https://github.com/val-istar-guo/koa-csp

Used to set response header: Content-Security-Policy
https://github.com/val-istar-guo/koa-csp

content-security-policy csp koa koa-csp koa2

Last synced: 10 days ago
JSON representation

Used to set response header: Content-Security-Policy

• Host: GitHub
• URL: https://github.com/val-istar-guo/koa-csp
• Owner: Val-istar-Guo
• License: mit
• Created: 2017-04-06T11:19:04.000Z (about 8 years ago)
• Default Branch: master
• Last Pushed: 2024-09-04T16:52:21.000Z (8 months ago)
• Last Synced: 2025-04-15T20:52:53.317Z (about 1 month ago)
• Topics: content-security-policy, csp, koa, koa-csp, koa2
• Language: TypeScript
• Homepage:
• Size: 109 KB
• Stars: 2
• Watchers: 1
• Forks: 8
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • License: LICENSE
  • Code of conduct: .github/CODE_OF_CONDUCT.md

Awesome Lists containing this project

README

        



  



KOA-CSP


[![version](https://img.shields.io/npm/v/koa-csp.svg?style=flat-square)](https://www.npmjs.com/package/koa-csp)

[![downloads](https://img.shields.io/npm/dm/koa-csp.svg?style=flat-square)](https://www.npmjs.com/package/koa-csp)

[![license](https://img.shields.io/npm/l/koa-csp.svg?style=flat-square)](https://www.npmjs.com/package/koa-csp)

[![dependencies](https://img.shields.io/librariesio/github/Val-istar-Guo/koa-csp.svg?style=flat-square)](https://www.npmjs.com/package/koa-csp)

[![coveralls](https://img.shields.io/coveralls/github/Val-istar-Guo/koa-csp.svg?style=flat-square)](https://coveralls.io/github/Val-istar-Guo/koa-csp)

This is a koa2 middleware used to set response header `Content-Security-Policy`.

[What is CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)

## Usage

```javascript

import Koa from 'koa';

import csp from 'koa-csp';

const app = new Koa();

app.use(csp());

// It is equivalent to

app.use(csp({

  enableWarn: true,

  policy: { 'default-src': ['self'] },

}));

// Add you can add more policy

app.use(csp({

  enableWarn: true,

  policy: {

    'img-src': ['self', 'img.example.com'],

    'script-src': ['script.example.com', '*.script.example.com'],

  },

}));

// some key words will be auto add single quotes

app.use(csp({

  policy: {

    'default-src': ['self', 'none', 'unsafe-inline', 'unsafe-eval', 'example.com'],

    // you can alse add single quotes manually

    'img-src': ["'self'"],

  },

}));

// OUTPUT: Content-Security-Policy: default-src 'self' 'none' 'unsafe-inline' 'unsafe-eval' example.com; img-src 'self'

// CamelCase Support

app.use(csp({

  policy: {

    defaultSrc: ['self', 'none', 'unsafe-inline', 'unsafe-eval', 'example.com'],

    // you can alse add single quotes manually

    imgSrc: ["'self'"],

  },

}));

// OUTPUT: Content-Security-Policy: default-src 'self' 'none' 'unsafe-inline' 'unsafe-eval' example.com; img-src 'self'

```

## Contributing & Development

If there is any doubt, it is very welcome to discuss the issue together.

Please read [Contributor Covenant Code of Conduct](.github/CODE_OF_CONDUCT.md) and [CONTRIBUTING](.github/CONTRIBUTING.md).