Skip to content

Instantly share code, notes, and snippets.

@adunkman adunkman/index.js
Last active Aug 29, 2015

Embed
What would you like to do?
Simple proof-of-concept for Content-Security-Policy in report-only mode.
var app = require("express")();
// JSON parse the body of requests with `application/csp-report` content type.
app.use(require("body-parser").json({
type: "application/csp-report"
}));
// Page with CSP header (in report-only mode).
app.get("/", function (req, res) {
res.setHeader("Content-Security-Policy-Report-Only", [
"default-src 'self' *.harvestapp.com",
"report-uri /csp-report-endpoint"
].join("; "));
res.end("hello there");
});
// Receiver of CSP reports (sent by browser automatically).
app.post("/csp-report-endpoint", function (req, res) {
console.log(req.body);
res.end();
});
// Start server.
app.listen(process.env.PORT || 3000, function () {
console.log("listening", this.address());
});
{
"name": "csp-test",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC",
"dependencies": {
"body-parser": "^1.13.3",
"express": "^4.13.3"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.