csp

csp is a tiny Go library that makes it easy to craft Content-Security-Policy HTTP headers.

Features

  • Tiny - less than 300 LOC and no external dependencies
  • Simple - easy to use API

Installation

go get github.com/novrin/csp

Usage

package main

import (
	"net/http"

	"github.com/novrin/csp"
)

// SecureHeader is middleware that sets a Content-Security-Policy header on
// every response before handing the request to the next handler.
func SecureHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Use HeaderKey and Policy + Directives.
		w.Header().Set(csp.HeaderKey, csp.Policy(csp.Directives{
			DefaultSrc:    []string{"self", "example.com"},
			ImgSrc:        []string{"https:"},
			ScriptSrcElem: []string{"self", "https://example.com/static/app.js"},
			// Optionally use keyword source constants.
			StyleSrc: []string{csp.SourceSelf, csp.SourceUnsafeInline},
		}))
		// ... set any other headers here ...
		next.ServeHTTP(w, r)
	})
}

Optionally use convenience defaults. For example, Basic is a simple, non-strict CSP policy in which the sources for the default-src, form-action, and frame-ancestors directives are restricted to 'self'.

func SecureHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Set a basic non-strict CSP.
		w.Header().Set(csp.HeaderKey, csp.Basic())
		// ... set any other headers here ...
		next.ServeHTTP(w, r)
	})
}
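To show what a header value built this way looks like on the wire, here is an added, dependency-free example (not the csp library's own code) that serialises a directive map into the Content-Security-Policy format and applies it as middleware. The directive names, keyword quoting and "; " joining follow the CSP specification; the Directives type, Policy and Basic functions are standalone stand-ins written for this example, and the assumption that keywords such as self are single-quoted in the output is the example's, not a statement about the library.

```go
package main

import (
	"net/http"
	"sort"
	"strings"
)

// Keyword sources that the CSP grammar requires to be single-quoted.
var cspKeywords = map[string]bool{"self": true, "none": true, "unsafe-inline": true, "unsafe-eval": true}

// Directives maps a directive name ("default-src") to its source list.
type Directives map[string][]string

// Policy serialises directives as "name src ...; name src ..." in sorted
// order, quoting keywords so 'self' is not mistaken for a host named self.
func Policy(d Directives) string {
	names := make([]string, 0, len(d))
	for name := range d {
		names = append(names, name)
	}
	sort.Strings(names)
	parts := make([]string, 0, len(names))
	for _, name := range names {
		srcs := make([]string, 0, len(d[name]))
		for _, s := range d[name] {
			if key := strings.Trim(s, "'"); cspKeywords[key] {
				s = "'" + key + "'"
			}
			srcs = append(srcs, s)
		}
		parts = append(parts, strings.TrimSpace(name+" "+strings.Join(srcs, " ")))
	}
	return strings.Join(parts, "; ")
}

// Basic follows the README's description of the library's Basic() default.
func Basic() string {
	return Policy(Directives{"default-src": {"self"}, "form-action": {"self"}, "frame-ancestors": {"self"}})
}

// SecureHeader sets the policy on every response before calling next.
func SecureHeader(policy string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", policy)
		next.ServeHTTP(w, r)
	})
}
```

Wrapping a mux with SecureHeader(Basic(), mux) yields the header value "default-src 'self'; form-action 'self'; frame-ancestors 'self'" on each response.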

License

Copyright (c) 2023-present novrin

Licensed under MIT License
