blankie
A CSP plugin for hapi.
Usage
This plugin depends on `scooter` and will not function without it; register both together as shown below.
To use it:
// Register scooter (required by blankie) together with blankie on a new server.
const Hapi = require('hapi');
const Blankie = require('blankie');
const Scooter = require('scooter');

const server = new Hapi.Server();

server.register([Scooter, {
  register: Blankie,
  // An empty options object keeps blankie's built-in defaults
  // (default-src 'none'; connect-src, img-src, script-src and style-src 'self').
  options: {},
}], (err) => {
  if (err) {
    throw err;
  }
  server.start();
});
Options may also be set on a per-route basis:
// Per-route CSP override: the options given here are used for this route
// instead of the server-wide blankie options (they are not merged).
const Hapi = require('hapi');
const Blankie = require('blankie');
const Scooter = require('scooter');

const server = new Hapi.Server();

server.route({
  method: 'GET',
  path: '/something',
  config: {
    handler: (request, reply) => {
      reply('these settings are changed');
    },
    plugins: {
      // Setting this key to `false` instead would disable CSP headers
      // for the route entirely.
      blankie: {
        scriptSrc: 'self',
      },
    },
  },
});
Note that per-route settings will NOT be merged with your server-wide settings; the options given on the route are used instead of them.
You may also set `config.plugins.blankie` to `false` on a route to disable CSP headers completely for that route.
Options
- `childSrc`: Values for the `child-src` directive.
- `connectSrc`: Values for the `connect-src` directive. Defaults to `'self'`.
- `defaultSrc`: Values for the `default-src` directive. Defaults to `'none'`.
- `fontSrc`: Values for the `font-src` directive.
- `formAction`: Values for the `form-action` directive.
- `frameAncestors`: Values for the `frame-ancestors` directive.
- `frameSrc`: Values for the `frame-src` directive.
- `imgSrc`: Values for the `img-src` directive. Defaults to `'self'`.
- `manifestSrc`: Values for the `manifest-src` directive.
- `mediaSrc`: Values for the `media-src` directive.
- `objectSrc`: Values for the `object-src` directive.
- `oldSafari`: Force enabling the buggy CSP implementation of Safari 5.
- `pluginTypes`: Values for the `plugin-types` directive.
- `reflectedXss`: Value for the `reflected-xss` directive. Must be one of `'allow'`, `'block'` or `'filter'`.
- `reportOnly`: Append `-Report-Only` to the name of the CSP header to enable report-only mode, in which the browser reports violations instead of blocking them.
- `reportUri`: Value for the `report-uri` directive. This should be the path to a route that accepts CSP violation reports.
- `sandbox`: Values for the `sandbox` directive. May be a boolean or one of `'allow-forms'`, `'allow-same-origin'`, `'allow-scripts'` or `'allow-top-navigation'`.
- `scriptSrc`: Values for the `script-src` directive. Defaults to `'self'`.
- `styleSrc`: Values for the `style-src` directive. Defaults to `'self'`.