npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

strict-csp

v1.0.4

Published

Enables a hash-based strict Content Security Policy for static HTML files and single page applications.

Downloads

8,577

Readme

strict-csp

Available on npm

⚠️ This is experimental. Make sure to check what's not supported. Keep in mind that the Report-Only mode is not supported here since the policy is added via a meta tag (Content-Security-Policy-Report-Only is unfortunately not supported in meta tags).

What this library does: defense-in-depth against XSS 🛡

💡 Are you using webpack? Head over to strict-csp-html-webpack-plugin instead. It uses this library under the hood to generate a CSP you can use in your webpack project!

Cross-site scripting (XSS)—the ability to inject malicious scripts into a web application—has been one of the biggest web security vulnerabilities for over a decade.

strict-csp is a bundler-agnostic library that helps protect your single-page application against XSS attacks. It does so by configuring a strict, hash-based Content-Security-Policy (CSP) for your web application.

A strict CSP, added in the form of an HTML meta tag, looks as follows:

<meta
      http-equiv="Content-Security-Policy"
      content="script-src 'sha256-3uCZp...oQxI=' 'strict-dynamic'; style-src 'self' 'unsafe-inline'">
</meta>

Example usage

Let's say that htmlString is your SPA's html as a string.

const s = new StrictCsp(htmlString);
// Refactor sourced scripts so that we can set a strict hash-based CSP
s.refactorSourcedScriptsForHashBasedCsp();
// Hash inline scripts from this html file, if there are any
const scriptHashes = s.hashAllInlineScripts();
// Generate a strict CSP as a string
const strictCsp = StrictCsp.getStrictCsp(scriptHashes, {
  enableBrowserFallbacks: true,
});
// Set this CSP via a meta tag
s.addMetaTag(strictCsp);
const htmlStringWithCsp = s.serializeDom();

TL;DR: this library automates the steps to add a hash-based strict CSP to your site.

Arguments for the options object in getStrictCsp

By default, strict-csp will generate up a valid, strict, hash-based CSP.

You can use additional options to configure it:

| Option | What it does | | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | | enableBrowserFallbacks (defaults to true) | When true, enables fallbacks for older browsers. This does not weaken the policy. | | enableTrustedTypes (defaults to false) | When true, enables trusted types for additional protections against DOM XSS attacks. | | enableUnsafeEval (defaults to false) | When true, enables unsafe-eval in case you cannot remove all uses of eval(). |

How does this library work?

Here's what the library does:

  1. It replaces sourced scripts with an inline script that dynamically loads all sourced scripts. It calculates the hash of this script.
  2. It calculates the hash of other inline scripts.
  3. It creates a strict hash-based CSP, that includes the hashes calculated in (1) and (2).

This CSP efficiently helps protect your site against XSS. This CSP is set in a meta tag. It looks like this:

script-src {HASH-INLINE-SCRIPT} 'strict-dynamic'; object-src 'none'; base-uri 'none';.

{HASH-INLINE-SCRIPT} is the hash on the inline script that dynamically loads all sourced scripts.

TL;DR: this library automates the steps to add a hash-based CSP to your site.

Resources