strict-csp
v1.0.4
Published
Enables a hash-based strict Content Security Policy for static HTML files and single page applications.
Downloads
8,577
Maintainers
Readme
strict-csp
⚠️ This is experimental. Make sure to check what's not supported. Keep in mind that the Report-Only
mode is not supported here since the policy is added via a meta tag (Content-Security-Policy-Report-Only
is unfortunately not supported in meta tags).
What this library does: defense-in-depth against XSS 🛡
💡 Are you using webpack? Head over to strict-csp-html-webpack-plugin instead. It uses this library under the hood to generate a CSP you can use in your webpack project!
Cross-site scripting (XSS)—the ability to inject malicious scripts into a web application—has been one of the biggest web security vulnerabilities for over a decade.
strict-csp is a bundler-agnostic library that helps protect your single-page application against XSS attacks. It does so by configuring a strict, hash-based Content-Security-Policy (CSP) for your web application.
A strict CSP, added in the form of an HTML meta
tag, looks as follows:
<meta
http-equiv="Content-Security-Policy"
content="script-src 'sha256-3uCZp...oQxI=' 'strict-dynamic'; style-src 'self' 'unsafe-inline'">
</meta>
Example usage
Let's say that htmlString
is your SPA's html as a string.
const s = new StrictCsp(htmlString);
// Refactor sourced scripts so that we can set a strict hash-based CSP
s.refactorSourcedScriptsForHashBasedCsp();
// Hash inline scripts from this html file, if there are any
const scriptHashes = s.hashAllInlineScripts();
// Generate a strict CSP as a string
const strictCsp = StrictCsp.getStrictCsp(scriptHashes, {
enableBrowserFallbacks: true,
});
// Set this CSP via a meta tag
s.addMetaTag(strictCsp);
const htmlStringWithCsp = s.serializeDom();
TL;DR: this library automates the steps to add a hash-based strict CSP to your site.
Arguments for the options object in getStrictCsp
By default, strict-csp will generate up a valid, strict, hash-based CSP.
You can use additional options to configure it:
| Option | What it does |
| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| enableBrowserFallbacks
(defaults to true
) | When true
, enables fallbacks for older browsers. This does not weaken the policy. |
| enableTrustedTypes
(defaults to false
) | When true
, enables trusted types for additional protections against DOM XSS attacks. |
| enableUnsafeEval
(defaults to false
) | When true
, enables unsafe-eval in case you cannot remove all uses of eval()
. |
How does this library work?
Here's what the library does:
- It replaces sourced scripts with an inline script that dynamically loads all sourced scripts. It calculates the hash of this script.
- It calculates the hash of other inline scripts.
- It creates a strict hash-based CSP, that includes the hashes calculated in (1) and (2).
This CSP efficiently helps protect your site against XSS. This CSP is set in a meta
tag. It looks like this:
script-src {HASH-INLINE-SCRIPT} 'strict-dynamic'; object-src 'none'; base-uri 'none';
.
{HASH-INLINE-SCRIPT}
is the hash on the inline script that dynamically loads all sourced scripts.
TL;DR: this library automates the steps to add a hash-based CSP to your site.