sapper/site/content/docs/12-security.md
2019-04-28 21:44:34 -04:00

Security

By default, Sapper does not add security headers to your app, but you may add them yourself using middleware such as Helmet.

Content Security Policy (CSP)

Sapper generates inline <script>s, which the browser will refuse to execute if a Content Security Policy (CSP) header restricts script-src without allowing inline scripts. Allowing them wholesale with the 'unsafe-inline' source defeats most of the point of a CSP, so a nonce is the preferred fix.

To support this, Sapper reads res.locals.nonce and adds it as the nonce attribute of the inline <script>s it emits; your middleware is responsible for generating a fresh, unpredictable nonce for every request (never a fixed or reused value, which an injected script could simply copy) and for emitting the same value in the CSP header. Here is an example using Express and Helmet:

// server.js
import express from 'express';
import helmet from 'helmet';
import uuidv4 from 'uuid/v4';
import * as sapper from '@sapper/server';

const app = express();

// Generate a fresh, unpredictable nonce for every request. This must run
// before Helmet (which reads it while building the CSP header) and before
// Sapper (which reads res.locals.nonce when emitting its inline <script>s).
app.use((req, res, next) => {
	res.locals.nonce = uuidv4();
	next();
});

app.use(helmet({
	contentSecurityPolicy: {
		directives: {
			scriptSrc: [
				"'self'",
				// A function is evaluated per request, so the header carries
				// this request's nonce rather than one fixed at startup.
				(req, res) => `'nonce-${res.locals.nonce}'`
			]
		}
	}
}));

app.use(sapper.middleware());

app.listen(process.env.PORT || 3000);

Using res.locals.nonce in this way follows the convention set by Helmet's CSP docs.