mirror of
https://github.com/kevin-DL/sapper.git
synced 2026-01-16 12:54:38 +00:00
move old docs over
This commit is contained in:
Richard Harris
39
site/content/docs/12-security.md
Normal file
39
site/content/docs/12-security.md
Normal file
@@ -0,0 +1,39 @@
|
||||
---
|
||||
title: Security
|
||||
---
|
||||
|
||||
By default, Sapper does not add security headers to your app, but you may add them yourself using middleware such as [Helmet][].
|
||||
|
||||
### Content Security Policy (CSP)
|
||||
|
||||
Sapper generates inline `<script>`s, which can fail to execute if [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) headers disallow arbitrary script execution (`unsafe-inline`).
|
||||
|
||||
To work around this, Sapper can inject a [nonce](https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/) which can be configured with middleware to emit the proper CSP headers. Here is an example using [Express][] and [Helmet][]:
|
||||
|
||||
```js
|
||||
// server.js
|
||||
import uuidv4 from 'uuid/v4';
|
||||
import helmet from 'helmet';
|
||||
|
||||
app.use((req, res, next) => {
|
||||
res.locals.nonce = uuidv4();
|
||||
next();
|
||||
});
|
||||
app.use(helmet({
|
||||
contentSecurityPolicy: {
|
||||
directives: {
|
||||
scriptSrc: [
|
||||
"'self'",
|
||||
(req, res) => `'nonce-${res.locals.nonce}'`
|
||||
]
|
||||
}
|
||||
}
|
||||
}));
|
||||
app.use(sapper.middleware());
|
||||
```
|
||||
|
||||
Using `res.locals.nonce` in this way follows the convention set by
|
||||
[Helmet's CSP docs](https://helmetjs.github.io/docs/csp/#generating-nonces).
|
||||
|
||||
[Express]: https://expressjs.com/
|
||||
[Helmet]: https://helmetjs.github.io/
|
||||
Reference in New Issue
Block a user