Enables a hash-based strict Content Security Policy for static HTML files and single page applications.
⚠️ This is experimental. Make sure to check what's not supported. Keep in mind that the Report-Only mode is not supported here since the policy is added via a meta tag (Content-Security-Policy-Report-Only is unfortunately not supported in meta tags).
💡 Are you using webpack? Head over to strict-csp-html-webpack-plugin instead. It uses this library under the hood to generate a CSP you can use in your webpack project!
Cross-site scripting (XSS)—the ability to inject malicious scripts into a web application—has been one of the biggest web security vulnerabilities for over a decade.
strict-csp is a bundler-agnostic library that helps protect your single-page application against XSS attacks. It does so by configuring a strict, hash-based Content-Security-Policy (CSP) for your web application.
A strict CSP, added in the form of an HTML meta tag, looks as follows:
<meta
http-equiv="Content-Security-Policy"
content="script-src 'sha256-3uCZp...oQxI=' 'strict-dynamic'; style-src 'self' 'unsafe-inline'">
</meta>
Let's say that htmlString is your SPA's html as a string.
const s = new StrictCsp(htmlString);
// Refactor sourced scripts so that we can set a strict hash-based CSP
s.refactorSourcedScriptsForHashBasedCsp();
// Hash inline scripts from this html file, if there are any
const scriptHashes = s.hashAllInlineScripts();
// Generate a strict CSP as a string
const strictCsp = StrictCsp.getStrictCsp(scriptHashes, {
enableBrowserFallbacks: true,
});
// Set this CSP via a meta tag
s.addMetaTag(strictCsp);
const htmlStringWithCsp = s.serializeDom();
TL;DR: this library automates the steps to add a hash-based strict CSP to your site.
getStrictCspBy default, strict-csp will generate up a valid, strict, hash-based CSP.
You can use additional options to configure it:
| Option | What it does |
|---|---|
enableBrowserFallbacks (defaults to true) | When true, enables fallbacks for older browsers. This does not weaken the policy. |
enableTrustedTypes (defaults to false) | When true, enables trusted types for additional protections against DOM XSS attacks. |
enableUnsafeEval (defaults to false) | When true, enables unsafe-eval in case you cannot remove all uses of eval(). |
Here's what the library does:
This CSP efficiently helps protect your site against XSS. This CSP is set in a meta tag. It looks like this:
script-src {HASH-INLINE-SCRIPT} 'strict-dynamic'; object-src 'none'; base-uri 'none';.
{HASH-INLINE-SCRIPT} is the hash on the inline script that dynamically loads all sourced scripts.
TL;DR: this library automates the steps to add a hash-based CSP to your site.
FAQs
Enables a hash-based strict Content Security Policy for static HTML files and single page applications.
The npm package strict-csp receives a total of 1,243 weekly downloads. As such, strict-csp popularity was classified as popular.
We found that strict-csp demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Deno 2.2 enhances Node.js compatibility, improves dependency management, adds OpenTelemetry support, and expands linting and task automation for developers.
Security News
React's CRA deprecation announcement sparked community criticism over framework recommendations, leading to quick updates acknowledging build tools like Vite as valid alternatives.
Security News
Ransomware payment rates hit an all-time low in 2024 as law enforcement crackdowns, stronger defenses, and shifting policies make attacks riskier and less profitable.