Rapid configurable Content Security Policy middleware

express-csp

Rapid, configurable Content Security Policy middleware for Express, powered by Helmet and simple YAML configuration.
Features

  • Secure defaults with CSP via helmet
  • Configuration in clean, readable YAML
  • Easily swappable policies per environment
  • Fully tested with Jest & Supertest

Installation

npm install helmet yaml
npm install --save-dev jest supertest

Usage

const express = require('express')
const csp = require('express-csp')
const app = express()

// Path to the YAML policy file; the middleware reads it and applies the
// resulting Content-Security-Policy header via helmet.
const policyPath = './csp-policy.yml'
// Mount the middleware before any routes so every response carries the header.
app.use(csp(policyPath))

app.get('/', (req, res) => res.send('Secure by CSP!'))
app.listen(3000)

Sample Policy

default-src: ["'self'"]
script-src:
  - "'self'"
  - example.com
style-src:
  - "'self'"
  - "https:"
  - "'unsafe-inline'"
img-src:
  - "'self'"
  - "data:"
object-src: ["'none'"]
upgrade-insecure-requests: []
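The README shows the YAML policy and the one-line mount, but not what the header that reaches the browser looks like or how a directive with an empty list is serialised. The following added example (not express-csp's own code) takes the sample policy above in its parsed form, builds the Content-Security-Policy header value, wraps it as Express-style middleware, and runs a small lint pass that flags settings known to weaken CSP. It assumes the policy has already been parsed into a plain object by a YAML library (as the yaml package would do) and uses no external dependencies; the function names buildCspHeader, cspMiddleware and lintPolicy are this example's own.

```javascript
// Added example, not express-csp's own code. Assumes the YAML policy has
// already been parsed into { directive: [source, ...] } by a YAML library.

// Constructed input: the parsed form of the sample csp-policy.yml above.
const samplePolicy = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'example.com'],
  'style-src': ["'self'", 'https:', "'unsafe-inline'"],
  'img-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
  'upgrade-insecure-requests': [],
};

// Serialise { directive: [sources] } into "directive src src; directive ...".
// A directive with an empty list (upgrade-insecure-requests) is emitted bare,
// which is the form the CSP grammar expects for valueless directives.
function buildCspHeader(policy) {
  const parts = [];
  for (const [directive, sources] of Object.entries(policy)) {
    if (!/^[a-z-]+$/.test(directive)) {
      throw new TypeError(`invalid directive name: ${directive}`);
    }
    if (!Array.isArray(sources)) {
      throw new TypeError(`directive ${directive} must be a list of sources`);
    }
    parts.push(sources.length ? `${directive} ${sources.join(' ')}` : directive);
  }
  return parts.join('; ');
}

// Express-compatible middleware: computes the header once and sets it on
// every response, then hands control to the next handler.
function cspMiddleware(policy) {
  const headerValue = buildCspHeader(policy);
  return function csp(req, res, next) {
    res.setHeader('Content-Security-Policy', headerValue);
    next();
  };
}

// Review a policy for settings that weaken CSP's defence against injected
// scripts. Returns human-readable warnings; an empty list means nothing flagged.
function lintPolicy(policy) {
  const warnings = [];
  // script-src falls back to default-src when absent, so lint the effective list.
  const scriptSrc = policy['script-src'] || policy['default-src'] || [];
  for (const risky of ["'unsafe-inline'", "'unsafe-eval'", '*']) {
    if (scriptSrc.includes(risky)) warnings.push(`script-src allows ${risky}`);
  }
  if (!policy['object-src'] && !policy['default-src']) {
    warnings.push('object-src is unrestricted (plugin content can be loaded)');
  }
  if (!policy['base-uri']) {
    warnings.push("base-uri not set; an injected <base> tag can retarget relative script URLs");
  }
  return warnings;
}

// Stand-alone demonstration using a minimal stand-in for an Express response.
function demo(policy = samplePolicy) {
  const res = { headers: {}, setHeader(name, value) { this.headers[name] = value; } };
  let nextCalled = false;
  cspMiddleware(policy)({}, res, () => { nextCalled = true; });
  return {
    header: res.headers['Content-Security-Policy'],
    nextCalled,
    warnings: lintPolicy(policy),
  };
}

console.log(demo());
```

For the sample policy the header comes out as default-src 'self'; script-src 'self' example.com; style-src 'self' https: 'unsafe-inline'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests, and the lint pass reports only the missing base-uri directive: 'unsafe-inline' in style-src is not flagged because it does not permit script execution, whereas the same keyword in script-src would be.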

License

ISC License
Contributing

PRs welcome! For bugs or suggestions, open an issue.