Skip to content

nlf/blankie

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

82 Commits
lib
lib
 
 
test
test
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation

blankie

A CSP plugin for hapi.

Usage

This plugin depends on scooter to function.

To use it:

'use strict';

const Hapi = require('@hapi/hapi');
const Blankie = require('blankie');
const Scooter = require('@hapi/scooter');

const internals = {};

const server = Hapi.server();

internals.init = async () => {

    await server.register([Scooter, {
        plugin: Blankie,
        options: {} // specify options here
    }]);

    await server.start();
};

internals.init().catch((err) => {

    throw err;
});

Options may also be set on a per-route basis:

'use strict';

const Hapi = require('@hapi/hapi');
const Blankie = require('blankie');
const Scooter = require('@hapi/scooter');

const server = Hapi.server();

server.route({
    method: 'GET',
    path: '/something',
    config: {
        handler: (request, h) => {

            return 'these settings are changed';
        },
        plugins: {
            blankie: {
                scriptSrc: 'self'
            }
        }
    }
});

Note that this setting will NOT be merged with your server-wide settings.

You may also set config.plugins.blankie equal to false on a route to disable CSP headers completely for that route.

Options

  • baseUri: Values for base-uri directive. Defaults 'self'.
  • childSrc: Values for child-src directive.
  • connectSrc: Values for the connect-src directive. Defaults 'self'.
  • defaultSrc: Values for the default-src directive. Defaults to 'none'.
  • fontSrc: Values for the font-src directive.
  • formAction: Values for the form-action directive.
  • frameAncestors: Values for the frame-ancestors directive.
  • frameSrc: Values for the frame-src directive.
  • imgSrc: Values for the image-src directive. Defaults to 'self'.
  • manifestSrc: Values for the manifest-src directive.
  • mediaSrc: Values for the media-src directive.
  • objectSrc: Values for the object-src directive.
  • oldSafari: Force enabling buggy CSP for Safari 5.
  • pluginTypes: Values for the plugin-types directive.
  • reflectedXss: Value for the reflected-xss directive. Must be one of 'allow', 'block' or 'filter'.
  • reportOnly: Append '-Report-Only' to the name of the CSP header to enable report only mode.
  • reportUri: Value for the report-uri directive. This should be the path to a route that accepts CSP violation reports.
  • requireSriFor: Value for require-sri-for directive.
  • sandbox: Values for the sandbox directive. May be a boolean or one of 'allow-forms', 'allow-same-origin', 'allow-scripts' or 'allow-top-navigation'.
  • scriptSrc: Values for the script-src directive. Defaults to 'self'.
  • styleSrc: Values for the style-src directive. Defaults to 'self'.
  • workerSrc: Values for the worker-src directive. Defaults to 'self'.
  • generateNonces: Whether or not to automatically generate nonces. Defaults to true. May be a boolean or one of 'script' or 'style'. When enabled your templates rendered through vision will have script-nonce and/or style-nonce automatically added to their context, additionally request.plugins.blankie.nonces will contain one or both of the 'script' and 'style' properties containing these values for use outside of vision.

About

a hapi CSP plugin

Resources

Readme
Activity

Stars

52 stars

Watchers

1 watching

Forks

16 forks
Report repository

Releases

10 tags

Packages

No packages published

Contributors 8

Languages
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy