Name: blankie
Owner: npm
Description: a hapi CSP plugin
Forked from: nlf/blankie
Created: 2016-02-18 18:55:09.0
Updated: 2018-01-22 18:46:51.0
Pushed: 2016-02-22 16:44:24.0
Homepage: null
Size: 26
Language: JavaScript
GitHub Committers
User | Most Recent Commit | # Commits |
---|
Other Committers
User | Most Recent Commit | # Commits |
---|
A CSP plugin for hapi.
This plugin depends on scooter to function.
To use it:
Hapi = require('hapi');
Blankie = require('blankie');
Scooter = require('scooter');
server = new Hapi.Server();
er.register([Scooter, {
register: Blankie,
options: {} // specify options here
function (err) {
if (err) {
throw err;
}
server.start();
Options may also be set on a per-route basis:
Hapi = require('hapi');
Blankie = require('blankie');
Scooter = require('scooter');
server = new Hapi.Server();
er.route({
method: 'GET',
path: '/something',
config: {
handler: function (request, reply) {
reply('these settings are changed');
},
plugins: {
blankie: {
scriptSrc: 'self'
}
}
}
Note that this setting will NOT be merged with your server-wide settings.
You may also set config.plugins.blankie
equal to false
on a route to disable CSP headers completely for that route.
childSrc
: Values for child-src
directive.connectSrc
: Values for the connect-src
directive. Defaults 'self'
.defaultSrc
: Values for the default-src
directive. Defaults to 'none'
.fontSrc
: Values for the font-src
directive.formAction
: Values for the form-action
directive.frameAncestors
: Values for the frame-ancestors
directive.frameSrc
: Values for the frame-src
directive.imgSrc
: Values for the image-src
directive. Defaults to 'self'
.manifestSrc
: Values for the manifest-src
directive.mediaSrc
: Values for the media-src
directive.objectSrc
: Values for the object-src
directive.oldSafari
: Force enabling buggy CSP for Safari 5.pluginTypes
: Values for the plugin-types
directive.reflectedXss
: Value for the reflected-xss
directive. Must be one of 'allow'
, 'block'
or 'filter'
.reportOnly
: Append '-Report-Only' to the name of the CSP header to enable report only mode.reportUri
: Value for the report-uri
directive. This should be the path to a route that accepts CSP violation reports.sandbox
: Values for the sandbox
directive. May be a boolean or one of 'allow-forms'
, 'allow-same-origin'
, 'allow-scripts'
or 'allow-top-navigation'
.scriptSrc
: Values for the script-src
directive. Defaults to 'self'
.styleSrc
: Values for the style-src
directive. Defaults to 'self'
.