Expanded config for more options

csp-policy.yml

@@ -5,24 +5,28 @@
 #      script-src 'self' example.com;object-src 'none';
 #      upgrade-insecure-requests"
 # Note: embedded single quotes are required
-default-src: [ "'self'" ]
+xFrameOptions: SAMEORIGIN
-base-uri: [ "'self'" ]
+contentSecurityPolicy:
-font-src:
+  useDefaults: false
-  - "'self'"
+  directives:
-  - "https:"
+    default-src: [ "'self'" ]
-  - "data:"
+    base-uri: [ "'self'" ]
-form-action: [ "'self'" ]
+    font-src:
-frame-ancestors: [ "'self'" ]
+      - "'self'"
-img-src:
+      - "https:"
-  - "'self'"
+      - "data:"
-  - "data:"
+    form-action: [ "'self'" ]
-object-src: [ "'none'" ]
+    frame-ancestors: [ "'self'" ]
-script-src: 
+    img-src:
-  - "'self'" 
+      - "'self'"
-  - example.com
+      - "data:"
-script-src-attr: [ "'none'" ]
+    object-src: [ "'none'" ]
-style-src:
+    script-src: 
-  - "'self'"
+      - "'self'" 
-  - "https:"
+      - example.com
-  - "'unsafe-inline'"
+    script-src-attr: [ "'none'" ]
-upgrade-insecure-requests: []
+    style-src:
+      - "'self'"
+      - "https:"
+      - "'unsafe-inline'"
+    upgrade-insecure-requests: []

index.cjs

@@ -7,11 +7,5 @@ module.exports = (path) => {
   const csppolicy = fs.readFileSync(path, 'utf8')
   const csp = YAML.parse(csppolicy)
 
-  return helmet({
+  return helmet(csp)
-    contentSecurityPolicy: {
-      useDefaults: false,
-      directives: csp,
-    },
-    xFrameOptions: 'SAMEORIGIN',
-  })
 }

test/index.test.js

@@ -19,8 +19,10 @@ describe('Rapid configurable Content Security Policy middleware', () => {
     fs.writeFileSync(
       customPolicyPath,
       `
-default-src: ["'self'"]
+contentSecurityPolicy:
-script-src: ["'self'", "https://cdn.example.com"]
+  directives:
+    default-src: ["'self'"]
+    script-src: ["'self'", "https://cdn.example.com"]
     `,
     )
   })