42 lines
1011 B
Plaintext
42 lines
1011 B
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
In a Express.js application, the code is sensitive if the https://www.npmjs.com/package/helmet-csp[helmet-csp middleware] is not used or used without the default directive:
|
||
|
|
----
|
||
|
|
const express = require('express');
|
||
|
|
const helmetCsp = require('helmet-csp');
|
||
|
|
|
||
|
|
let app = express();
|
||
|
|
let csp = helmetCsp({ // Sensitive: defaultSrc directive is not used
|
||
|
|
directives: {
|
||
|
|
scriptSrc: ["'self'", "'unsafe-inline'"]
|
||
|
|
}
|
||
|
|
});
|
||
|
|
app.use(csp);
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
In a Express.js application, a standard way to implement CSP is the https://www.npmjs.com/package/helmet-csp[helmet-csp middleware]:
|
||
|
|
----
|
||
|
|
const express = require('express');
|
||
|
|
const helmetCsp = require('helmet-csp');
|
||
|
|
|
||
|
|
let app = express();
|
||
|
|
let csp = helmetCsp({ // Compliant
|
||
|
|
directives: {
|
||
|
|
scriptSrc: ["'self'", "'unsafe-inline'"],
|
||
|
|
defaultSrc: ["'self'", 'example.com'],
|
||
|
|
}
|
||
|
|
});
|
||
|
|
|
||
|
|
app.use(csp);
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|