helmet-csp - npm Package Compare versions

Comparing version 1.0.1 to 1.0.2


index.js

@@ -45,3 +45,3 @@ var camelize = require('camelize')

if (directivesAreDynamic) {
directives = parseDynamicDirectives(directives, [req])
directives = parseDynamicDirectives(directives, [req, res])
}

@@ -48,0 +48,0 @@
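Review bot: The new `parseDynamicDirectives(directives, [req, res])` call on the changed line widens the arguments handed to user-supplied directive functions without any comment saying why. Since the README hunk on this page has those functions read `res.locals.nonce`, a one-line comment above the `if (directivesAreDynamic)` block would spare the next reader a trip to the docs, e.g. `// directive functions receive (req, res) so per-response values such as res.locals can be read`. Presumably `res.locals` is only populated by Express; if plain connect/http apps are still meant to work, that limitation is worth stating in the same comment. The enclosing function starts and ends outside the hunk.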

@@ -8,3 +8,3 @@ {

"description": "Content Security Policy middleware.",
"version": "1.0.1",
"version": "1.0.2",
"license": "MIT",

@@ -40,4 +40,4 @@ "keywords": [

"devDependencies": {
"connect": "^3.3.5",
"content-security-policy-parser": "^0.1.0",
"express": "^4.13.3",
"lodash": "^3.7.0",

@@ -44,0 +44,0 @@ "mocha": "^2.3.4",

@@ -6,2 +6,4 @@ Content Security Policy middleware

[_Looking for a changelog?_](https://github.com/helmetjs/helmet/blob/master/HISTORY.md)
Content Security Policy helps prevent unwanted content being injected into your webpages; this can mitigate XSS vulnerabilities, unintended frames, malicious frames, and more. If you want to learn how CSP works, check out the fantastic [HTML5 Rocks guide](http://www.html5rocks.com/en/tutorials/security/content-security-policy/), the [Content Security Policy Reference](http://content-security-policy.com/), and the [Content Security Policy specification](http://www.w3.org/TR/CSP/). This module helps set Content Security Policies.

@@ -75,3 +77,3 @@

app.use(function (req, res, next) {
req.locals.nonce = uuid.v4()
res.locals.nonce = uuid.v4()
next()

@@ -81,13 +83,15 @@ })

app.use(csp({
scriptSrc: [
"'self'",
function (req) {
return "'nonce-" + req.locals.nonce + "'" // 'nonce-614d9122-d5b0-4760-aecf-3a5d17cf0ac9'
}
]
directives: {
scriptSrc: [
"'self'",
function (req, res) {
return "'nonce-" + res.locals.nonce + "'" // 'nonce-614d9122-d5b0-4760-aecf-3a5d17cf0ac9'
}
]
}
}))
app.use(function (req, res) {
res.end('<script nonce="' + req.nonce + '">alert(1 + 1);</script>')
res.end('<script nonce="' + res.locals.nonce + '">alert(1 + 1);</script>')
})
```

@@ -5,3 +5,3 @@ var csp = require('..')

var parseCsp = require('content-security-policy-parser')
var connect = require('connect')
var express = require('express')
var request = require('supertest')

@@ -14,4 +14,4 @@ var assert = require('assert')

'script-src': ['scripts.biz'],
styleSrc: ['styles.biz', function (req) {
return req.nonce
styleSrc: ['styles.biz', function (req, res) {
return res.locals.nonce
}],

@@ -32,5 +32,5 @@ objectSrc: [],

function use (options) {
var result = connect()
var result = express()
result.use(function (req, res, next) {
req.nonce = 'abc123'
res.locals.nonce = 'abc123'
next()

@@ -37,0 +37,0 @@ })
