npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@jackdbd/eleventy-plugin-content-security-policy

v2.2.0

Published

Eleventy plugin that writes Content-Security-Policy and Content-Security-Policy-Report-Only headers to a `_headers` file when Eleventy builds your site.

Downloads

132

Readme

@jackdbd/eleventy-plugin-content-security-policy

npm version install size CodeCov badge Socket Badge

Eleventy plugin that writes Content-Security-Policy and Content-Security-Policy-Report-Only headers to a _headers file when Eleventy builds your site.

Installation

npm install @jackdbd/eleventy-plugin-content-security-policy

Note: this library was tested on Node.js >=18. It might work on other Node.js versions though.

About

Hosting providers like Cloudflare Pages and Netlify allow to define custom response headers in a plain text file called _headers. This file must be placed in the publish directory of your site (e.g. usually _site for a Eleventy site).

This plugin allows you to define a Content-Security-Policy (CSP) or a Content-Security-Policy-Report-Only header in your Eleventy configuration file, and then it automatically writes those headers into your _headers file when you build your site.

Usage

In your Eleventy config file:

import { contentSecurityPolicyPlugin } from '@jackdbd/eleventy-plugin-content-security-policy'

export default function (eleventyConfig) {
  // some other eleventy configuration...

  // use the default CSP directives (not recommended)...
  eleventyConfig.addPlugin(contentSecurityPolicyPlugin)

  // ...or define your CSP directives
  eleventyConfig.addPlugin(contentSecurityPolicyPlugin, {
    allowDeprecatedDirectives: true,
    
    directives: {
      'base-uri': ['self'],

      // allow only self-hosted fonts (i.e. fonts hosted on this origin)
      'font-src': ['self'],

      // allow scripts hosted on this origin, on plausible.io (analytics),
      // cloudflareinsights.com (analytics), unpkg.com (preact)
      'script-src-elem': [
        'self',
        'https://plausible.io/js/plausible.js',
        'https://static.cloudflareinsights.com/beacon.min.js',
        'https://unpkg.com/htm/preact/standalone.module.js'
      ],

      // allow CSS hosted on this origin, and inline styles that match a sha256
      // hash automatically computed at build time by this 11ty plugin.
      // See also here for the pros and cons of 'unsafe-inline'
      // https://stackoverflow.com/questions/30653698/csp-style-src-unsafe-inline-is-it-worth-it
      'style-src-elem': ['self', 'sha256'],
    },

    // Only .html files should be served with the Content-Security-Policy header. Avoid header bloat by making sure that other files are not served with Content-Security-Policy header.
    globPatternsDetach: ['/*.png'],

    includePatterns: ['/**/**.html']
  })

  // some other eleventy configuration...
}

Configuration

Refer also to the library @jackdbd/content-security-policy for the configuration.

| Option | Default | Explanation | | --- | --- | --- | | allowDeprecatedDirectives | false | whether deprecated directives should be allowed or not. | | directives | {} | Directives for the Content-Security-Policy (or Content-Security-Policy-Report-Only) header. | | excludePatterns | [] | Files that match these patterns will not be searched. | | globPatterns | ['/', '/*/'] | Files that match these patterns will be searched. | | globPatternsDetach | [] | Files that match these patterns will not be served with the Content-Security-Policy (or Content-Security-Policy-Report-Only) header. | | includePatterns | ['/**/**.html'] | Files that match these patterns will be served with the Content-Security-Policy (or Content-Security-Policy-Report-Only) header. | | jsonRecap | false | whether to write a JSON containing the configuration of this plugin. This can useful for troubleshooting the CSP and/or to consume the CSP with some other tool (e.g. send a Telegram message containing the current CSP directives). | | reportOnly | false | whether the policy should be applied to the Content-Security-Policy header, or to the Content-Security-Policy-Report-Only header. |

Troubleshooting

This plugin uses the debug library for logging. You can control what's logged using the DEBUG environment variable.

For example, if you set your environment variables in a .envrc file, you can do:

# print all logging statements
export DEBUG=11ty-plugin:*

Dependencies

| Package | Version | |---|---| | @jackdbd/content-security-policy | 3.0.0-canary.1 | | @jackdbd/hosting-utils | 1.0.0-canary.1 | | zod | ^3.23.0 | | zod-validation-error | ^3.1.0 |

⚠️ Peer Dependencies

This package defines 2 peer dependencies.

| Peer | Version range | |---|---| | @11ty/eleventy | >=2.0.0 or 3.0.0-alpha.6 | | debug | >=4.0.0 |

License

© 2022 - 2024 Giacomo Debidda // MIT License