helmet-csp

Content Security Policy middleware

MIT · 42 versions
Install
npm install helmet-csp
yarn add helmet-csp
pnpm add helmet-csp
bun add helmet-csp
README

Content Security Policy middleware

The Content-Security-Policy header mitigates a large number of attacks, such as cross-site scripting (XSS). See MDN's introductory article on Content Security Policy.

This header is powerful but likely requires some configuration for your specific app.

To configure this header, pass an object with a nested directives object. Each key is a directive name in camel case (such as defaultSrc) or kebab case (such as default-src). Each value is an array (or other iterable) of strings or functions for that directive. If a function appears in the array, it will be called with the request and response objects.

const crypto = require("crypto");
const contentSecurityPolicy = require("helmet-csp");

// `app` is an Express application (the result of `express()`).

// Sets all of the defaults, but overrides `script-src`
// and disables the default `style-src`.
app.use(
  contentSecurityPolicy({
    directives: {
      "script-src": ["'self'", "example.com"],
      "style-src": null,
    },
  }),
);

// Generates a fresh nonce for every request, then sets the
// `script-src` directive to "'self' 'nonce-e33cc...'" (or similar).
// The function value is called per request with (req, res), so the
// header always carries the nonce of the current response. Echo
// `res.locals.cspNonce` into the `nonce` attribute of every inline
// <script> the page is meant to allow; scripts without it are blocked.
app.use((req, res, next) => {
  res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
  next();
});
app.use(
  contentSecurityPolicy({
    directives: {
      scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
    },
  }),
);

These directives are merged into a default policy, which you can disable by setting useDefaults to false.

// Sets "Content-Security-Policy: default-src 'self';
// script-src 'self' example.com;object-src 'none';
// upgrade-insecure-requests"
app.use(
  contentSecurityPolicy({
    useDefaults: false,
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "example.com"],
      objectSrc: ["'none'"],
      upgradeInsecureRequests: [],
    },
  }),
);

You can get the default directives object with contentSecurityPolicy.getDefaultDirectives(). Here is the default policy (formatted for readability):

default-src 'self';
base-uri 'self';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests

The default-src directive can be explicitly disabled by setting its value to contentSecurityPolicy.dangerouslyDisableDefaultSrc, but this is not recommended.

You can set the Content-Security-Policy-Report-Only header instead. Violations are then reported but not blocked, which is useful for trying a policy against real traffic before enforcing it:

// Sets the Content-Security-Policy-Report-Only header
app.use(
  contentSecurityPolicy({
    directives: {
      /* ... */
    },
    reportOnly: true,
  }),
);

This module performs very little validation on your CSP: it will send a policy that is syntactically fine but weak, such as one with 'unsafe-inline' in script-src, exactly as you wrote it. Rely on a CSP checker like CSP Evaluator to review the resulting policy instead.

Version list
4.0.0 2024-06-01
3.4.0 2021-05-02
3.3.1 2020-12-27
3.3.0 2020-12-27
3.2.0 2020-11-01
3.1.0 2020-08-15
3.0.0 2020-08-02
2.10.0 2020-03-24
2.9.5 2020-02-23
2.9.4 2019-10-21
2.9.3 2019-10-01
2.9.2 2019-09-20
2.9.1 2019-09-04
2.9.0 2019-08-28
2.8.0 2019-07-24
2.7.1 2018-07-20
2.7.0 2018-01-23
2.6.0 2017-10-13
2.5.1 2017-07-28
2.5.0 2017-07-21
2.4.0 2017-03-06
2.3.0 2017-01-13
2.2.0 2016-12-22
2.1.0 2016-11-03
2.0.0 2016-10-28
1.2.2 2016-07-27
1.2.1 2016-06-10
1.2.0 2016-05-18
1.1.0 2016-02-29
1.0.3 2016-01-08
1.0.2 2016-01-03
1.0.1 2015-12-19
1.0.0 2015-12-19
0.3.0 2015-09-18
0.2.3 2015-04-22
0.2.2 2015-03-23
0.2.1 2015-02-13
0.2.0 2015-01-22
0.1.3 2014-12-08
0.1.2 2014-11-16
0.1.1 2014-11-09
0.1.0 2014-10-28