UNPKG

lusca

Version:

Application security for express.

github.com/krakenjs/lusca

krakenjs/lusca

89 lines (74 loc) 2.67 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
'use strict'; /** * Content Security Policy (CSP) * https://www.owasp.org/index.php/Content_Security_Policy * @param {Object} options The CSP policy. */ module.exports = function (options) { var policyRules = options && options.policy, isReportOnly = options && options.reportOnly, reportUri = options && options.reportUri, styleNonce = options && options.styleNonce, scriptNonce = options && options.scriptNonce, value, name; name = 'content-security-policy'; if (isReportOnly) { name += '-report-only'; } if (policyRules && policyRules["default-src"]) { if (styleNonce && !policyRules["style-src"]) { policyRules["style-src"] = policyRules["default-src"]; } if (scriptNonce && !policyRules["script-src"]) { policyRules["script-src"] = policyRules["default-src"]; } } value = createPolicyString(policyRules); if (reportUri) { if (value !== '') { value += '; '; } value += 'report-uri ' + reportUri; } return function csp(req, res, next) { if (styleNonce) { var styleMatch = value.match(/style-src 'nonce-.{48}'/); if (styleMatch) { value = value.replace(styleMatch[0], 'style-src \'nonce-' + res.locals.nonce + '\''); } else { value = value.replace('style-src', 'style-src \'nonce-' + res.locals.nonce + '\''); } } if (scriptNonce) { var scriptMatch = value.match(/script-src 'nonce-.{48}'/); if (scriptMatch) { value = value.replace(scriptMatch[0], 'script-src \'nonce-' + res.locals.nonce + '\''); } else { value = value.replace('script-src', 'script-src \'nonce-' + res.locals.nonce + '\''); } } res.header(name, value); next(); }; }; var createPolicyString = module.exports.createPolicyString = function (policy) { var entries; if (typeof policy === 'string') { return policy; } if (Array.isArray(policy)) { return policy.map(createPolicyString).join('; '); } if (typeof policy === 'object' && policy !== null) { entries = Object.keys(policy).map(function (directive) { if (policy[directive] === 0 || policy[directive]) { directive += ' ' + policy[directive]; } return directive; }); return createPolicyString(entries); } throw Error('invalid csp policy - must be array, string, or plain object'); };