
@ordojs/security


Security package for OrdoJS with XSS, CSRF, and injection protection

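/**
 * Content Security Policy (CSP) manager for XSS protection.
 *
 * Type declarations only: the runtime implementation lives in the compiled
 * module, so the notes below describe the declared contract and flag points
 * that must be confirmed against the implementation.
 */

/**
 * CSP directive names.
 *
 * Covers fetch directives (`*-src`), document directives (`base-uri`,
 * `sandbox`), navigation directives (`form-action`, `frame-ancestors`) and
 * reporting directives (`report-uri`, `report-to`). `plugin-types` and
 * `block-all-mixed-content` are deprecated in CSP Level 3 but are kept so
 * existing callers keep compiling. Widening this union is type-only; the
 * `CspPolicy` index signature already accepts any directive at runtime.
 */
export type CspDirective =
  | 'default-src'
  | 'script-src'
  | 'script-src-elem'
  | 'script-src-attr'
  | 'style-src'
  | 'style-src-elem'
  | 'style-src-attr'
  | 'img-src'
  | 'font-src'
  | 'connect-src'
  | 'media-src'
  | 'object-src'
  | 'frame-src'
  | 'child-src'
  | 'worker-src'
  | 'manifest-src'
  | 'base-uri'
  | 'form-action'
  | 'frame-ancestors'
  | 'plugin-types'
  | 'sandbox'
  | 'upgrade-insecure-requests'
  | 'block-all-mixed-content'
  | 'report-uri'
  | 'report-to'
  | 'require-trusted-types-for'
  | 'trusted-types';

/**
 * A single source expression inside a directive.
 *
 * Keyword sources keep their single quotes (`"'self'"`, not `"self"`): an
 * unquoted `self` is parsed by browsers as a host name and silently does
 * nothing. The open-ended member is `string & {}` rather than plain `string`
 * so the keyword literals are not absorbed into `string` and stay visible to
 * editor autocomplete; hosts, schemes, `'nonce-…'` and `'sha256-…'` values
 * remain assignable exactly as before.
 *
 * Security note: `'unsafe-inline'` and `'unsafe-eval'` in `script-src`
 * disable the XSS protection CSP exists to provide. Prefer nonces or hashes,
 * combined with `'strict-dynamic'`.
 */
export type CspSource =
  | "'self'"
  | "'unsafe-inline'"
  | "'unsafe-eval'"
  | "'unsafe-hashes'"
  | "'wasm-unsafe-eval'"
  | "'strict-dynamic'"
  | "'report-sample'"
  | "'none'"
  | (string & {});

/**
 * CSP policy: directive name → list of source expressions.
 *
 * The index signature is deliberately `string` rather than `CspDirective` so
 * a policy can carry directives this package does not enumerate; the typed
 * `CspDirective` parameters on `CspManager` are the checked path.
 */
export interface CspPolicy {
  [directive: string]: CspSource[];
}

/**
 * Options controlling how the policy header is emitted.
 */
export interface CspManagerOptions {
  /**
   * Whether to report CSP violations.
   * @default false
   */
  reportViolations?: boolean;
  /**
   * URL to send CSP violation reports to.
   *
   * Violation reports carry the document URI and the blocked URI, so this
   * endpoint receives potentially sensitive paths — treat it as such. The
   * `report-uri` directive is deprecated in favour of `report-to` (Reporting
   * API); whether this option emits one or both is not visible here — check
   * the output of `generateHeader()`.
   */
  reportUri?: string;
  /**
   * Whether to use CSP in report-only mode.
   *
   * A report-only policy is never enforced: violations are reported, not
   * blocked, and the `sandbox` directive is ignored entirely. Use it to stage
   * a policy, not as a protection.
   * @default false
   */
  reportOnly?: boolean;
}

/**
 * Content Security Policy manager for XSS protection.
 *
 * Builds a policy incrementally (sources, nonces, hashes) and renders it as a
 * response header. The instance holds mutable state (`policy`, `nonces`), so
 * the per-response nonce methods should be called on an instance scoped to a
 * single response; see the note on {@link CspManager.addScriptNonce}.
 */
export declare class CspManager {
  private policy;
  private options;
  private nonces;
  /**
   * Create a new CSP manager.
   * @param policy Initial CSP policy. Behaviour for omitted directives is
   *   decided by the implementation and is not visible in this declaration.
   * @param options CSP manager options.
   */
  constructor(policy?: Partial<CspPolicy>, options?: CspManagerOptions);
  /**
   * Generate a cryptographically secure nonce for inline scripts/styles.
   *
   * A nonce protects only while it is unpredictable and used for exactly one
   * response: generate a fresh value per response and never reuse or log it.
   * @returns Base64 encoded nonce.
   */
  generateNonce(): string;
  /**
   * Add a nonce to the script-src directive.
   *
   * NOTE(review): this mutates the manager's policy. If one instance (for
   * example `defaultCspManager`) serves many responses, nonces added for
   * earlier responses presumably remain in later headers unless the
   * implementation clears them — confirm against `generateHeader()`. If they
   * do remain, any leaked past nonce stays valid indefinitely.
   * @param nonce The nonce to add. Whether the `'nonce-…'` wrapper is applied
   *   here or expected from the caller is not visible in this declaration —
   *   confirm in the implementation.
   */
  addScriptNonce(nonce: string): void;
  /**
   * Add a nonce to the style-src directive. Same lifetime caveat as
   * {@link CspManager.addScriptNonce}.
   * @param nonce The nonce to add.
   */
  addStyleNonce(nonce: string): void;
  /**
   * Add a hash to a directive for inline content.
   *
   * The digest must be computed over the exact inline content, byte for byte
   * (whitespace included); any later edit to the inline block invalidates it.
   * @param directive The CSP directive.
   * @param hash The SHA hash in `<algorithm>-<base64>` form, where algorithm
   *   is sha256, sha384 or sha512 (e.g., 'sha256-abc123...').
   */
  addHash(directive: CspDirective, hash: string): void;
  /**
   * Add a source to a CSP directive.
   *
   * Adding `'unsafe-inline'` or `'unsafe-eval'` to `script-src`, or a broad
   * host such as `https:` or `*`, widens the policy enough to neutralise its
   * XSS protection. Review any call site that passes user- or config-derived
   * values here.
   * @param directive The CSP directive.
   * @param source The source to add.
   */
  addSourceToDirective(directive: CspDirective, source: CspSource): void;
  /**
   * Remove a source from a CSP directive.
   * @param directive The CSP directive.
   * @param source The source to remove.
   */
  removeSourceFromDirective(directive: CspDirective, source: CspSource): void;
  /**
   * Generate the CSP header value.
   * @returns CSP header value string.
   */
  generateHeader(): string;
  /**
   * Get the appropriate CSP header name.
   *
   * Expected to select between `Content-Security-Policy` and
   * `Content-Security-Policy-Report-Only` according to `reportOnly`; the
   * selection logic itself is not visible in this declaration.
   * @returns CSP header name.
   */
  getHeaderName(): string;
  /**
   * Create a strict CSP policy for maximum security.
   * @returns New CspManager with strict policy.
   */
  static createStrict(): CspManager;
  /**
   * Create a development-friendly CSP policy.
   *
   * "Development-friendly" implies relaxed directives; do not ship this
   * policy to production. Gate the choice between `createStrict()` and
   * `createDevelopment()` on an explicit environment flag rather than on a
   * default that could silently fall through.
   * @returns New CspManager with development policy.
   */
  static createDevelopment(): CspManager;
}

/**
 * Default CSP manager instance.
 *
 * Module-level singleton shared by every importer. Because `CspManager` holds
 * mutable policy and nonce state, calling the nonce methods on this shared
 * instance per request likely leaks one response's nonces into others —
 * confirm in the implementation, and prefer a per-response instance for
 * nonce-based policies.
 */
export declare const defaultCspManager: CspManager;
//# sourceMappingURL=csp-manager.d.ts.map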