{"id":19414,"library":"content-security-policy","title":"content-security-policy","description":"Express/Connect middleware (v0.3.4) for setting Content-Security-Policy HTTP headers according to the W3C CSP specification. This library provides helper constants (SRC_NONE, SRC_SELF, SRC_DATA) and a convenient getCSP() function to generate middleware for global or route-specific policies. It is minimal and focused solely on CSP headers, unlike more comprehensive security packages such as helmet (which includes CSP as one of many middleware). The package requires Node >= 0.4.0 and has no external dependencies, making it lightweight and easy to integrate into existing Express applications. The API is stable, but the package has not seen updates since 2018; before adopting it, evaluate whether it meets modern CSP requirements.","status":"maintenance","version":"0.3.4","language":"javascript","source_language":"en","source_url":"ssh://git@github.com/samuelerdtman/content-security-policy","tags":["javascript","express","connect","content-security-policy","security","csp"],"install":[{"cmd":"npm install content-security-policy","lang":"bash","label":"npm"},{"cmd":"yarn add content-security-policy","lang":"bash","label":"yarn"},{"cmd":"pnpm add content-security-policy","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This package does not ship ESM; use CommonJS require() or a dynamic import().","wrong":"import csp from 'content-security-policy';","symbol":"csp","correct":"const csp = require('content-security-policy');"},{"note":"Named exports are not available as ESM; destructure from require.","wrong":"import { SRC_NONE } from 'content-security-policy';","symbol":"SRC_NONE","correct":"const { SRC_NONE } = require('content-security-policy');"},{"note":"Both patterns work in CJS and behave the same; destructuring is only a style preference.","wrong":"const getCSP = require('content-security-policy').getCSP;","symbol":"getCSP","correct":"const { getCSP } = 
require('content-security-policy');"}],"quickstart":{"code":"const csp = require('content-security-policy');\nconst express = require('express');\nconst app = express();\n\nconst policy = {\n  'default-src': csp.SRC_NONE,\n  'script-src': [csp.SRC_SELF],\n  'report-uri': '/csp-report'\n};\n\napp.use(csp.getCSP(csp.STARTER_OPTIONS));\n\napp.get('/secure', csp.getCSP(policy), (req, res) => {\n  res.send('This route has CSP enforced.');\n});\n\napp.listen(3000);","lang":"javascript","description":"Express app using content-security-policy middleware: global policy from STARTER_OPTIONS, custom policy for a specific route."},"warnings":[{"fix":"Ensure every directive value is a valid source expression string, e.g., 'self' not SRC_SELF directly.","message":"CSP policy values must be strings or arrays of strings; object values are ignored.","severity":"gotcha","affected_versions":">=0.0.0"},{"fix":"If you need CSP in HTML, consider a different approach or add the meta tag manually; a policy delivered via a meta tag does not support report-uri, frame-ancestors or sandbox.","message":"The middleware does not set CSP via a meta tag; it only sets the HTTP header.","severity":"gotcha","affected_versions":">=0.0.0"},{"fix":"Define your own baseline policy instead of relying on STARTER_OPTIONS.","message":"STARTER_OPTIONS is not documented and may be removed; prefer defining a custom default policy.","severity":"deprecated","affected_versions":">=0.3.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Use const { getCSP } = require('content-security-policy'); or use dynamic import().","cause":"Importing the default export instead of the named function when using ESM syntax.","error":"TypeError: csp.getCSP is not a function"},{"fix":"Run `npm install content-security-policy --save` and ensure the require path is correct.","cause":"Package not installed or incorrect import path.","error":"Error: Cannot find module 
'content-security-policy'"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}