Content Security Policy builder

Take an object and turn it into a Content Security Policy string.

It can handle a lot of things you can you throw at it; camelCased or dash-separated directives, arrays or strings, et cetera.

Usage:

import builder from "content-security-policy-builder";

// default-src 'self' default.com; script-src scripts.com; whatever-src something; object-src
builder({
  directives: {
    defaultSrc: ["'self'", "default.com"],
    scriptSrc: "scripts.com",
    "whatever-src": "something",
    objectSrc: true,
  },
});

// default-src 'self'; whatever-src something
builder({
  directives: new Map([
    ["defaultSrc", ["'self'", "default.com"]],
    ["whatever-src", "something"],
  ]),
});

This module is considered complete. I expect to continue maintenance if needed, but I don't plan to add features or make breaking changes.

Changelog

2.3.0 - 2025-03-28

Added

• Maps are now supported as arguments

Changed

• Arrays are now readonly. This is a TypeScript-only change

2.2.0 - 2024-04-25

Added

• Added ECMAScript Module support

Removed

• Breaking: Drop support for old Node versions. Node 18+ is now required

2.1.1 - 2022-03-23

Changed

• Fixed bug where names on Object.prototype didn't work
• Marked inputs as Readonly (TypeScript-only)
• Shrink package size a bit

2.1.0 - 2019-06-13

Added

• Added TypeScript type definitions. See #6
• Created a changelog

Changed

• Excluded useless files from npm package

This changelog was started after the release of version 2.1.0.