express-standard
Easy method to define standard Express headers and assist with Content-Security-Policy (CSP), including social media widgets
Install 🔨
```sh
npm install express-standard
```
Usage 🔧
```js
headers = ;
headers);
headers;
headers; // optional area, set to value
headers; // add 'self' to an area, default area is 'default'
headers; // now "Basic-Content-Security": "default-src 'self' https:"
headers; // add http: to all *-src
headers; // allow PureCSS stylesheet
headers; // report script-src events
headers; // set report callback
headers; // if notEval is set to true then unsafe_eval is not included, default area is script
headers; // default protocols: http://, https:// & ws://
headers; // https only and all subdomains included
headers; // allow PureCSS stylesheet over all protocols
headers; // multiple domains can be supplied as an array
headers; // multiple areas comma delimited
headers; // default is ['facebook', 'twitter', 'google+']
headers; // allow youtube
headers; // allow firebase
app;
```
`add_csp` areas are as defined in http://www.w3.org/TR/CSP/. The `-src` suffix can be omitted, e.g. instead of `headers.add_csp('frame-src', 'http:')` you can specify `headers.add_csp('frame', 'http:')`.
`add_csp_allow_unsafe()` is best avoided, as Content Security Policy recommends; it is included only to assist with transitioning to CSP.
For sample report-uri data and social media attribution see: content-security-policy
`add_social_widgets()` can accept a comma-delimited string, e.g. `facebook,twitter`.
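As an added illustration, not express-standard's own code, the following small builder follows the `add_csp` conventions described above: the area defaults to `default`, a missing `-src` suffix is appended, comma-delimited areas and arrays of domains are accepted, keyword sources are quoted, and the result is set as the `Content-Security-Policy` header by an Express-style middleware. All function and variable names here are assumptions.

```javascript
// Added example, not express-standard's own code: a small CSP builder that
// follows the add_csp() conventions above. Function names are assumptions.
const policy = new Map(); // directive name -> Set of sources

// Area names: default is 'default'; a missing '-src' suffix is appended
// ('frame' -> 'frame-src'); comma-delimited strings name several areas.
function areas(area) {
  return String(area || 'default')
    .split(',')
    .map(a => a.trim())
    .filter(Boolean)
    .map(a => (a.endsWith('-src') || a === 'report-uri' ? a : `${a}-src`));
}

// Keyword sources must be single-quoted in the header; scheme and host
// sources are emitted as given.
const KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval']);
function source(src) {
  const bare = src.replace(/^'|'$/g, '');
  return KEYWORDS.has(bare) ? `'${bare}'` : src;
}

// addCsp('frame', 'http:') or addCsp('img,media', ['https://a.example', ...]).
function addCsp(area, sources) {
  const list = Array.isArray(sources) ? sources : [sources];
  for (const a of areas(area)) {
    if (!policy.has(a)) policy.set(a, new Set());
    for (const s of list) policy.get(a).add(source(s));
  }
}

// Serialise directives in a stable order so the header is reproducible.
function cspHeader() {
  return [...policy.keys()].sort()
    .map(a => `${a} ${[...policy.get(a)].join(' ')}`)
    .join('; ');
}

// Express-style middleware: set the header on every response.
function cspMiddleware(req, res, next) {
  res.setHeader('Content-Security-Policy', cspHeader());
  next();
}

addCsp(undefined, 'self');   // default-src 'self'
addCsp('default', 'https:'); // default-src 'self' https:
addCsp('frame', 'http:');    // frame-src http:
// cspHeader() -> "default-src 'self' https:; frame-src http:"
```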
Powered By 🔧
```js
app;
console // { x-powered-by:"Awesomeness"}
```
Powered By Details from Application Package 🔧
```js
// package.json: {name:'Awesomeness', version: '2.0.0', ...}
app; // option to include version
console // { x-powered-by:"Awesomeness/2.0.0"}
```
SSL Only Basic Content Security Policy 💡
```js
ssl_only = "default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'";
app;
```