
Commit 2b6a01f

Merge pull request #18 from rifler/custom-processing
add processCspString param
2 parents 124ed66 + 5fec77a commit 2b6a01f


3 files changed

+35
-0
lines changed


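--- a/packages/express-csp-header/README.md
+++ b/packages/express-csp-header/README.md
@@ -79,6 +79,23 @@ app.use(expressCspHeader({
 // etc
 ```
 
+### Custom processing
+
+```js
+const { expressCspHeader } = require('express-csp-header');
+
+app.use(expressCspHeader({
+directives: {
+'default-src': ["#someString#"],
+'script-src': ["#someOtherString#"],
+},
+processCspString: (cspString, req, res) => {
+// here you can process final cspString
+return cspString.replaceAll('#someString#', 'https://example.com').replaceAll('#someOtherString#', 'https://example2.com');
+}
+}));
+```
+
 ## CSP violation report
 For more information read [csp-header documentation](https://github.com/frux/csp/tree/master/packages/csp-header#csp-violation-report). `express-csp-header` helps you manage both `Content-Security-Policy` and `Reporting-Endpoints` headers. [Report-to headers is no longer recommended to use](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Report-To)
 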

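--- a/packages/express-csp-header/src/index.ts
+++ b/packages/express-csp-header/src/index.ts
@@ -33,6 +33,7 @@ export interface ExpressCSPParams extends Omit<CSPHeaderParams, 'reportUri'> {
 reportTo?: ReportTo[] | ReportToFunction,
 reportUri?: string | ReportUriFunction,
 reportingEndpoints?: ReportingEndpoint[] | ((req: Request, res: Response) => ReportingEndpoint[]),
+processCspString?: (cspString: string, req: Request, res: Response) => string;
 }
 
 export function expressCspHeader(params?: ExpressCSPParams): RequestHandler {
@@ -46,6 +47,7 @@ export function expressCspHeader(params?: ExpressCSPParams): RequestHandler {
 let cspString = getCspString(req, res, params);
 cspString = applyNonce(req ,res, cspString);
 cspString = applyAutoTld(req, cspString, domainOptions);
+cspString = params.processCspString ? params.processCspString(cspString, req, res) : cspString;
 
 res.set(params.reportOnly ? CSP_REPORT_ONLY_HEADER : CSP_HEADER, cspString);
 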
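Review bot: The new hook in the second hunk runs after applyNonce and applyAutoTld and its return value is passed to res.set verbatim, so a callback can strip the nonce or empty the whole policy with nothing downstream noticing; the field added at line 36 does not say so. I would document that contract on the interface field: `/** Last-step hook over the final CSP string, called after nonce and auto-TLD processing; the returned string is set as the header verbatim, so the callback is responsible for keeping the policy intact. */`. Two smaller points of style: the new field ends with `;` while its siblings end with `,`, and the self-assigning ternary reads more plainly as `if (params.processCspString) { cspString = params.processCspString(cspString, req, res); }`. What res.set does with a non-string return is not visible here, so the type signature is the only guard. expressCspHeader's body continues outside the hunk.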

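--- a/packages/express-csp-header/tests/index.test.ts
+++ b/packages/express-csp-header/tests/index.test.ts
@@ -308,3 +308,19 @@ describe('Reporting-Endpoints', () => {
 );
 });
 });
+
+describe('processCspString', () => {
+test('should process CSP string', () => {
+const { res } = execMiddleware({
+directives: {
+'default-src': ["#someString#"],
+'script-src': ["#someOtherString#"],
+},
+processCspString: (cspString, req, res) => {
+return cspString.replaceAll('#someString#', 'https://example.com').replaceAll('#someOtherString#', 'https://example2.com');
+}
+});
+
+expect(res.headers['Content-Security-Policy']).toStrictEqual("default-src https://example.com; script-src https://example2.com;");
+});
+});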
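Review bot: The new test pins only the substitution result; nothing asserts where in the pipeline the hook runs, which is the part a caller relying on it (for example to see the nonce-applied string) would want fixed by a test. A second case that records the `cspString` argument from inside the callback and checks it already contains whatever the earlier steps add would pin that ordering, as far as the fixtures visible here allow it. Minor: the `req` and `res` parameters of the callback are unused and could be dropped or named `_req`/`_res`.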
