npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

netlify-plugin-csp-headers

v0.0.1-alpha.8

Published

Add strict Content Security Policy (CSP) headers to your site.

Downloads

32

Readme

Netlify Plugin CSP Headers

Add strict Content Security Policy (CSP) headers to your site.

While static sites are fairly secure, there's still a risk of Cross Site Scripting and other malicious attacks affecting your users. Having a solid Content Security Policy can help mitigate those risks further.

CSP Headers can also help you get better scores on some automated tests, like Web Page Test

Installation

Currently, this plugin is not available in the Netlify UI. To install it, perform the following steps:

  1. Add it to your Netlify.toml by adding the following to the Netlify.toml. This plugin should go after any other plugins that modify your html pages. This will prevent hashes from getting mismatched.
[[plugins]]
package = "netlify-plugin-csp-headers"
  1. Install the plugin in your package.json using either npm or yarn.
npm install -D netlify-plugin-csp-headers
yarn add -D netlify-plugin-csp-headers
  1. Deploy your site. If you have deploy previews turned on, it's probably best to test this plugin in a deploy preview. This can help you make sure you don't accidentally break your site when you turn on CSP headers. Typically, this involves making the above changes in a pull request.

Inputs/Options

|Input | Environment Variable | Allowed Values | Description --- | --- | --- | --- |unsafeStyles | CSP_HEADERS_UNSAFE_STYLES | true, false | A value of true removes the style tag hashes from your inline styles. This way any post-processing modifications/runtime styles still work on your site. |reportUrl | CSP_HEADERS_REPORT_URL | a url (relative or absolute) | Browsers will send CSP reports to this url. By recording these values, you can keep track of violations. Useful for both debugging & security purposes.

Warning about Netlify Asset Optimizations

To improve the security of inline script & style tags, it takes a hash of the contents. This can stop attackers from modifying them after you've deployed your site. It also prevents new ones from being added. However, this also means that Netlify's Asset Optimization can break your site. Because Asset Optimization changes the URLs of static assets like fonts after your build is complete, it makes the hashes no longer match the ones generated by this plugin. This causes your browser to block those inline assets. Unfortunately, I haven't come up with a good way around this since the URLs are randomly generated. Unfortunately, even if you only use the Pretty URLs optimization, self hosted font urls will still get replaced. To get around this, I currently see 3 options:

  1. Move all <style> tags with font declarations to an external file. This will add additional network requests to your page load, and may cause performance to drop slightly.
  2. Turn off all optimizations (including pretty urls 😢). This will stop Netlify from changing anything about your code. You'll also be responsible for optimizing all of your own assets. It may also prevent "pretty urls" from working correctly on your site (so pages might be at https://example.com/route/index.html instead of https://example.com/route/).
  3. Add the environment variable CSP_HEADERS_UNSAFE_STYLE with a value of true in your Netlify UI Dashboard. The plugin will then not include any hashes for style tags in the CSP headers. This is probably mostly safe. However, there are some risks of malicious <style> elements, especially around images. The default CSP header added by the site should prevent at least some of the risks associated with images.