npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

express-csp-generator

v1.0.3

Published

Content-Security-Policy Generator, Running as an express middleware that integrates with RapidSec.

Downloads

28

Readme

Content Security Policy Generator, Powered by RapidSec

Content Security Policy (CSP) helps prevent unwanted content from being injected/loaded into your webpages. This can mitigate cross-site scripting (XSS) vulnerabilities, Clickjacking, Formjacking, malicious frames, unwanted trackers, client-side injected malware, and other web client-side attacks.

Getting started with CSP - create your report-uri and first CSP on RapidSec

Go to RapidSec and generate your first CSP. Choose a JSON export, that works with this specific express middleware. You could otherwise use the RapidSec Node.js MicroAgent which is even more automatic.

Install this package in your Express project

npm install express-csp-generator or yarn add express-csp-generator

Add the report-only policy that you generated on RapidSec to send violation data to the report-uri:

const contentSecurityPolicy = require("express-csp-generator");

app.use(
  contentSecurityPolicy({
    directives: {
      "frame-ancestors": ["'none'"],
      "block-all-mixed-content": [],
      "default-src": ["'none'"],
      "script-src": ["'self'", "'report-sample'"],
      "style-src": ["'self'", "'report-sample'"],
      "object-src": ["'none'"],
      "frame-src": ["'none'"],
      "child-src": ["'none'"],
      "img-src": ["'self'"],
      "font-src": ["'self'"],
      "connect-src": ["'none'"],
      "manifest-src": ["'none'"],
      "base-uri": ["'self'"],
      "form-action": ["'none'"],
      "media-src": ["'none'"],
      "prefetch-src": ["'none'"],
      "worker-src": ["'none'"],
      "report-uri": [
        "https://gate.rapidsec.net/YOUR_SPECIFIC_RAPIDSEC_ENDPOINT",
      ],
    },
    reportOnly: true,
  })
);

Now visit your local/ deployed site

You should see "Report-Only" CSP violations in your browser. See example from Google.com (if implementing the middleware with RapidSec's Generated CSP):

Use the CSP builder to generate your CSP based on the reports

See your new CSP violations quickly from the menu bar and easily Allow or Dismiss them by CSP directive. Includes explanations on the meaning of each directive.

Deploy versions of your CSP

Once you've allowed the appropriate assets, click "Build CSP", to generate a new version of your content-security-policy.

See In-depth Analytics

Explore your CSP reports. Dig into your data. Slice and dice by multiple parameters. Understand which assets / pages / browsers are generating CSP violations, and access a detailed report view.

Get Reports

Deployed your Report-Only CSP and now your users covered some additional flows with some additional browsers? You'll get an email with a summary of your new pending review CSP violations.

Note

This Express middleware does minimal validation on the CSP integrity and quality, and relies that you're generating proper CSPs via RapidSec. If you choose to build your CSP manually - use a more sophisticated CSP validator, like CSP Scanner to make sure your CSP is both valid, and effective at mitigating attacks.

See also

Legal

Original code modified from MIT licensed Helmet-CSP