{"id":30739939,"url":"https://github.com/shaialon/express-csp-generator","last_synced_at":"2025-09-03T23:04:00.059Z","repository":{"id":54266794,"uuid":"340859230","full_name":"shaialon/express-csp-generator","owner":"shaialon","description":"Content Security Policy Generator, Powered by RapidSec","archived":false,"fork":false,"pushed_at":"2021-02-28T14:31:37.000Z","size":26,"stargazers_count":5,"open_issues_count":1,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-08-09T05:54:26.634Z","etag":null,"topics":["csp","security"],"latest_commit_sha":null,"homepage":"https://rapidsec.com/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shaialon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-02-21T09:06:22.000Z","updated_at":"2025-04-09T22:28:00.000Z","dependencies_parsed_at":"2022-08-13T10:30:51.207Z","dependency_job_id":null,"html_url":"https://github.com/shaialon/express-csp-generator","commit_stats":null,"previous_names":["rapidsec-com/express-csp-generator"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/shaialon/express-csp-generator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shaialon%2Fexpress-csp-generator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shaialon%2Fexpress-csp-generator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shaialon%2Fexpress-csp-generator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shaialon%2Fexpress-csp-generator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shaialon","download_url":"https://codeload.github.com/shaialon/express-csp-generator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shaialon%2Fexpress-csp-generator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273523664,"owners_count":25120864,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-03T02:00:09.631Z","response_time":76,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csp","security"],"created_at":"2025-09-03T23:02:08.005Z","updated_at":"2025-09-03T23:04:00.042Z","avatar_url":"https://github.com/shaialon.png","language":"TypeScript","funding_links":[],"categories":["security"],"sub_categories":[],"readme":"# Content Security Policy Generator, Powered by [RapidSec](https://rapidsec.com?utm_source=npm_csp_generator\u0026utm_medium=readme)\n\nContent Security Policy (CSP) helps prevent unwanted content from being injected/loaded into your webpages. This can mitigate cross-site scripting (XSS) vulnerabilities, Clickjacking, Formjacking, malicious frames, unwanted trackers, client-side injected malware, and other [web client-side attacks](https://rapidsec.com/docs/client-side-attacks?utm_source=npm_csp_generator\u0026utm_medium=readme).\n\n## Getting started with CSP - create your report-uri and first CSP on RapidSec\n\nGo to [RapidSec and generate your first CSP](https://rapidsec.com/csp-automation?utm_source=npm_csp_generator\u0026utm_medium=readme).\nChoose a JSON export, that works with this specific express middleware.\u003cbr/\u003e\nYou could otherwise use the [RapidSec Node.js MicroAgent](https://www.npmjs.com/package/@rapidsec/node) which is even more automatic.\n\n\u003cimg src=\"https://user-images.githubusercontent.com/3126207/109227014-50575f80-77c8-11eb-97d7-3cdacf183c3d.gif\" width=\"700\"/\u003e\n\n## Install this package in your Express project\n\n`npm install express-csp-generator`\nor\n`yarn add express-csp-generator`\n\n## Add the report-only policy that you generated on RapidSec to send violation data to the report-uri:\n\n```javascript\nconst contentSecurityPolicy = require(\"express-csp-generator\");\n\napp.use(\n  contentSecurityPolicy({\n    directives: {\n      \"frame-ancestors\": [\"'none'\"],\n      \"block-all-mixed-content\": [],\n      \"default-src\": [\"'none'\"],\n      \"script-src\": [\"'self'\", \"'report-sample'\"],\n      \"style-src\": [\"'self'\", \"'report-sample'\"],\n      \"object-src\": [\"'none'\"],\n      \"frame-src\": [\"'none'\"],\n      \"child-src\": [\"'none'\"],\n      \"img-src\": [\"'self'\"],\n      \"font-src\": [\"'self'\"],\n      \"connect-src\": [\"'none'\"],\n      \"manifest-src\": [\"'none'\"],\n      \"base-uri\": [\"'self'\"],\n      \"form-action\": [\"'none'\"],\n      \"media-src\": [\"'none'\"],\n      \"prefetch-src\": [\"'none'\"],\n      \"worker-src\": [\"'none'\"],\n      \"report-uri\": [\n        \"https://gate.rapidsec.net/YOUR_SPECIFIC_RAPIDSEC_ENDPOINT\",\n      ],\n    },\n    reportOnly: true,\n  })\n);\n```\n\n## Now visit your local/ deployed site\n\nYou should see \"Report-Only\" CSP violations in your browser.\nSee example from Google.com (if implementing the middleware with RapidSec's Generated CSP):\u003cbr/\u003e\n\u003cimg src=\"https://user-images.githubusercontent.com/3126207/109227786-8c3ef480-77c9-11eb-8315-c151deb05ebe.png\" width=\"700\"/\u003e\n\n## Use the CSP builder to generate your CSP based on the reports\n\nSee your new CSP violations quickly from the menu bar and easily Allow or Dismiss them by CSP directive.\nIncludes explanations on the meaning of each directive.\n\u003cimg src=\"https://user-images.githubusercontent.com/3126207/109228319-51898c00-77ca-11eb-8281-accdd1e94e0d.gif\" width=\"700\"/\u003e\n\n## Deploy versions of your CSP\n\nOnce you've allowed the appropriate assets, click \"Build CSP\", to generate a new version of your `content-security-policy`.\u003cbr/\u003e\n\n## See In-depth Analytics\n\nExplore your CSP reports. Dig into your data. Slice and dice by multiple parameters. Understand which assets / pages / browsers are generating CSP violations, and access a detailed report view.\n\u003cimg src=\"https://user-images.githubusercontent.com/3126207/109228314-4fbfc880-77ca-11eb-9c2a-603ac37d4b00.gif\" width=\"700\"/\u003e\n\n## Get Reports\n\nDeployed your Report-Only CSP and now your users covered some additional flows with some additional browsers?\u003cbr/\u003e\nYou'll get an email with a summary of your new pending review CSP violations.\n\u003cimg src=\"https://user-images.githubusercontent.com/3126207/109228310-4e8e9b80-77ca-11eb-8394-9da0116cf021.png\" width=\"700\"/\u003e\n\n## Note\n\nThis Express middleware does minimal validation on the CSP integrity and quality, and relies that you're [generating proper CSPs via RapidSec](https://rapidsec.com/csp-automation?utm_source=npm_csp_generator\u0026utm_medium=readme). If you choose to build your CSP manually - use a more sophisticated CSP validator, like [CSP Scanner](https://cspscanner.com/?utm_source=npm_csp_generator\u0026utm_medium=readme) to make sure your CSP is both valid, and effective at mitigating attacks.\n\n## See also\n\n- [RapidSec CSP Generator](https://rapidsec.com/csp-automation?utm_source=npm_csp_generator\u0026utm_medium=readme)\n- [CSP Scanner](https://cspscanner.com/?utm_source=npm_csp_generator\u0026utm_medium=readme)\n- [CSP Scanner Chrome Extension](https://chrome.google.com/webstore/detail/csp-scanner-test-analyze/eoiiiomeoogcpnkdedcodoeaacpdfmdj)\n- [CSP Bypasses](https://rapidsec.com/docs/csp-bypasses?utm_source=npm_csp_generator\u0026utm_medium=readme)\n\n## Legal\n\nOriginal code modified from MIT licensed [Helmet-CSP](https://github.com/helmetjs/helmet/tree/main/middlewares/content-security-policy)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshaialon%2Fexpress-csp-generator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshaialon%2Fexpress-csp-generator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshaialon%2Fexpress-csp-generator/lists"}