A CSP (Content-Security-Policy) plugin for hapi.
This plugin depends on `@hapi/scooter` to function, so register Scooter alongside Blankie (as in the example below).
To use it:
'use strict';

const Hapi = require('@hapi/hapi');
const Blankie = require('blankie');
const Scooter = require('@hapi/scooter');

const internals = {};

const server = Hapi.server();

// Blankie depends on Scooter, so both are registered on the same server
// in a single register() call before the server is started.
internals.init = async function () {

    const plugins = [
        Scooter,
        {
            plugin: Blankie,
            options: {} // specify options here
        }
    ];

    await server.register(plugins);
    await server.start();
};

// Surface any startup failure instead of swallowing the rejection.
internals.init().catch((err) => {

    throw err;
});
Options may also be set on a per-route basis:
'use strict';

const Hapi = require('@hapi/hapi');
const Blankie = require('blankie');
const Scooter = require('@hapi/scooter');

const server = Hapi.server();

// Route handler; the route's own Blankie settings apply to this response.
const handler = (request, h) => {

    return 'these settings are changed';
};

// Route-level Blankie options live under config.plugins.blankie and are
// not merged with the server-wide options.
const routeConfig = {
    handler,
    plugins: {
        blankie: {
            scriptSrc: 'self'
        }
    }
};

server.route({
    method: 'GET',
    path: '/something',
    config: routeConfig
});
Note that route-level settings will NOT be merged with your server-wide settings.
You may also set `config.plugins.blankie` to `false` on a route to disable CSP headers completely for that route.
- `baseUri`: Values for the `base-uri` directive. Defaults to `'self'`.
- `childSrc`: Values for the `child-src` directive.
- `connectSrc`: Values for the `connect-src` directive. Defaults to `'self'`.
- `defaultSrc`: Values for the `default-src` directive. Defaults to `'none'`.
- `fontSrc`: Values for the `font-src` directive.
- `formAction`: Values for the `form-action` directive.
- `frameAncestors`: Values for the `frame-ancestors` directive.
- `frameSrc`: Values for the `frame-src` directive.
- `imgSrc`: Values for the `img-src` directive. Defaults to `'self'`.
- `manifestSrc`: Values for the `manifest-src` directive.
- `mediaSrc`: Values for the `media-src` directive.
- `objectSrc`: Values for the `object-src` directive.
- `oldSafari`: Force enabling buggy CSP for Safari 5.
- `pluginTypes`: Values for the `plugin-types` directive.
- `reflectedXss`: Value for the `reflected-xss` directive. Must be one of `'allow'`, `'block'` or `'filter'`.
- `reportOnly`: Append `-Report-Only` to the name of the CSP header to enable report-only mode.
- `reportUri`: Value for the `report-uri` directive. This should be the path to a route that accepts CSP violation reports.
- `requireSriFor`: Value for the `require-sri-for` directive.
- `sandbox`: Values for the `sandbox` directive. May be a boolean or one of `'allow-forms'`, `'allow-same-origin'`, `'allow-scripts'` or `'allow-top-navigation'`.
- `scriptSrc`: Values for the `script-src` directive. Defaults to `'self'`.
- `styleSrc`: Values for the `style-src` directive. Defaults to `'self'`.
- `workerSrc`: Values for the `worker-src` directive. Defaults to `'self'`.
- `generateNonces`: Whether or not to automatically generate nonces. Defaults to `true`. May be a boolean or one of `'script'` or `'style'`. When enabled, your templates rendered through vision will have `script-nonce` and/or `style-nonce` automatically added to their context; additionally, `request.plugins.blankie.nonces` will contain one or both of the `'script'` and `'style'` properties containing these values for use outside of vision.