npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@vchernin/strict-csp-html-webpack-plugin

v1.0.5

Published

A webpack plugin that adds a hash-based strict CSP to help protect your site against XSS attacks.

Downloads

7

Readme

strict-csp-html-webpack-plugin

Available on npm

⚠️ This is experimental. Make sure to check what's not supported. Keep in mind that the Report-Only mode is not supported here since the policy is added via a meta tag (Content-Security-Policy-Report-Only is unfortunately not supported in meta tags).

What this plugin does: defense-in-depth against XSS 🛡

💡 Not using webpack? Head over to strict-csp instead. It's the bundler-agnostic library this webpack plugin is based on, and it enables you to easily set a strict CSP.

Cross-site scripting (XSS)—the ability to inject malicious scripts into a web application—has been one of the biggest web security vulnerabilities for over a decade.

strict-csp-html-webpack-plugin helps protect your single-page application against XSS attacks. It does so by configuring a strict Content-Security-Policy (CSP) for your web application.

A strict CSP, added in the form of an HTML meta tag, looks as follows:

<meta 
      http-equiv="Content-Security-Policy" 
      content="script-src 'sha256-3uCZp...oQxI=' 'strict-dynamic'; style-src 'self' 'unsafe-inline'">
</meta>

Quickstart 🚀

Step 1: install the plugin

npm i --save strict-csp-html-webpack-plugin@beta

(or with yarn)

Step 2: Configure the plugin

In your site's or app's webpack.config.js:

const HtmlWebpackPlugin = require('html-webpack-plugin');
const StrictCspHtmlWebpackPlugin = require('strict-csp-html-webpack-plugin');

module.exports = function (webpackEnv) {
  return {
    // ...
    plugins: [
      new HtmlWebpackPlugin(
        Object.assign(
          {}
          // ... HtmlWebpackPlugin config
        )
      ),
      new StrictCspHtmlWebpackPlugin(HtmlWebpackPlugin),
    ],
  };
};

⚠️ If you have a React app created with create-react-app, you'll need to eject in order to configure and use this plugin (because you need access to the webpack config).

Step 3: Restart the app

  • The app should run without errors (check the console).
  • Observe that a meta HTML tag has been added to the application's index.html, and that one inline script now loads all scripts.

✨ Your app is now protected from many XSS attacks.

Options

By default, strict-csp-html-webpack-plugin will set up a valid, strict, hash-based CSP.

You can use additional options to configure the plugin:

| Option | Default | What it does | | -------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------- | | enabled | true | When true, activates the plugin. | | enableTrustedTypes | false | When true, enables trusted types for additional protections against DOM XSS attacks. | | enableUnsafeEval | false | When true, enables unsafe-eval in case you cannot remove all uses of eval(). |

FAQ

Does this plugin protect my users from XSS attacks?

A CSP offers an extra layer of security (also called "defense-in-depth" technique) to mitigate XSS attacks. It's not a replacement for properly escaping user-controlled data and sanitizing user input.

Now, this plugin sets a hash-based strict CSP. While this does remove several common XSS attack surfaces, it doesn't guarantee that your application is XSS-free.

To cover most of the XSS attack surface, we recommend to also enable Trusted Types (DOM XSS).

Where should I use this plugin?

This plugin is best-suited for use in single-page applications that are served statically. If you are rendering HTML on the server-side, you will also have to consider stored and reflected XSS. In this case we recommend using a nonce-based strict CSP instead.

How does this plugin, strict-csp-html-webpack-plugin, differ from csp-html-webpack-plugin?

This plugin strict-csp-html-webpack-plugin focuses on one thing: it mitigates XSS vulnerabilities. It does so by setting up a strict CSP, that is, an efficient defense-in-depth mechanism against XSS attacks. It automatically sets up a secure CSP and frees you from manual configurations.

csp-html-webpack-plugin on the other hand, has a numbers of options to choose from. If you're using a CSP for other purposes than XSS mitigation, check out csp-html-webpack-plugin. Note that at the moment, static nonces risk making csp-html-webpack-plugin's CSP bypassable, though this may be resolved in the future.

I already have a CSP on my site, with an allowlist*. Should I consider using this plugin?

*An allowlist CSP looks as follows: default-src https://cdn.example https://site1.example https://site2.example;.

It depends.

If you're using your allowlist CSP purely to load scripts coming from a certain origin, you can keep using it.

But if you're relying on your allowlist CSP for XSS protection: migrate to the more secure strict CSP approach, and consider using this plugin to help you do so.

Allowlist-based CSP are not recommended anymore for XSS protection, because don't efficiently protect sites against XSS attacks: research has shown that they can be bypassed. 🥲 They're also harder to maintain!

Instead, strict CSPs are now recommended, because they're both more secure and easier to maintain than allowlist-based CSPs.

This plugin automatically adds a strict CSP to your application.

Can this plugin slow down my site?

See issue #15.

How does a strict CSP compare with subresource integrity (SRI)?

SRI can be used to ensure the integrity of scripts, e.g. to protect your site in case your CDN gets compromised. However, SRI will not mitigate XSS caused by an injection vulnerability in your own site.

Why should sourced scripts be replaced by an inline script?

A strict hash-based CSP allows certain scripts based on their hash. However, Firefox (bug) and Safari (bug) do not support hashes for externally-sourced scripts⏤only for inline scripts. Because this plugin aims at setting a CSP that helps protect your users in all browsers, it first transforms your externally-sourced scripts into an inline script.

How does this plugin work?

strict-csp-webpack-plugin uses the strict-csp custom library to form a strict CSP and hooks into HtmlWebpackPlugin to set up this CSP as a meta HTML tag.

Learn more about what the strict-csp library exactly does here.

TL;DR: this library automates the steps to add a hash-based strict CSP to your site.

Resources