rspec/rules/S5728/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

In a Express.js application, the code is sensitive if the https://www.npmjs.com/package/helmet-csp[helmet-csp middleware] is not used or used without the default directive:
----
const express = require('express');
const helmetCsp = require('helmet-csp');

let app = express();
let csp = helmetCsp({ // Sensitive: defaultSrc directive is not used
  directives: {
    scriptSrc: ["'self'", "'unsafe-inline'"]
  }
});
app.use(csp);
----

== Compliant Solution

In a Express.js application, a standard way to implement CSP is the https://www.npmjs.com/package/helmet-csp[helmet-csp middleware]:
----
const express = require('express');
const helmetCsp = require('helmet-csp');

let app = express();
let csp = helmetCsp({ // Compliant
  directives: {
    scriptSrc: ["'self'", "'unsafe-inline'"],
    defaultSrc: ["'self'", 'example.com'],
  }
});

app.use(csp);
----

include::../see.adoc[]