fastify-csp
v0.1.1
Fastify plugin to set Content-Security-Policy header
fastify-csp
Fastify plugin to set Content-Security-Policy header.
Why?
You may know csp as the CSP middleware used in helmet, and you could use it as a middleware in Fastify as well. So why did I make this plugin?
You will find the reason in the benchmark results, and I hope you like it. :)
Difference
This plugin passes all of csp's test cases, but there are some differences from csp:
- Kebab-case directive names are not supported. All directive names must be camelCase (for example defaultSrc, not default-src).
- An LRU cache is used for static policy generation; it does not affect policies that are generated dynamically.
Install
Via npm:
npm i fastify-csp
Via yarn:
yarn add fastify-csp
Usage
```js
const fastify = require('fastify');
const fastifyCsp = require('fastify-csp');

const app = fastify();

// Register the plugin with a directives object; directive names are camelCase.
app.register(fastifyCsp, {
  directives: {
    defaultSrc: ["'self'"]
  }
  // etc.
});

app.listen(3000, err => {
  if (err) throw err;
});
```
Options
This plugin accepts the same options as helmet's csp middleware. To learn more, check out the CSP spec or the reference guide.
directives {object}
This option is required.
All directive names must be camelCase.
Specify at least one directive. Supported directives:
- baseUri (as base-uri)
- blockAllMixedContent (as block-all-mixed-content)
- childSrc (as child-src)
- connectSrc (as connect-src)
- defaultSrc (as default-src)
- fontSrc (as font-src)
- formAction (as form-action)
- frameAncestors (as frame-ancestors)
- frameSrc (as frame-src)
- imgSrc (as img-src)
- manifestSrc (as manifest-src)
- mediaSrc (as media-src)
- objectSrc (as object-src)
- pluginTypes (as plugin-types)
- prefetchSrc (as prefetch-src)
- reportTo (as report-to)
- reportUri (as report-uri)
- requireSriFor (as require-sri-for)
- sandbox (as sandbox)
- scriptSrc (as script-src)
- styleSrc (as style-src)
- upgradeInsecureRequests (as upgrade-insecure-requests)
- workerSrc (as worker-src)
loose {boolean}
Default is false.
This module detects common mistakes in your directives and throws an error if it finds any.
To disable these checks, set the loose option to true.
reportOnly {boolean|function}
Default is false.
Set to true if you only want browsers to report violations, not block them (the policy is then sent in the Content-Security-Policy-Report-Only header instead).
You may also set this to a function(request, reply) that decides per request whether to use report-only mode, e.g. to implement a dynamic kill switch.
setAllHeaders {boolean}
Default is false.
Set to true if you want to blindly set all headers: Content-Security-Policy, X-WebKit-CSP and X-Content-Security-Policy.
disableAndroid {boolean}
Default is false.
Set to true if you want to disable CSP on Android, where it can be buggy.
browserSniff {boolean}
Default is true.
Set to false if you want to completely disable user-agent sniffing.
This may make the headers less compatible with older browsers, but it is much faster. Note that with sniffing enabled, the header a client receives depends on its User-Agent string.
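The following is an added example, not fastify-csp's own source, that mirrors the option semantics documented above in plain Node.js so the effect of directives, loose, reportOnly (boolean or function) and setAllHeaders can be seen without starting a Fastify server. The sample policy, the x-csp-report-only kill-switch header and the two mistake checks (unquoted keywords such as self, and 'none' combined with other sources) are assumptions chosen for illustration; which mistakes the real plugin flags is not stated on this page.

```javascript
'use strict';

// camelCase directive name -> header token, e.g. baseUri -> base-uri
function toKebabCase(name) {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Keywords that the CSP spec requires to be single-quoted in a source list.
const QUOTED_KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic']);

// Return a list of problems found in a directives object (empty when none).
// The checks below are illustrative assumptions, not the plugin's actual rules.
function findMistakes(directives) {
  if (!directives || typeof directives !== 'object' || Object.keys(directives).length === 0) {
    return ['directives must contain at least one directive'];
  }
  const problems = [];
  for (const [name, value] of Object.entries(directives)) {
    if (name.includes('-')) {
      problems.push(`directive "${name}" must be camelCase, not kebab-case`);
    }
    const sources = Array.isArray(value) ? value : [];
    for (const src of sources) {
      if (typeof src !== 'string') {
        problems.push(`directive "${name}" has a non-string source`);
      } else if (QUOTED_KEYWORDS.has(src)) {
        problems.push(`directive "${name}": keyword ${src} must be written as '${src}'`);
      }
    }
    if (sources.includes("'none'") && sources.length > 1) {
      problems.push(`directive "${name}": 'none' cannot be combined with other sources`);
    }
  }
  return problems;
}

// Serialise directives into a header value. Unless `loose` is true, mistakes throw.
function buildPolicy(directives, { loose = false } = {}) {
  if (!loose) {
    const problems = findMistakes(directives);
    if (problems.length > 0) throw new Error(problems.join('; '));
  }
  return Object.entries(directives)
    .map(([name, value]) => {
      const token = toKebabCase(name);
      // Boolean directives (e.g. upgradeInsecureRequests: true) carry no source list.
      if (value === true) return token;
      const sources = Array.isArray(value) ? value : [value];
      return sources.length === 0 ? token : `${token} ${sources.join(' ')}`;
    })
    .join('; ');
}

// Resolve `reportOnly`, which may be a boolean or a function(request, reply).
function isReportOnly(reportOnly, request, reply) {
  return Boolean(typeof reportOnly === 'function' ? reportOnly(request, reply) : reportOnly);
}

// Compute the header(s) a response would carry for the given plugin options.
function cspHeaders(options, request, reply) {
  const value = buildPolicy(options.directives, { loose: options.loose });
  const suffix = isReportOnly(options.reportOnly, request, reply) ? '-Report-Only' : '';
  const names = options.setAllHeaders
    ? ['Content-Security-Policy', 'X-WebKit-CSP', 'X-Content-Security-Policy']
    : ['Content-Security-Policy'];
  const headers = {};
  for (const name of names) headers[name + suffix] = value;
  return headers;
}

// Constructed sample options: a policy plus a header-driven report-only kill switch.
const sampleOptions = {
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", 'https://cdn.example.com'],
    objectSrc: ["'none'"],
    upgradeInsecureRequests: true,
  },
  // Hypothetical kill switch: an internal request header flips the policy to report-only.
  reportOnly: (request) => request.headers['x-csp-report-only'] === '1',
};

// Enforcing request vs. kill-switched request (request objects are constructed stand-ins).
console.log(JSON.stringify(cspHeaders(sampleOptions, { headers: {} })));
console.log(JSON.stringify(cspHeaders(sampleOptions, { headers: { 'x-csp-report-only': '1' } })));
```

The strict path throws on `defaultSrc: ['self']` because an unquoted self is a host name, not the keyword, which silently weakens the policy; passing `loose: true` emits it as written. A reportOnly function is evaluated per request, so a policy that is otherwise static can still be flipped to report-only without redeploying.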
Changelog
- 0.1.0:
- Performance improvements
- Add benchmarks
- Add test cases
- Add code coverage
- 0.0.1:
- Initial version