tobias-kaerst-software / elysia-helmet

Help secure Elysia apps with various HTTP headers 🔒
https://www.npmjs.com/package/elysia-helmet
MIT License
27 stars 3 forks

Ability to configure request-specific nonce on CSP #1

Open gtramontina opened 7 months ago

gtramontina commented 7 months ago

Hey there. First of all, thank you for this port!

I've been looking for ways of configuring CSP directives to include nonces, like we can in the express version:

```js
// express helmet: a directive value may be a function of (req, res),
// so a per-request nonce stored in res.locals can be inserted into the policy
directives: {
  scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
  styleSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
},
```

This doesn't seem to be possible in this port. Am I missing something or is this potentially a gap in parity?

Cheers!

DevTobias commented 7 months ago

Hi! I think this is not possible right now. I can try to implement this if I find the free time for it. Also feel free to open a pr for this, I would gladly take a look at it :)

gtramontina commented 7 months ago

Thanks, @DevTobias. I can't promise a PR, but might eventually do it. From a quick glance at the codebase, it seems we'll need to forward both request and response from the plugin definition into the CSP policy in order to enable something like the above.