var csp = require('express-csp');
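// Express middleware: emit a Content-Security-Policy header on every response.
// Note (CSP semantics): a fetch directive that is present replaces the
// default-src fallback for its resource type, so img-src below does NOT
// inherit 'self' — same-origin images would be blocked unless csp.SELF is
// added to that list.
// Note (security): csp.INLINE in script-src emits 'unsafe-inline', which allows
// any inline <script> to run and therefore lets most reflected/stored XSS
// payloads execute. Prefer csp.NONCE (see below) and drop INLINE unless the
// inline scripts genuinely cannot be removed.
app.use(csp({
'default-src': [ csp.SELF ],
'script-src': [ csp.SELF, csp.INLINE, 'somehost.com' ],
'style-src': [ csp.SELF, 'mystyles.net' ],
'img-src': [ 'data:', 'images.com' ]
}, 'https://cspreport.com/send')); // report-uri is the optional second argument (see below)
// express will send header "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' somehost.com; style-src 'self' mystyles.net; img-src data: images.com; report-uri https://cspreport.com/send;"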
If you want to use a nonce, use the NONCE constant. A random nonce is generated automatically and stored in req.nonce; render that value into the `nonce` attribute of every inline `<script>` you want the browser to execute, since the browser blocks inline scripts whose nonce does not match the header:
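// Nonce-based script policy: the library generates a random nonce (stored in
// req.nonce) and emits it in script-src. The browser only executes <script>
// elements whose nonce attribute matches, so templates must render req.nonce
// into them.
// Note: only script-src is set here; without default-src every other resource
// type stays unrestricted. Add 'default-src' in a real deployment.
app.use(csp({
'script-src': [ csp.NONCE ]
}));
// express will send header with a random nonce key "Content-Security-Policy: script-src 'nonce-pSQ9TwXOMI+HezKshnuRaw==';"
app.use(function(req, res, next){
console.log(req.nonce); // 'pSQ9TwXOMI+HezKshnuRaw==' — the value to put on <script nonce="...">; avoid logging it in production
// Middleware must hand the request on, otherwise every request hangs here.
next();
});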
If you want to specify a report-uri (the endpoint browsers POST violation reports to), pass it as the second argument:
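// The optional second argument becomes the report-uri directive; browsers POST
// CSP violation reports to it.
// Note: reports originate from the client and are attacker-controllable, so
// the receiving endpoint must treat them as untrusted input.
app.use(csp({
'script-src': [ csp.SELF ]
}, 'https://cspreport.com/send'));
// express will send header "Content-Security-Policy: script-src 'self'; report-uri https://cspreport.com/send;"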
If you want to pass some parameters to the report URI, pass a function instead of a string; it receives (req, res) and must return the URI:
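// A function may be passed instead of a string; it is called with (req, res)
// and its return value is emitted as the report-uri.
// Note (security): the returned string lands in a response header. Never build
// it from untrusted request data (query, headers, body); keep it a constant URL
// plus values you generate yourself, as here.
app.use(csp({
'script-src': [ csp.SELF ]
}, function(req, res){
return 'https://cspreport.com/send?time=' + Date.now(); // ms since epoch, same as Number(new Date())
}));
// express will send header "Content-Security-Policy: script-src 'self'; report-uri https://cspreport.com/send?time=1460467355592;"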