{"id":34687955,"url":"https://github.com/httpland/csp-middleware","last_synced_at":"2026-05-27T10:02:40.544Z","repository":{"id":143199048,"uuid":"614880917","full_name":"httpland/csp-middleware","owner":"httpland","description":"HTTP content security policy(CSP) middleware","archived":false,"fork":false,"pushed_at":"2023-04-11T06:37:44.000Z","size":88,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-01T11:04:53.357Z","etag":null,"topics":["content-security-policy","content-security-policy-report","csp","http","middlewear","security"],"latest_commit_sha":null,"homepage":"https://deno.land/x/csp_middleware","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/httpland.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-03-16T14:03:45.000Z","updated_at":"2023-04-11T04:23:04.000Z","dependencies_parsed_at":null,"dependency_job_id":"de06d8ed-7128-4371-b8ce-fe9ea8f38250","html_url":"https://github.com/httpland/csp-middleware","commit_stats":{"total_commits":57,"total_committers":2,"mean_commits":28.5,"dds":"0.10526315789473684","last_synced_commit":"9c3ffb431a5b487da78086aa84644a76977ca2d4"},"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/httpland/csp-middleware","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/httpland%2Fcsp-middleware","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/httpland%2Fcsp-middleware/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/httpland%2Fcs
p-middleware/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/httpland%2Fcsp-middleware/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/httpland","download_url":"https://codeload.github.com/httpland/csp-middleware/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/httpland%2Fcsp-middleware/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33560727,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-27T02:00:06.184Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["content-security-policy","content-security-policy-report","csp","http","middlewear","security"],"created_at":"2025-12-24T21:55:36.501Z","updated_at":"2026-05-27T10:02:40.528Z","avatar_url":"https://github.com/httpland.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# csp-middleware\n\n[![deno land](http://img.shields.io/badge/available%20on-deno.land/x-lightgrey.svg?logo=deno)](https://deno.land/x/csp_middleware)\n[![deno doc](https://doc.deno.land/badge.svg)](https://doc.deno.land/https/deno.land/x/csp_middleware/mod.ts)\n[![GitHub release (latest by 
date)](https://img.shields.io/github/v/release/httpland/csp-middleware)](https://github.com/httpland/csp-middleware/releases)\n[![codecov](https://codecov.io/github/httpland/csp-middleware/branch/main/graph/badge.svg?token=MNFZEQH8OK)](https://codecov.io/gh/httpland/csp-middleware)\n[![GitHub](https://img.shields.io/github/license/httpland/csp-middleware)](https://github.com/httpland/csp-middleware/blob/main/LICENSE)\n\n[![test](https://github.com/httpland/csp-middleware/actions/workflows/test.yaml/badge.svg)](https://github.com/httpland/csp-middleware/actions/workflows/test.yaml)\n[![NPM](https://nodei.co/npm/@httpland/csp-middleware.png?mini=true)](https://nodei.co/npm/@httpland/csp-middleware/)\n\nHTTP content security policy (CSP) middleware.\n\nCompliant with\n[Content Security Policy Level 3](https://w3c.github.io/webappsec-csp/).\n\n## Middleware\n\nFor a definition of Universal HTTP middleware, see the\n[http-middleware](https://github.com/httpland/http-middleware) project.\n\n## Usage\n\nThe middleware adds the `Content-Security-Policy` header to the response.\n\n```ts\nimport {\n  csp,\n  type Handler,\n} from \"https://deno.land/x/csp_middleware@$VERSION/mod.ts\";\nimport { assert } from \"https://deno.land/std/testing/asserts.ts\";\n\ndeclare const request: Request;\ndeclare const handler: Handler;\n\nconst middleware = csp();\nconst response = await middleware(request, handler);\n\nassert(response.headers.has(\"content-security-policy\"));\n```\n\nyields:\n\n```http\nContent-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'\n```\n\nThe default header field value is compliant with\n[Content Security Policy (CSP)\nQuick Reference Guide, Starter policy](https://content-security-policy.com/).\n\n## Options\n\nThe middleware factory takes the following fields.\n\n| Name       | Type            | Description                            |\n| ---------- | --------------- | 
-------------------------------------- |\n| directives | `CSPDirectives` | CSP directives.                        |\n| reportOnly | `boolean`       | Whether the policy is report-only.     |\n\n### Directives\n\n`directives` can be one of the following.\n\n- `CSPDirective`\n- Camel casing `CSPDirective`\n\n#### CSP directives\n\n`CSPDirectives` are structured `Content-Security-Policy` header field objects.\n\nBase types are as follows:\n\n```ts\ninterface Directives {\n  [k: string]: string | string[];\n}\n```\n\nEach key represents a directive name and each value represents a directive\nvalue.\n\nThe Directive supports all directives in\n[Content Security Policy Level 3](https://w3c.github.io/webappsec-csp/).\n\nEach directive may be restricted to a stricter type.\n\nFor example, a `webrtc` directive is restricted to `'allow'` or `'block'`.\n\n```ts\nimport { csp } from \"https://deno.land/x/csp_middleware@$VERSION/middleware.ts\";\n\nconst middleware = csp({\n  directives: {\n    \"default-src\": \"'none'\",\n    webrtc: \"'allow'\",\n  },\n});\n```\n\nCheck the [deno doc](https://doc.deno.land/https/deno.land/x/csp_middleware/mod.ts)\nfor details about `CSPDirectives`.\n\n##### Camel casing\n\nThe directive name can also be defined in camel case. 
Overloading makes the two\nstyles mutually exclusive.\n\n```ts\nimport { csp } from \"https://deno.land/x/csp_middleware@$VERSION/middleware.ts\";\n\nconst middleware = csp({\n  directives: {\n    defaultSrc: \"'none'\",\n    scriptSrc: [\"'self'\", \"*.example.test\"],\n  },\n});\n```\n\n### Report Only\n\nThe header field changes depending on the value of `reportOnly`.\n\n| Value   | Header field                        |\n| ------- | ----------------------------------- |\n| `true`  | Content-Security-Policy-Report-Only |\n| `false` | Content-Security-Policy             |\n\nThe default `reportOnly` is `false`.\n\n```ts\nimport {\n  csp,\n  type Handler,\n} from \"https://deno.land/x/csp_middleware@$VERSION/mod.ts\";\nimport { assert } from \"https://deno.land/std/testing/asserts.ts\";\n\ndeclare const request: Request;\ndeclare const handler: Handler;\n\nconst middleware = csp({ reportOnly: true });\nconst response = await middleware(request, handler);\n\nassert(response.headers.has(\"content-security-policy-report-only\"));\n```\n\n### Serialization error\n\n[CSP directives](#csp-directives) are serialized into a string.\n\nDuring serialization, the directive name and directive value are validated based on\n[ABNF](https://w3c.github.io/webappsec-csp/#framework-directives). 
If they are\ninvalid, an error may be thrown.\n\nErrors are thrown in the following cases:\n\n- No directive is present\n- Directive key does not comply with\n  [`\u003cdirective-name\u003e`](https://w3c.github.io/webappsec-csp/#grammardef-directive-name)\n- Directive value does not comply with\n  [`\u003cVCHAR\u003e` without \";\" and \",\"](https://w3c.github.io/webappsec-csp/#grammardef-directive-value)\n- Directive values contain a duplicate value\n\n```ts\nimport { csp } from \"https://deno.land/x/csp_middleware@$VERSION/middleware.ts\";\nimport { assertThrows } from \"https://deno.land/std/testing/asserts.ts\";\n\nassertThrows(() =\u003e csp({ directives: {} }));\nassertThrows(() =\u003e csp({ directives: { defaultSrc: \"\u003cinvalid\u003e\" } }));\nassertThrows(() =\u003e\n  csp({ directives: { defaultSrc: [\"\u003cduplicate\u003e\", \"\u003cduplicate\u003e\"] } })\n);\n```\n\n## Effects\n\nMiddleware may make changes to the following elements of the HTTP message.\n\n- HTTP Headers\n  - Content-Security-Policy\n  - Content-Security-Policy-Report-Only\n\n## Conditions\n\nMiddleware will execute if all of the following conditions are met:\n\nDepending on [reportOnly](#report-only):\n\n- `Content-Security-Policy` header does not exist in the response\n- `Content-Security-Policy-Report-Only` header does not exist in the response\n\n## API\n\nAll APIs can be found in the\n[deno doc](https://doc.deno.land/https/deno.land/x/csp_middleware/mod.ts).\n\n## License\n\nCopyright © 2023-present [httpland](https://github.com/httpland).\n\nReleased under the [MIT](./LICENSE) license\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhttpland%2Fcsp-middleware","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhttpland%2Fcsp-middleware","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhttpland%2Fcsp-middleware/lists"}