Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/nlf/blankie
a hapi CSP plugin
- Host: GitHub
- URL: https://github.com/nlf/blankie
- Owner: nlf
- Created: 2014-07-14T22:25:50.000Z (over 10 years ago)
- Default Branch: master
- Last Pushed: 2023-05-22T21:11:40.000Z (over 1 year ago)
- Last Synced: 2024-04-28T03:18:55.093Z (8 months ago)
- Language: JavaScript
- Size: 354 KB
- Stars: 52
- Watchers: 2
- Forks: 20
- Open Issues: 17
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-nodejs-security - blankie - CSP plugin for [hapi](https://github.com/hapijs/hapi). (Web Framework Hardening)
README
## blankie
A CSP plugin for [hapi](https://github.com/hapijs/hapi).
### Usage
This plugin depends on [scooter](https://github.com/hapijs/scooter) to function.
To use it:
```javascript
'use strict';

const Hapi = require('@hapi/hapi');
const Blankie = require('blankie');
const Scooter = require('@hapi/scooter');

const internals = {};

const server = Hapi.server();

internals.init = async () => {

    // Scooter must be registered alongside Blankie; it supplies the
    // user-agent parsing Blankie uses to tailor the header per browser.
    await server.register([Scooter, {
        plugin: Blankie,
        options: {} // specify options here
    }]);

    await server.start();
};

internals.init().catch((err) => {

    throw err;
});
```

Options may also be set on a per-route basis:
```javascript
'use strict';

const Hapi = require('@hapi/hapi');
const Blankie = require('blankie');
const Scooter = require('@hapi/scooter');

const server = Hapi.server();

// Scooter and Blankie are registered as in the previous example.
server.route({
    method: 'GET',
    path: '/something',
    config: {
        handler: (request, h) => {

            return 'these settings are changed';
        },
        plugins: {
            blankie: {
                scriptSrc: 'self'
            }
        }
    }
});
```

Note that this setting will *NOT* be merged with your server-wide settings; the route's own settings replace them entirely.
You may also set `config.plugins.blankie` equal to `false` on a route to disable CSP headers completely for that route.
### Options
* `baseUri`: Values for the `base-uri` directive. Defaults to `'self'`.
* `childSrc`: Values for `child-src` directive.
* `connectSrc`: Values for the `connect-src` directive. Defaults to `'self'`.
* `defaultSrc`: Values for the `default-src` directive. Defaults to `'none'`.
* `fontSrc`: Values for the `font-src` directive.
* `formAction`: Values for the `form-action` directive.
* `frameAncestors`: Values for the `frame-ancestors` directive.
* `frameSrc`: Values for the `frame-src` directive.
* `imgSrc`: Values for the `img-src` directive. Defaults to `'self'`.
* `manifestSrc`: Values for the `manifest-src` directive.
* `mediaSrc`: Values for the `media-src` directive.
* `objectSrc`: Values for the `object-src` directive.
* `oldSafari`: Force enabling buggy CSP for Safari 5.
* `pluginTypes`: Values for the `plugin-types` directive. Note that `plugin-types` has been removed from the CSP specification and current browsers ignore it; restrict plugins with `object-src` instead.
* `reflectedXss`: Value for the `reflected-xss` directive. Must be one of `'allow'`, `'block'` or `'filter'`. Note that `reflected-xss` was dropped from the CSP specification and is not honoured by current browsers.
* `reportOnly`: Append '-Report-Only' to the name of the CSP header to enable report only mode.
* `reportUri`: Value for the `report-uri` directive. This should be the path to a route that accepts CSP violation reports (a `POST` with a JSON body of content type `application/csp-report`). `report-uri` is deprecated in favour of `report-to` but is still the more widely supported of the two.
* `requireSriFor`: Value for the `require-sri-for` directive. Note that `require-sri-for` never left experimental status and is not supported by current browsers.
* `sandbox`: Values for the `sandbox` directive. May be a boolean or one of `'allow-forms'`, `'allow-same-origin'`, `'allow-scripts'` or `'allow-top-navigation'`.
* `scriptSrc`: Values for the `script-src` directive. Defaults to `'self'`.
* `styleSrc`: Values for the `style-src` directive. Defaults to `'self'`.
* `workerSrc`: Values for the `worker-src` directive. Defaults to `'self'`.
* `generateNonces`: Whether or not to automatically generate nonces. Defaults to `true`. May be a boolean or one of `'script'` or `'style'`. When enabled, your templates rendered through [vision](https://github.com/hapijs/vision) will have `script-nonce` and/or `style-nonce` automatically added to their context. Additionally, `request.plugins.blankie.nonces` will contain one or both of the `'script'` and `'style'` properties holding these values, for use outside of vision. A nonce is only useful if it is fresh per response and unguessable, so inline `<script>`/`<style>` tags must carry the nonce generated for that specific request.