Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/johnhunter/yaml2csp

A node CLI utility for converting a yaml file to a CSP header value.
https://github.com/johnhunter/yaml2csp

cli csp yaml

Last synced: 3 months ago
JSON representation

A node CLI utility for converting a yaml file to a CSP header value.

Host: GitHub
URL: https://github.com/johnhunter/yaml2csp
Owner: johnhunter
Created: 2024-07-13T20:37:38.000Z (6 months ago)
Default Branch: main
Last Pushed: 2024-07-14T11:53:13.000Z (6 months ago)
Last Synced: 2024-09-30T23:01:26.549Z (3 months ago)
Topics: cli, csp, yaml
Language: JavaScript
Homepage: https://www.npmjs.com/package/@johnhunter/yaml2csp
Size: 16.6 KB
Stars: 1
Watchers: 1
Forks: 0
Open Issues: 1
Metadata Files:
- Readme: readme.md

Awesome Lists containing this project

README

# yaml2csp

A node CLI utility for converting a yaml file to a [CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) header value.

## Motivation

CSP header values are often complex and it is useful to format these for
readability. However, http header values need to be a single line string.
By using yaml as a format we can include structure and comments.

These strings can then be used in http header configuration for servers and
reverse-proxies.

## Usage

1. Create your CSP yaml file
2. Install and run the utility
- Either: `npx @johnhunter/yaml2csp parse `
- Or:
- `npm install -g @johnhunter/yaml2csp`
- Then `yaml2csp parse `
3. Copy result from the console (or specify an output file with `-o`)

## Example

### Yaml source file:

```yaml
frame-ancestors:
- 'self'
- 'https://www.coolwebsite.com'

default-src:
- 'self' # we can use comments!!
- 'https://*.foo.com'

script-src:
- 'self'
- 'unsafe-eval'
- 'blob:'
- 'https://www.coolwebsite.com'
- 'https://*.another-website.com'

img-src:
- 'data:'
- '*'
```

### Generated output:

```text
frame-ancestors 'self' https://www.coolwebsite.com; default-src 'self' https://*.foo.com; script-src 'self' 'unsafe-eval' blob: https://www.coolwebsite.com https://*.another-website.com; img-src data: *
```

## Resources

- MDN documentation for [CSP concepts](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) and the [http header syntax](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
- https://cspvalidator.org - validate the output string for correctness