This module performs very little validation on your CSP. You should rely on CSP checkers like CSP Evaluator instead.
4.0.0 - 2020-08-02
See the Helmet 4 upgrade guide for help upgrading from Helmet 3.
helmet.contentSecurityPolicy
:
default-src
directive is supplied, an error is thrownhelmet.contentSecurityPolicy
:
helmet.xssFilter
now disables the buggy XSS filter by default. See #230helmet.featurePolicy
. If you still need it, use the feature-policy
package on npm.helmet.hpkp
. If you still need it, use the hpkp
package on npm.helmet.noCache
. If you still need it, use the nocache
package on npm.helmet.contentSecurityPolicy
:
browserSniff
and disableAndroid
parameters). See helmetjs/csp#97reportOnly
. Read this if you need help.setAllHeaders
parameter). Read this if you need help.loose
optionhelmet.frameguard
:
ALLOW-FROM
action. Read more here.helmet.hidePoweredBy
no longer accepts arguments. See this article to see how to replicate the removed behavior. See #224.helmet.hsts
:
includeSubdomains
with a lowercase D. See #231setIf
. Read this if you need help. See #232helmet.xssFilter
no longer accepts options. Read "How to disable blocking with X-XSS-Protection" and "How to enable the report
directive with X-XSS-Protection" if you need the legacy behavior.FAQs
Content Security Policy middleware
The npm package helmet-csp receives a total of 290,163 weekly downloads. As such, helmet-csp popularity was classified as popular.
We found that helmet-csp demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.