0.1.1 • Published 6 years ago

fastify-csp v0.1.1

Weekly downloads
17
License
MIT
Repository
github
Last release
6 years ago

fastify-csp

Build Status Code coverage Code style Dependency Status Dev Dependency Status NPM version NPM downloads NPM license

Fastify plugin to set Content-Security-Policy header.

Why?

You may know csp as a csp middleware used in helmet. And you could use it as a middleware in fastify also. So why i made this plugin?

You may find the reason in benchmark result and wish you like it. :)

Difference

This plugin has passed all csp test cases. But there are some differences to csp:

  • Don't support kebab case directive name. All directive name shoud be in camel case.
  • Use lru cache for static policy generation which won't effect dynamic situation.

Install

Via npm:

npm i fastify-csp

Via yarn:

yarn add fastify-csp

Usage

const fastify = require('fastify');
const fastifyCsp = require('fastify-csp');

const app = fastify();
app.register(fastifyCsp, {
  directives: {
    defaultSrc: ["'self'"]
  }
  // e.t.c
});

app.listen(3000, err => {
  if (err) throw err;
});

Options

This plugin has the same options as the middleware in helmet. To learn more, you may check out the spec or reference guide.

directives {object}

This option is required.

All directive name shoud be in camel case.

Specify directives with at least one directive field. Supported directives:

  • baseUri (as base-url)
  • blockAllMixedContent (as block-all-mixed-content)
  • childSrc (as child-src)
  • connectSrc (as connect-src)
  • defaultSrc (as default-src)
  • fontSrc (as font-src)
  • formAction (as form-action)
  • frameAncestors (as frame-ancestors)
  • frameSrc (as frame-src)
  • imgSrc (as img-src)
  • manifestSrc (as manifest-src)
  • mediaSrc (as media-src)
  • objectSrc (as object-src)
  • pluginTypes (as plugin-types)
  • prefetchSrc (as prefetch-src)
  • reportTo (as report-to)
  • reportUri (as report-uri)
  • requireSriFor (as require-sri-for)
  • sandbox (as sandbox)
  • scriptSrc (as script-src)
  • styleSrc (as style-src)
  • upgradeInsecureRequests (as upgrade-insecure-requests)
  • workerSrc (as worker-src)

loose {boolean}

Default is false.

This module will detect common mistakes in your directives and throw errors if finds any. To disable this, set true to loose option.

reportOnly {boolean|function}

Default is false.

Set to true if you only want browsers to report errors, not block them. You may also set this to a function(request, reply) in order to decide dynamically whether to use reportOnly mode, e.g., to allow for a dynamic kill switch.

setAllHeaders {boolean}

Default is false.

Set to true if you want to blindly set all headers: Content-Security-Policy, X-WebKit-CSP, and X-Content-Security-Policy.

disableAndroid {boolean}

Default is false.

Set to true if you want to disable CSP on Android where it can be buggy.

browserSniff {boolean}

Default is true.

Set to false if you want to completely disable any user-agent sniffing. This may make the headers less compatible but it will be much faster.

Changelog

  • 0.1.0
    • Update performance
    • Add benchmarks
    • Add test case
    • Add code coverage
  • 0.0.1:
    • Init version
fastifyfastify-pluginhelmetcsp
fastify-pluginlru-cacheplatform
@infinitebrahmanuniverse/nolb-fasti@everything-registry/sub-chunk-1650fastify-fast-helmetfastify-fast-helmet-wrapper@zalastax/nolb-fasti
0.1.1

6 years ago

0.1.0

6 years ago

0.0.1

6 years ago