Name: blankie
Owner: npm
Description: a hapi CSP plugin
Forked from: nlf/blankie
Created: 2016-02-18 18:55:09.0
Updated: 2018-01-22 18:46:51.0
Pushed: 2016-02-22 16:44:24.0
Homepage: null
Size: 26
Language: JavaScript
GitHub Committers
| User | Most Recent Commit | # Commits |
|---|
Other Committers
| User | Most Recent Commit | # Commits |
|---|
A CSP plugin for hapi.
This plugin depends on scooter to function.
To use it:
Hapi = require('hapi');
Blankie = require('blankie');
Scooter = require('scooter');
server = new Hapi.Server();
er.register([Scooter, {
register: Blankie,
options: {} // specify options here
function (err) {
if (err) {
throw err;
}
server.start();
Options may also be set on a per-route basis:
Hapi = require('hapi');
Blankie = require('blankie');
Scooter = require('scooter');
server = new Hapi.Server();
er.route({
method: 'GET',
path: '/something',
config: {
handler: function (request, reply) {
reply('these settings are changed');
},
plugins: {
blankie: {
scriptSrc: 'self'
}
}
}
Note that this setting will NOT be merged with your server-wide settings.
You may also set config.plugins.blankie equal to false on a route to disable CSP headers completely for that route.
childSrc: Values for child-src directive.connectSrc: Values for the connect-src directive. Defaults 'self'.defaultSrc: Values for the default-src directive. Defaults to 'none'.fontSrc: Values for the font-src directive.formAction: Values for the form-action directive.frameAncestors: Values for the frame-ancestors directive.frameSrc: Values for the frame-src directive.imgSrc: Values for the image-src directive. Defaults to 'self'.manifestSrc: Values for the manifest-src directive.mediaSrc: Values for the media-src directive.objectSrc: Values for the object-src directive.oldSafari: Force enabling buggy CSP for Safari 5.pluginTypes: Values for the plugin-types directive.reflectedXss: Value for the reflected-xss directive. Must be one of 'allow', 'block' or 'filter'.reportOnly: Append '-Report-Only' to the name of the CSP header to enable report only mode.reportUri: Value for the report-uri directive. This should be the path to a route that accepts CSP violation reports.sandbox: Values for the sandbox directive. May be a boolean or one of 'allow-forms', 'allow-same-origin', 'allow-scripts' or 'allow-top-navigation'.scriptSrc: Values for the script-src directive. Defaults to 'self'.styleSrc: Values for the style-src directive. Defaults to 'self'.