{"id":15307,"library":"content-security-policy-builder","title":"Content Security Policy Builder","description":"The `content-security-policy-builder` package, currently at version 2.3.0, provides a focused utility for programmatically constructing Content Security Policy (CSP) strings from a JavaScript object or Map. It streamlines the process of defining CSP directives by supporting various input formats, including `camelCased` or `dash-separated` directive names, and accepting both strings and arrays for directive values. The module is explicitly designated as feature-complete, with the maintainer indicating that future development will be limited to maintenance. This means no new features or breaking changes are planned, making it a stable, though static, choice for generating CSP headers. Its key differentiator lies in its robust input parsing and its singular, complete focus on translating structured input into a valid CSP string.","status":"maintenance","version":"2.3.0","language":"javascript","source_language":"en","source_url":"git://github.com/helmetjs/content-security-policy-builder","tags":["javascript","security","content","policy","csp","builder","typescript"],"install":[{"cmd":"npm install content-security-policy-builder","lang":"bash","label":"npm"},{"cmd":"yarn add content-security-policy-builder","lang":"bash","label":"yarn"},{"cmd":"pnpm add content-security-policy-builder","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The library exports a default function. Attempting a named import will fail.","wrong":"import { builder } from 'content-security-policy-builder';","symbol":"builder","correct":"import builder from 'content-security-policy-builder';"},{"note":"While CommonJS `require` might work in some environments, the package's primary export is ESM. Using `require` in an ESM-first project can lead to `ReferenceError` or unexpected behavior. Stick to `import`.","wrong":"const builder = require('content-security-policy-builder');","symbol":"builder","correct":"import builder from 'content-security-policy-builder';"},{"note":"Import types using `import type` to ensure they are stripped from the JavaScript output, preventing runtime errors.","wrong":"import { CSPDirectiveMap } from 'content-security-policy-builder';","symbol":"CSPDirectiveMap","correct":"import type { CSPDirectiveMap } from 'content-security-policy-builder';"}],"quickstart":{"code":"import builder from \"content-security-policy-builder\";\n\n// --- Example 1: Basic directives with different input styles ---\nconst policy1 = builder({\n  directives: {\n    defaultSrc: [\"'self'\", \"default.com\"],\n    scriptSrc: \"scripts.com\",\n    \"style-src\": [\"'self'\", \"styles.com\", \"*.cdn.com\"], // dash-separated\n    imgSrc: [\"'self'\", \"data:\", \"images.example.com\"],\n    fontSrc: [\"'self'\", \"fonts.gstatic.com\"],\n    objectSrc: [\"'none'\"], // Explicitly disable object sources\n    baseUri: [\"'self'\"]\n  }\n});\nconsole.log(\"Policy 1:\", policy1);\n// Expected output: default-src 'self' default.com; script-src scripts.com; style-src 'self' styles.com *.cdn.com; img-src 'self' data: images.example.com; font-src 'self' fonts.gstatic.com; object-src 'none'; base-uri 'self'\n\n// --- Example 2: Using a Map for directives (useful for dynamic scenarios) ---\nconst dynamicDirectives = new Map([\n  [\"defaultSrc\", [\"'self'\"]],\n  [\"scriptSrc\", [\"'self'\", \"https://cdn.example.com\"]],\n  [\"connectSrc\", [\"'self'\", \"wss://api.example.com\"]],\n  [\"reportUri\", \"/csp-report-endpoint\"]\n]);\nconst policy2 = builder({ directives: dynamicDirectives });\nconsole.log(\"Policy 2:\", policy2);\n// Expected output: default-src 'self'; script-src 'self' https://cdn.example.com; connect-src 'self' wss://api.example.com; report-uri /csp-report-endpoint\n\n// This demonstrates building complex CSP strings with various directive types and sources,\n// including handling both camelCase and dash-separated directive names, and array/string values.","lang":"typescript","description":"This quickstart demonstrates how to use the `content-security-policy-builder` to construct CSP strings from both a plain JavaScript object and a Map, showcasing its flexibility with different directive naming conventions and value types."},"warnings":[{"fix":"Upgrade your Node.js environment to version 18.0.0 or newer.","message":"The package explicitly requires Node.js version 18.0.0 or higher. Running in older Node.js environments will result in errors.","severity":"breaking","affected_versions":"<18.0.0"},{"fix":"Regularly review your generated CSP against the latest W3C Content Security Policy specification to ensure it remains effective and secure, manually updating directives as needed.","message":"The module is considered 'feature-complete' by its maintainer. This means no new CSP directives or features are planned to be added, which could lead to an outdated CSP if new standards or directives emerge in the future.","severity":"gotcha","affected_versions":">=2.0.0"},{"fix":"Thoroughly test and review your generated CSP using browser developer tools and online CSP validators (e.g., CSP Evaluator) to ensure its correctness and effectiveness.","message":"The builder constructs the CSP string based on the input provided but does not perform semantic validation of the directive values (e.g., ensuring URLs are valid, or that `'self'` is correctly quoted). Supplying syntactically incorrect or insecure values will still produce a string, but the resulting CSP may be ineffective or even introduce vulnerabilities.","severity":"gotcha","affected_versions":">=2.0.0"}],"env_vars":null,"last_verified":"2026-04-21T00:00:00.000Z","next_check":"2026-07-20T00:00:00.000Z","problems":[{"fix":"Change your import statement from `const builder = require('content-security-policy-builder');` to `import builder from 'content-security-policy-builder';`.","cause":"Attempting to use `require()` to import the library in a modern Node.js project configured for ES Modules.","error":"ReferenceError: require is not defined in ES module scope"},{"fix":"Change your import statement to `import builder from 'content-security-policy-builder';`.","cause":"Attempting to use `import { builder } from 'content-security-policy-builder';` when the package exports a default function.","error":"TypeError: content_security_policy_builder_1.builder is not a function"}],"ecosystem":"npm"}