// we don't need to report every time a request stops to the bug tracker
if (error.code === 'EPIPE' || error.code === 'ECONNRESET') {
console.warn('Connection error', { error });
} else {
bugsnag.koaHandler(error, ctx);
}
});
}
}
// Route mounts. NOTE(review): these are registered ahead of helmet() below, so
// Koa only reaches helmet for an /auth or /api request when that handler passes
// control on with next(); responses the handlers finish themselves would carry
// none of helmet's headers — confirm, or register helmet() before the mounts.
app.use(mount('/auth', auth));
app.use(mount('/api', api));
// Baseline security headers (helmet's defaults).
app.use(helmet());
app.use(
contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: [
"'self'",
"'unsafe-inline'",
"'unsafe-eval'",
'gist.github.com',
'www.google-analytics.com',
'd2wy8f7a9ursnm.cloudfront.net',
],
styleSrc: ["'self'", "'unsafe-inline'", 'github.githubassets.com'],
imgSrc: ['*', 'data:', 'blob:'],
frameSrc: ['*'],
connectSrc: compact([
"'self'",
process.env.AWS_S3_UPLOAD_BUCKET_URL,
// Last-resort handler for promises that reject with nothing attached to catch
// them: log and keep the process alive. NOTE(review): the whole error object is
// logged, so check the log sink if rejections can carry request data or tokens.
process.on('unhandledRejection', (error, promise) => {
console.error('unhandled promise rejection:', { // eslint-disable-line no-console
error,
promise,
});
});
// Application routes. NOTE(review): mounted ahead of the security-header
// middleware below, so those headers only reach a /healthcare response when its
// handler calls next() — confirm, or move the security headers before the mount.
app.use(koaMount('/healthcare', healthcare));
// XmlHttpRequest shim for IE
app.use(xdomainRoute);
// Security headers
app.use(koaHelmet());
// CSP with a single same-origin default and no per-directive overrides: inline
// scripts/styles and third-party origins are blocked unless added here.
app.use(koaHelmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"] } }));
// X-Frame-Options: DENY — no origin may frame this app (clickjacking defence).
// NOTE(review): newer helmet releases take `{ action: 'deny' }` instead of a
// bare string — confirm against the installed version.
app.use(koaHelmet.frameguard('deny'));
app.use(koaCors({
credentials: true,
exposeHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowMethods: [
// Last-resort handler for promises that reject with nothing attached to catch
// them: log and keep the process alive. NOTE(review): the whole error object is
// logged, so check the log sink if rejections can carry request data or tokens.
process.on('unhandledRejection', (error, promise) => {
console.error('unhandled promise rejection:', { // eslint-disable-line no-console
error,
promise,
});
});
// Application routes. NOTE(review): mounted ahead of the security-header
// middleware below, so those headers only reach a /healthcare response when its
// handler calls next() — confirm, or move the security headers before the mount.
app.use(koaMount('/healthcare', healthcare));
// XmlHttpRequest shim for IE
app.use(xdomainRoute);
// Security headers
app.use(koaHelmet());
// CSP with a single same-origin default and no per-directive overrides: inline
// scripts/styles and third-party origins are blocked unless added here.
app.use(koaHelmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"] } }));
// X-Frame-Options: DENY — no origin may frame this app (clickjacking defence).
// NOTE(review): newer helmet releases take `{ action: 'deny' }` instead of a
// bare string — confirm against the installed version.
app.use(koaHelmet.frameguard('deny'));
app.use(koaCors({
credentials: true,
exposeHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowHeaders: [
'Authorization',
'Content-Disposition',
'Content-Type',
'X-Entities',
],
allowMethods: [
/**
 * Build the Koa application with its middleware chain.
 *
 * Registration order is request order: CORS, compression and logging first,
 * then the /api mount, then the Content-Security-Policy header, and the
 * not-found handler last.
 *
 * NOTE(review): cors() is given no options, so the allowed origin is whatever
 * the cors middleware defaults to — confirm that default is intended.
 * NOTE(review): the CSP middleware sits after the /api mount, so an /api
 * response only carries the header when the api handler calls next() — confirm.
 *
 * @returns {Koa} the configured application (not yet listening)
 */
function createApp() {
const app = new Koa()
// app.use() returns the app, so one chain registers exactly as a series of
// separate calls would.
app
.use(cors())
.use(compress())
.use(logger())
// app.use(mount('/rpc', rpc))
.use(mount("/api", api))
// CSP: same-origin for everything; stylesheets may additionally be inline
// ('unsafe-inline' applies to styles only, scripts stay same-origin).
.use(
contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
},
}),
)
.use(notFoundMiddleware)
return app
}
// Register the API route groups on the app.
useAccountRecoveryApi(app);
useOauthLogin(app);
useGeneralApi(app);
useNotificationsApi(app);
// helmet wants some things as bools and some as lists, makes config difficult.
// our config uses strings, this splits them to lists on whitespace.
// NOTE(review): the CSP header is only emitted in production, so CSP breakage
// (blocked resources, violation reports) will not surface in development or test.
if (env === 'production') {
const helmetConfig = {
directives: convertEntriesToArrays(config.get('helmet.directives')),
// reportOnly switches to the Report-Only header: violations are reported,
// not blocked.
reportOnly: config.get('helmet.reportOnly'),
setAllHeaders: config.get('helmet.setAllHeaders')
};
// Violation reports always go to our own endpoint, overriding any reportUri
// from config; this mutates the object convertEntriesToArrays returned.
helmetConfig.directives.reportUri = '/api/v1/csp_violation';
app.use(helmet.contentSecurityPolicy(helmetConfig));
}
// Site favicon, served from the bundled assets.
app.use(
favicon(path.join(__dirname, '../app/assets/images/favicons/favicon.ico'))
);
// Bot-detection middleware; what it records on the context is defined by isBot.
app.use(isBot());
// Favicon variants served statically, cache behaviour from cacheOpts.
app.use(
mount(
'/favicons',
staticCache(
path.join(__dirname, '../app/assets/images/favicons'),
cacheOpts
)
)
);
app.use(
useGeneralApi(app);
// helmet wants some things as bools and some as lists, makes config difficult.
// our config uses strings, this splits them to lists on whitespace.
// NOTE(review): the CSP header is only emitted in production, so CSP breakage
// (blocked resources, violation reports) will not surface in development or test.
if (env === 'production') {
const helmetConfig = {
directives: convertEntriesToArrays(config.get('helmet.directives')),
// reportOnly switches to the Report-Only header: violations are reported,
// not blocked.
reportOnly: config.get('helmet.reportOnly'),
setAllHeaders: config.get('helmet.setAllHeaders'),
};
// reportUri was split into a list like every other directive; helmet wants a
// single value, so take the first entry. NOTE(review): this assumes
// helmet.directives.reportUri is present in config — a missing key makes [0]
// throw at startup. Confirm, or guard it.
helmetConfig.directives.reportUri = helmetConfig.directives.reportUri[0];
// '-' is the config sentinel for "no report endpoint".
if (helmetConfig.directives.reportUri === '-') {
delete helmetConfig.directives.reportUri;
}
app.use(helmet.contentSecurityPolicy(helmetConfig));
}
if (env !== 'test') {
const appRender = require('./app_render');
// Load special posts and store them on the ctx for later use. Since
// we're inside a generator, we can't `await` here, so we pass a promise
// so `src/server/app_render.jsx` can `await` on it.
app.specialPostsPromise = specialPosts();
// refresh special posts every five minutes
setInterval(function() {
return new Promise(function(resolve, reject) {
app.specialPostsPromise = specialPosts();
resolve();
});
}, 300000);
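// Baseline security headers (helmet's defaults), registered before any route
// so every response below passes through it.
app.use(helmet());
// Static assets, cache behaviour from cacheOpts.
app.use(mount('/static', staticCache(path.join(__dirname, '../app/assets/static'), cacheOpts)));
// robots.txt: allow every crawler. Cache-Control max-age is in seconds
// (RFC 7234), so one day is 86400 — 86400000 is one day in milliseconds and
// would have told caches to keep this for ~1000 days.
app.use(mount('/robots.txt', function* () {
this.set('Cache-Control', 'public, max-age=86400');
this.type = 'text/plain';
this.body = "User-agent: *\nAllow: /";
}));
useRedirects(app);
// useEnterAndConfirmEmailPages(app);
// CSP straight from config.helmet, production only. NOTE(review): CSP
// breakage will not surface in development or test runs.
if (env === 'production') {
app.use(helmet.contentSecurityPolicy(config.helmet));
}
// useAccountRecoveryApi(app);
// useOauthLogin(app);
// useGeneralApi(app);
// Site favicon, then bot detection, then the remaining static image mounts.
app.use(favicon(path.join(__dirname, '../app/assets/images/favicons/favicon.ico')));
app.use(isBot());
app.use(mount('/favicons', staticCache(path.join(__dirname, '../app/assets/images/favicons'), cacheOpts)));
app.use(mount('/images', staticCache(path.join(__dirname, '../app/assets/images'), cacheOpts)));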
// Proxy asset folder to webpack development server in development mode
if (env === 'development') {
const PORT = parseInt(process.env.PORT, 10) + 1 || 3001;
const proxy = require('koa-proxy')({
host: 'http://0.0.0.0:' + PORT,
map: (filePath) => 'assets/' + filePath