# express-csp
**Rapid, configurable Content Security Policy middleware for Express**, powered by [Helmet](https://helmetjs.github.io/) and simple YAML configuration.
---
## Features
- Secure defaults with CSP via `helmet`
- Configuration in clean, readable YAML
- Easily swappable policies per environment
- Fully tested with Jest & Supertest
---
## Installation
```bash
# Runtime dependencies: helmet (sets the CSP header) and yaml (the policy file format), as named in the Features section.
# Note: the Usage section loads the middleware with require('express-csp'); that package is not installed by these two commands.
npm install helmet yaml
# Test-only dependencies (the Features section mentions Jest & Supertest); not needed in production installs.
npm install --save-dev jest supertest
```
## Usage
```js
// Minimal Express app wiring the CSP middleware in front of its routes.
// Express runs middleware in registration order, so `csp(...)` is mounted
// before any route handler is declared.
const express = require('express');
const csp = require('express-csp');

// Location of the YAML policy file (see the "Sample Policy" section for its shape).
const policyPath = './csp-policy.yml';

const app = express();
app.use(csp(policyPath));

app.get('/', function rootHandler(req, res) {
  res.send('Secure by CSP!');
});

app.listen(3000);
```
## Sample Policy
```yaml
# Sample Content Security Policy. Each key is a CSP directive; each value is the
# list of sources that directive allows. Quote CSP keyword sources ('self',
# 'none', 'unsafe-inline') with single quotes inside double quotes so the quotes
# survive YAML parsing -- the browser requires them.

# Fallback for every fetch directive not listed below: same-origin only.
default-src: ["'self'"]

# Scripts: same origin plus scripts served from example.com.
script-src:
- "'self'"
- example.com

# Stylesheets: same origin, any https: host, and inline styles.
# NOTE(review): "'unsafe-inline'" lets any injected <style> block or style attribute
# apply, and "https:" admits every HTTPS origin; prefer nonces/hashes and named
# hosts where the application can do without inline CSS.
style-src:
- "'self'"
- "https:"
- "'unsafe-inline'"

# Images: same origin and data: URIs.
img-src:
- "'self'"
- "data:"

# Plugins (<object>, <embed>) are disabled entirely.
object-src: ["'none'"]

# Directive that takes no sources; an empty list is presumably how the loader
# expresses a value-less directive -- confirm against the middleware.
upgrade-insecure-requests: []
```
## License
ISC License
----
## Contributing
PRs welcome! For bugs or suggestions, open an issue.