How to use the contentSecurityPolicy function from helmet
Find comprehensive JavaScript helmet.contentSecurityPolicy code examples handpicked from public code repositorys.
helmet.contentSecurityPolicy sets the Content Security Policy for the app to help prevent cross-site scripting attacks.
133 134 135 136 137 138 139 140 141 142Примеры: ```js // устанавливаем дефолтные директивы, перезаписываем `script-src` и отключаем `style-src` app.use( helmet.contentSecurityPolicy({ useDefaults: true, directives: { 'script-src': [`'self'`, 'example.com'], 'style-src': null,
493
2
1+ 11 other calls in file
GitHub: AthenZ/athenz
48 49 50 51 52 53 54 55 56 57workerSrc: [`'self'`], formAction: [`'self'`], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src // we have set all the directives which defaultSrc sets for us, and we let nextjs set up style-src for us defaultSrc: helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc, }, useDefaults: false, }; if (config.cspImgSrc && config.cspImgSrc.length !== 0) {
25777152How does helmet.contentSecurityPolicy work?
helmet.contentSecurityPolicy is a middleware function in the Helmet library for Express.js that sets the Content-Security-Policy header of an HTTP response, which helps to mitigate cross-site scripting (XSS), clickjacking, and other code injection attacks by defining a policy for which content is allowed to be loaded or executed on a web page. When the helmet.contentSecurityPolicy middleware is used, it generates a default policy that blocks all content from external sources and only allows content from trusted sources such as the same domain, trusted subdomains, or explicitly whitelisted sources. The policy can be customized by specifying a configuration object with various directives to specify allowed sources and types of content, as well as other security-related options such as whether to report violations.
GitHub: ging/fiware-idm
80 81 82 83 84 85 86 87 88 89} if (config.csp.script_src) { csp_options.directives.scriptSrc = config.csp.script_src; } app.use( helmet.contentSecurityPolicy(csp_options) ); app.use( helmet.dnsPrefetchControl({ allow: process.env.IDM_DNS_PREFETCH_ALLOW === 'true'
743116+ 3 other calls in file
GitHub: sharetribe/web-template
122 123 124 125 126 127 128 129 130 131if (!reportOnly) { directives.upgradeInsecureRequests = []; } // See: https://helmetjs.github.io/docs/csp/ return helmet.contentSecurityPolicy({ useDefaults: false, directives, reportOnly, });
1046Ai Example
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25const express = require("express"); const helmet = require("helmet"); const app = express(); // Use the contentSecurityPolicy middleware app.use( helmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", "example.com"], styleSrc: ["'self'", "maxcdn.bootstrapcdn.com"], }, }) ); // Define a route handler app.get("/", (req, res) => { res.send("Hello, world!"); }); // Start the server app.listen(3000, () => { console.log("Server listening on port 3000"); });
In this example, the helmet.contentSecurityPolicy() middleware is used to set the Content Security Policy headers for the application. The directives option is used to specify the various directives that should be included in the CSP header. In this case, the defaultSrc directive is set to 'self', which means that resources can only be loaded from the same origin. The scriptSrc directive is set to allow scripts to be loaded from both the same origin ('self') and from example.com. Finally, the styleSrc directive is set to allow stylesheets to be loaded from both the same origin ('self') and from maxcdn.bootstrapcdn.com. The helmet.contentSecurityPolicy() middleware provides a convenient way to set the CSP headers for an application, helping to improve security by reducing the risk of cross-site scripting (XSS) attacks.
64 65 66 67 68 69 70 71 72 73} next(); }); const defaultDirectives = helmet.contentSecurityPolicy.getDefaultDirectives(); app.use( helmet.contentSecurityPolicy({ directives: { imgSrc: [...defaultDirectives['img-src'], '*.imgur.com'] }, }),
021+ 17 other calls in file
GitHub: naataliie1/docs
67 68 69 70 71 72 73// Exception for search in deprecated Enterprise docs <=2.12 (static site era) if (versionSatisfiesRange(requestedVersion, '<=2.12')) { csp.directives.scriptSrc.push("'unsafe-inline'") } return contentSecurityPolicy(csp)(req, res, next) }
023+ 3 other calls in file
41 42 43 44 45 46 47 48 49 50// includeSubDomains: false, // }) // ); // //CSP preventing cross-site scription. if not set all HTTP response on the browser. // app.use( // helmet.contentSecurityPolicy({ // useDefaults: true, // directives: { // "script-src": ["'self'", "securecoding.com"], // "style-src": null,
000GitHub: arkime/arkime
127 128 129 130 131 132 133 134 135 136// need unsafe-eval for vue full build: https://vuejs.org/v2/guide/installation.html#CSP-environments scriptSrc: ["'self'", "'unsafe-eval'", (req, res) => `'nonce-${res.locals.nonce}'`], objectSrc: ["'none'"], imgSrc: ["'self'", 'data:'] }; const cspHeader = helmet.contentSecurityPolicy({ directives: cspDirectives }); const cyberchefCspHeader = helmet.contentSecurityPolicy({ directives: {
00354+ 3 other calls in file
GitHub: baronrustamov/NodeBB
186 187 188 189 190 191 192 193 194 195} function setupHelmet(app) { /** * The only reason why these middlewares are all explicitly spelled out is because * helmet.contentSecurityPolicy() is too restrictive and breaks plugins. * * It should be implemented in the future... 🔜 */ if (meta.config['cross-origin-embedder-policy']) {
000+ 3 other calls in file
helmet.contentSecurityPolicy is the most popular function in helmet (195 examples)