Fastify plugin to set Content-Security-Policy header.
You may know csp as the CSP middleware used in helmet, and you can use it as a middleware in fastify as well. So why did I make this plugin?
You may find the reason in the benchmark results, and I hope you like it. :)
This plugin passes all of csp's test cases, but there are some differences from csp:
- Kebab-case directive names are not supported. All directive names must be in camel case.
- An LRU cache is used for static policy generation; this does not affect the dynamic case (e.g. directive values given as functions).
Via npm:
npm i fastify-csp
Via yarn:
yarn add fastify-csp
const fastify = require('fastify');
const fastifyCsp = require('fastify-csp');

const app = fastify();

app.register(fastifyCsp, {
  directives: {
    defaultSrc: ["'self'"]
  }
  // etc.
});

app.listen(3000, err => {
  if (err) throw err;
});
This plugin has the same options as the csp middleware in helmet. To learn more, you may check out the spec or the reference guide.
directives: This option is required. All directive names must be in camel case.
Specify directives with at least one directive field. Supported directives:
- baseUri (as base-uri)
- blockAllMixedContent (as block-all-mixed-content)
- childSrc (as child-src)
- connectSrc (as connect-src)
- defaultSrc (as default-src)
- fontSrc (as font-src)
- formAction (as form-action)
- frameAncestors (as frame-ancestors)
- frameSrc (as frame-src)
- imgSrc (as img-src)
- manifestSrc (as manifest-src)
- mediaSrc (as media-src)
- objectSrc (as object-src)
- pluginTypes (as plugin-types)
- prefetchSrc (as prefetch-src)
- reportTo (as report-to)
- reportUri (as report-uri)
- requireSriFor (as require-sri-for)
- sandbox (as sandbox)
- scriptSrc (as script-src)
- styleSrc (as style-src)
- upgradeInsecureRequests (as upgrade-insecure-requests)
- workerSrc (as worker-src)
loose: Default is false. This module detects common mistakes in your directives and throws an error if it finds any. To disable this check, set the loose option to true.
reportOnly: Default is false. Set to true if you only want browsers to report violations, not block them (the policy is then sent in the Content-Security-Policy-Report-Only header). You may also set this to a function(request, reply) that decides dynamically whether to use report-only mode, e.g. to allow for a dynamic kill switch.
setAllHeaders: Default is false. Set to true if you want to blindly set all of the headers: Content-Security-Policy, X-WebKit-CSP and X-Content-Security-Policy.
disableAndroid: Default is false. Set to true if you want to disable CSP on Android, where it can be buggy.
browserSniff: Default is true. Set to false if you want to completely disable any user-agent sniffing. This may make the headers less compatible, but it will be much faster.
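As an added example (not fastify-csp's own code), the following shows how camelCase directive names map onto the header value, how a kebab-case or unknown directive is rejected when loose is false, and how a reportOnly function selects the header name. The function names and the strict-mode error messages are assumptions for illustration.

```javascript
// Directive names accepted in camelCase, as listed in the options above.
const SUPPORTED = new Set([
  'baseUri', 'blockAllMixedContent', 'childSrc', 'connectSrc', 'defaultSrc',
  'fontSrc', 'formAction', 'frameAncestors', 'frameSrc', 'imgSrc', 'manifestSrc',
  'mediaSrc', 'objectSrc', 'pluginTypes', 'prefetchSrc', 'reportTo', 'reportUri',
  'requireSriFor', 'sandbox', 'scriptSrc', 'styleSrc', 'upgradeInsecureRequests',
  'workerSrc',
]);

// camelCase -> kebab-case, e.g. upgradeInsecureRequests -> upgrade-insecure-requests
function toKebab(name) {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Build the policy string from a camelCase directives object (hypothetical helper).
// With loose=false it throws on an empty object and on unknown or kebab-case names.
function buildPolicy(directives, loose = false) {
  const names = Object.keys(directives);
  if (!loose && names.length === 0) {
    throw new Error('directives must contain at least one directive');
  }
  const parts = [];
  for (const name of names) {
    if (!loose && !SUPPORTED.has(name)) {
      throw new Error(`unsupported directive "${name}" (use camelCase, e.g. defaultSrc)`);
    }
    const value = directives[name];
    if (value === false) continue;                // explicitly disabled directive
    if (value === true) { parts.push(toKebab(name)); continue; } // boolean directive
    const sources = Array.isArray(value) ? value : [value];
    parts.push(`${toKebab(name)} ${sources.join(' ')}`);
  }
  return parts.join('; ');
}

// Pick the header name: reportOnly may be a boolean or a function(request, reply).
function headerFor(options, request, reply) {
  const reportOnly = typeof options.reportOnly === 'function'
    ? Boolean(options.reportOnly(request, reply))
    : Boolean(options.reportOnly);
  return {
    name: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
    value: buildPolicy(options.directives, options.loose),
  };
}
```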
- 0.1.0:
  - Improve performance
  - Add benchmarks
  - Add test cases
  - Add code coverage
- 0.0.1:
  - Initial version