57 lines
1.4 KiB
Plaintext
57 lines
1.4 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
In Express.js application the code is sensitive if the https://www.npmjs.com/package/helmet-csp[helmet-csp] or https://www.npmjs.com/package/helmet[helmet] middleware is used without the ``++blockAllMixedContent++`` directive:
|
|
|
|
----
|
|
const express = require('express');
|
|
const helmet = require('helmet');
|
|
|
|
let app = express();
|
|
|
|
app.use(
|
|
helmet.contentSecurityPolicy({
|
|
directives: {
|
|
"default-src": ["'self'", 'example.com', 'code.jquery.com']
|
|
} // Sensitive: blockAllMixedContent directive is missing
|
|
})
|
|
);
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
In Express.js application a standard way to block mixed-content is to put in place the https://www.npmjs.com/package/helmet-csp[helmet-csp] or https://www.npmjs.com/package/helmet[helmet] middleware with the ``++blockAllMixedContent++`` directive:
|
|
|
|
[source,javascript]
|
|
----
|
|
const express = require('express');
|
|
const helmet = require('helmet');
|
|
|
|
let app = express();
|
|
|
|
app.use(
|
|
helmet.contentSecurityPolicy({
|
|
directives: {
|
|
"default-src": ["'self'", 'example.com', 'code.jquery.com'],
|
|
blockAllMixedContent: [] // Compliant
|
|
}
|
|
})
|
|
);
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|