Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/nlf/blankie

a hapi CSP plugin
https://github.com/nlf/blankie

Last synced: 9 days ago
JSON representation

a hapi CSP plugin

Awesome Lists containing this project

README 

        
## blankie



A CSP plugin for [hapi](https://github.com/hapijs/hapi).



### Usage



This plugin depends on [scooter](https://github.com/hapijs/scooter) to function.



To use it:



```javascript

'use strict';



const Hapi = require('@hapi/hapi');

const Blankie = require('blankie');

const Scooter = require('@hapi/scooter');



const internals = {};



const server = Hapi.server();



internals.init = async () => {



    await server.register([Scooter, {

        plugin: Blankie,

        options: {} // specify options here

    }]);



    await server.start();

};



internals.init().catch((err) => {



    throw err;

});

```



Options may also be set on a per-route basis:



```javascript

'use strict';



const Hapi = require('@hapi/hapi');

const Blankie = require('blankie');

const Scooter = require('@hapi/scooter');



const server = Hapi.server();



server.route({

    method: 'GET',

    path: '/something',

    config: {

        handler: (request, h) => {



            return 'these settings are changed';

        },

        plugins: {

            blankie: {

                scriptSrc: 'self'

            }

        }

    }

});

```



Note that this setting will *NOT* be merged with your server-wide settings.



You may also set `config.plugins.blankie` equal to `false` on a route to disable CSP headers completely for that route.



### Options



* `baseUri`: Values for `base-uri` directive. Defaults `'self'`.

* `childSrc`: Values for `child-src` directive.

* `connectSrc`: Values for the `connect-src` directive. Defaults `'self'`.

* `defaultSrc`: Values for the `default-src` directive. Defaults to `'none'`.

* `fontSrc`: Values for the `font-src` directive.

* `formAction`: Values for the `form-action` directive.

* `frameAncestors`: Values for the `frame-ancestors` directive.

* `frameSrc`: Values for the `frame-src` directive.

* `imgSrc`: Values for the `image-src` directive. Defaults to `'self'`.

* `manifestSrc`: Values for the `manifest-src` directive.

* `mediaSrc`: Values for the `media-src` directive.

* `objectSrc`: Values for the `object-src` directive.

* `oldSafari`: Force enabling buggy CSP for Safari 5.

* `pluginTypes`: Values for the `plugin-types` directive.

* `reflectedXss`: Value for the `reflected-xss` directive. Must be one of `'allow'`, `'block'` or `'filter'`.

* `reportOnly`: Append '-Report-Only' to the name of the CSP header to enable report only mode.

* `reportUri`: Value for the `report-uri` directive. This should be the path to a route that accepts CSP violation reports.

* `requireSriFor`: Value for `require-sri-for` directive.

* `sandbox`: Values for the `sandbox` directive. May be a boolean or one of `'allow-forms'`, `'allow-same-origin'`, `'allow-scripts'` or `'allow-top-navigation'`.

* `scriptSrc`: Values for the `script-src` directive. Defaults to `'self'`.

* `styleSrc`: Values for the `style-src` directive. Defaults to `'self'`.

* `workerSrc`: Values for the `worker-src` directive. Defaults to `'self'`.

* `generateNonces`: Whether or not to automatically generate nonces. Defaults to `true`. May be a boolean or one of `'script'` or `'style'`. When enabled your templates rendered through [vision](https://github.com/hapijs/vision) will have `script-nonce` and/or `style-nonce` automatically added to their context, additionally `request.plugins.blankie.nonces` will contain one or both of the `'script'` and `'style'` properties containing these values for use outside of vision.