npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@netlify/plugin-csp-nonce

v1.3.6

Published

Use a nonce for the script-src and style-src directives of your Content Security Policy.

Downloads

12,255

Readme

@netlify/plugin-csp-nonce

Use a nonce for the script-src directive of your Content Security Policy (CSP) to help prevent cross-site scripting (XSS) attacks.

This plugin deploys an edge function that adds a response header and transforms the HTML response body to contain a unique nonce on every request, along with an optional function to log CSP violations.

Scripts that do not contain a matching nonce attribute, or that were not created from a trusted script (see strict-dynamic), will not be allowed to run.

You can use this plugin whether or not your site already has a CSP in place. If your site already has a CSP, the nonce will merge with your existing directives.

Installation

First, add the dependency:

npm i @netlify/plugin-csp-nonce

Then, include the plugin inside your netlify.toml:

# netlify.toml
[[plugins]]
  package = "@netlify/plugin-csp-nonce"

Configuration options

Sample configuration:

# netlify.toml
[[plugins]]
  package = "@netlify/plugin-csp-nonce"
  [plugins.inputs]
    reportOnly = false
    excludedPath = [
      "/api/*",
      "**/*.bespoke.extension"
    ]

reportOnly

Default: true.

When true, uses the Content-Security-Policy-Report-Only header instead of the Content-Security-Policy header. Setting reportOnly to true is useful for testing the CSP with real production traffic without actually blocking resources. Be sure to monitor your logging function to observe potential violations.

reportUri

Default: undefined.

The relative or absolute URL to report any violations. If left undefined, violations are reported to the __csp-violations function, which this plugin deploys. If your site already has a report-uri directive defined in its CSP header, then that value will take precedence.

unsafeEval

Default: true.

When true, adds 'unsafe-eval' to the CSP for easier adoption. Set to false to have a safer policy if your code and code dependencies does not use eval().

path

Default: "/*".

The glob expressions of path(s) that should invoke the CSP nonce edge function. Can be a string or array of strings.

excludedPath

Default: []

The glob expressions of path(s) that should not invoke the CSP nonce edge function. Must be an array of strings. This value gets spread with common non-html filetype extensions (*.css, *.js, *.svg, etc).

Debugging

Limiting edge function invocations

By default, the edge function that inserts the nonce will be invoked on all requests whose path

  • does not begin with /.netlify/
  • does not end with common non-HTML filetype extensions

To further limit invocations, add globs to the excludedPath configuration option that are specific to your site.

Requests that invoke the nonce edge function will contain a x-debug-csp-nonce: invoked response header. Use this to determine if unwanted paths are invoking the edge function, and add those paths to the excludedPath array.

Also, monitor the edge function logs in the Netlify UI. If the edge function is invoked but the response is not transformed, the request's path will be logged.

Not transforming as expected

If your HTML does not contain the nonce attribute on the <script> tags that you expect, ensure that all of these criteria are met:

  • The request method is GET
  • The content-type response header starts with text/html
  • The path of the request is satisfied by the path config option, and not included in the excludedPath config option
  • This site does not use Split Testing. There is a known limitation that requests to sites with Split Testing enabled will not execute edge functions.

Controlling rollout

You may want to gradually rollout the effects of this plugin while you monitor violation reports, without modifying code.

You can ramp up or ramp down the inclusion of the Content-Security-Policy header by setting the CSP_NONCE_DISTRIBUTION environment variable to a value between 0 and 1.

  • If 0, the plugin is completely skipped at build time, and no extra functions or edge functions get deployed. Functionally, this acts the same as if the plugin isn't installed at all.
  • If 1, 100% of traffic for all matching paths will include the nonce. Functionally, this acts the same as if the CSP_NONCE_DISTRIBUTION environment variable was not defined.
  • Any value in between 0 and 1 will include the nonce in randomly distributed traffic. For example, a value of 0.25 will put the nonce in the Content-Security-Policy header 25% of requests for matching paths. The other 75% of matching requests will have the nonce in the Content-Security-Policy-Report-Only header.

The CSP_NONCE_DISTRIBUTION environment variable needs to be scoped to both Builds and Functions.