# express-csp

**Rapid, configurable Content Security Policy middleware for Express**, powered by [Helmet](https://helmetjs.github.io/) and simple YAML configuration.

---

## Features

- Secure defaults with CSP via `helmet`
- Configuration in clean, readable YAML
- Easily swappable policies per environment
- Fully tested with Jest & Supertest

---

## Installation

```bash
npm install helmet yaml
npm install --save-dev jest supertest
```

## Usage

```js
const express = require('express')
const csp = require('express-csp')

const app = express()
const policyPath = './csp-policy.yml'

app.use(csp(policyPath))

app.get('/', (req, res) => res.send('Secure by CSP!'))
app.listen(3000)
```

## Sample Policy

```yaml
default-src: ["'self'"]
script-src:
  - "'self'"
  - example.com
style-src:
  - "'self'"
  - "https:"
  - "'unsafe-inline'"
img-src:
  - "'self'"
  - "data:"
object-src: ["'none'"]
upgrade-insecure-requests: []
```

## License

ISC License

---

## Contributing

PRs welcome! For bugs or suggestions, open an issue.
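The following is an added example, not code from the express-csp package, showing what a middleware like `csp(policyPath)` has to do with the sample policy above: turn the YAML directives into a `Content-Security-Policy` header value and sanity-check them before serving. It uses only Node built-ins; the tiny parser handles just the YAML subset used in the sample (top-level keys with inline arrays or `- ` lists) and stands in for the `yaml` package, and `lintPolicy` is an assumed helper, not part of Helmet. A real implementation would hand the parsed directives to `helmet.contentSecurityPolicy({ directives })`.

```javascript
// Added example (not the express-csp package's code): YAML policy -> CSP header,
// plus a defender-side lint of the directives before they are served.
// The sample policy below is the one from the README, embedded inline.
const SAMPLE_POLICY_YAML = `
default-src: ["'self'"]
script-src:
  - "'self'"
  - example.com
style-src:
  - "'self'"
  - "https:"
  - "'unsafe-inline'"
img-src:
  - "'self'"
  - "data:"
object-src: ["'none'"]
upgrade-insecure-requests: []
`;

// Strip one layer of surrounding double quotes from a YAML scalar.
function unquote(s) {
  const t = s.trim();
  return t.startsWith('"') && t.endsWith('"') ? t.slice(1, -1) : t;
}

// Minimal parser for the README's YAML subset (assumption: stands in for the
// `yaml` package). Returns { directiveName: [source, ...] }.
function parsePolicy(text) {
  const policy = {};
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    if (line.startsWith('- ')) {
      if (!current) throw new Error(`list item outside a directive: ${line}`);
      policy[current].push(unquote(line.slice(2)));
      continue;
    }
    const idx = line.indexOf(':');
    if (idx < 0) throw new Error(`unparsable line: ${line}`);
    current = line.slice(0, idx).trim();
    const rest = line.slice(idx + 1).trim();
    if (rest.startsWith('[')) {
      // Inline array form, e.g. ["'self'"] or [] for a valueless directive.
      const inner = rest.slice(1, rest.lastIndexOf(']')).trim();
      policy[current] = inner ? inner.split(',').map(unquote) : [];
    } else {
      policy[current] = []; // values follow as "- " list items
    }
  }
  return policy;
}

// Serialize directives into the header value a CSP middleware would emit.
// Directives with no sources (upgrade-insecure-requests) appear bare.
function toHeaderValue(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Sanity check a middleware can run at load time: returns a list of findings
// (empty when the policy passes). Checks the fallbacks and the script-capable
// directives where 'unsafe-inline', 'unsafe-eval' or '*' weaken the policy.
function lintPolicy(policy) {
  const findings = [];
  if (!policy['default-src']) findings.push('missing default-src fallback');
  if (!policy['object-src']) findings.push('missing object-src (plugins fall back to default-src)');
  for (const dir of ['script-src', 'default-src']) {
    const src = policy[dir] || [];
    if (src.includes("'unsafe-inline'")) findings.push(`${dir} allows 'unsafe-inline'`);
    if (src.includes("'unsafe-eval'")) findings.push(`${dir} allows 'unsafe-eval'`);
    if (src.includes('*')) findings.push(`${dir} allows any origin (*)`);
  }
  return findings;
}

// Stand-alone run: parse the sample, lint it, and print the header value.
const samplePolicy = parsePolicy(SAMPLE_POLICY_YAML);
const sampleFindings = lintPolicy(samplePolicy);
if (sampleFindings.length) console.error('policy rejected:', sampleFindings);
else console.log('Content-Security-Policy:', toHeaderValue(samplePolicy));
```

With the sample policy, `lintPolicy` returns no findings (the `'unsafe-inline'` is confined to `style-src`) and the header reads `default-src 'self'; script-src 'self' example.com; ...; object-src 'none'; upgrade-insecure-requests`. A constructed policy that omits `default-src` and `object-src` or puts `'unsafe-inline'` in `script-src` is reported so the middleware can refuse it at startup rather than serve a weakened header.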