strict-csp-html-webpack-plugin
Advanced tools
Readme
⚠️⚠️⚠️⚠️
This is an MVP. Work in Progress. Do not use in production!
⚠️⚠️⚠️⚠️
strict-csp-html-webpack-plugin sets up a strict Content-Security-Policy (CSP) to help protect your site against XSS attacks. It's a hash-based CSP.
This plugin is best-suited for single-page applications. If you have server-side logics, use a nonce-based strict CSP instead.
script-src {HASH-INLINE-SCRIPT} 'strict-dynamic'; object-src 'none'; base-uri 'none';. {HASH-INLINE-SCRIPT} is the hash on the inline script that dynamically loads all sources scripts.Note: if you have other inline scripts, the plugin takes care of them too: it adds their hash to the CSP to ensure they can be loaded.
strict-csp-webpack-plugin uses the strict-csp library to form a strict CSP and hooks into HtmlWebpackPlugin to set up this CSP as a meta HTML tag.
prefetch scriptsnpm i --save strict-csp-html-webpack-plugin
(or with yarn)
In your site's or app's webpack.config.js:
const HtmlWebpackPlugin = require('html-webpack-plugin');
const StrictCspHtmlWebpackPlugin = require('strict-csp-html-webpack-plugin');
module.exports = function (webpackEnv) {
return {
// ...
plugins: [
new HtmlWebpackPlugin(
Object.assign(
{}
// ... HtmlWebpackPlugin config
)
),
new StrictCspHtmlWebpackPlugin(HtmlWebpackPlugin),
],
};
};
⚠️ If you have a React app created with create-react-app, you'll need to eject in order to configure and use this plugin (because you need access to the webpack config).
meta HTML tag has been added to the application's index.html, and that one inline script now loads all scripts.✨ Your app is now protected from many XSS attacks.
By default, strict-csp-html-webpack-plugin will set up a valid, strict, hash-based CSP.
You can use additional options to configure the plugin:
| Option | Default | What it does |
|---|---|---|
enabled | true | When true, activates the plugin. |
enableTrustedTypes | true | When true, enables trusted types for additional protections against DOM XSS attacks. |
FAQs
A webpack plugin that adds a hash-based strict CSP to help protect your site against XSS attacks.
We found that strict-csp-html-webpack-plugin demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
CISA launched a new project called Vulnrichment to enrich CVEs with details that help prioritize patching and mitigation efforts, as the NVD backlog of unenriched CVEs awaiting analysis surpasses 10,000.
Security News
Socket is joining forces with CISA and other industry leaders at the RSA Conference to sign the Secure by Design pledge, committing to uphold the highest security standards in our products.
Research
The Socket research team breaks down a sampling of malicious packages that download and execute files, among other suspicious behaviors, targeting the popular Discord platform.