{"id":19383896,"url":"https://github.com/docspring/better_content_security_policy","last_synced_at":"2025-10-05T19:17:41.176Z","repository":{"id":60701632,"uuid":"544681672","full_name":"DocSpring/better_content_security_policy","owner":"DocSpring","description":"A better way to configure Content-Security-Policy headers for your Rails application.","archived":false,"fork":false,"pushed_at":"2023-11-22T02:19:25.000Z","size":51,"stargazers_count":10,"open_issues_count":1,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-09-21T21:36:46.809Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DocSpring.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-03T03:13:28.000Z","updated_at":"2025-03-28T21:32:15.000Z","dependencies_parsed_at":"2023-11-22T02:06:47.117Z","dependency_job_id":"3d4b11a1-c57d-45a9-9686-64d226c77018","html_url":"https://github.com/DocSpring/better_content_security_policy","commit_stats":{"total_commits":19,"total_committers":1,"mean_commits":19.0,"dds":0.0,"last_synced_commit":"174aec5df35c5d0e8e2d9087ff6f8c3b15069ee3"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/DocSpring/better_content_security_policy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DocSpring%2Fbetter_content_security_policy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DocSpring%2Fbetter_content
_security_policy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DocSpring%2Fbetter_content_security_policy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DocSpring%2Fbetter_content_security_policy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DocSpring","download_url":"https://codeload.github.com/DocSpring/better_content_security_policy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DocSpring%2Fbetter_content_security_policy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278505038,"owners_count":25998057,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-05T02:00:06.059Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T09:28:19.044Z","updated_at":"2025-10-05T19:17:41.157Z","avatar_url":"https://github.com/DocSpring.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"![Ruby CI builds](https://github.com/DocSpring/better_content_security_policy/actions/workflows/main.yml/badge.svg)\n\n# Better Content Security Policy\n\nThis gem allows you to configure flexible and dynamic `Content-Security-Policy` headers for your Rails application.\nBy default, Rails only allows you to configure one global Content Security 
Policy for your whole application, in `config/initializers/content_security_policy.rb`. This gem moves the CSP logic into your controllers and views, so you can create multiple unique policies for different controllers, or add new rules for a specific action.\n\nRead the MDN Web Docs to learn more about Content Security Policies: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP\n\n## Features\n\n- Configure unique `Content-Security-Policy` rules for different controllers and actions.\n- Configure `Content-Security-Policy` rules alongside `script` tags in your views, so that rendering a view partial will automatically add all of the required CSP rules for those resources.\n- Still uses some features from Rails, such as `Rails.application.config.content_security_policy_nonce_generator` to generate nonce values.\n\n## Installation\n\nInstall the gem and add to the application's Gemfile by executing:\n\n    $ bundle add better_content_security_policy\n\nIf bundler is not being used to manage dependencies, install the gem by executing:\n\n    $ gem install better_content_security_policy\n\n## Usage\n\nInclude the `BetterContentSecurityPolicy::HasContentSecurityPolicy` concern in your `ApplicationController`,\nand the line `after_action :set_content_security_policy_header`.\n\n```ruby\nclass ApplicationController \u003c ActionController::Base\n  include BetterContentSecurityPolicy::HasContentSecurityPolicy\n  after_action :set_content_security_policy_header, if: -\u003e { request.format.html? 
}\n```\n\nDefine a `#configure_content_security_policy` method in `ApplicationController` to configure the default `Content-Security-Policy` rules:\n\n```ruby\n  def configure_content_security_policy\n    content_security_policy.default_src :none\n    content_security_policy.font_src :self\n    content_security_policy.script_src :self\n    content_security_policy.style_src :self\n    content_security_policy.img_src :self\n    content_security_policy.connect_src :self\n    content_security_policy.prefetch_src :self\n\n    content_security_policy.report_uri = \"http://example.com/csp_reports\"\n    content_security_policy.report_only = true\n  end\n```\n\nYou can define more `#configure_content_security_policy` methods in any other controllers. Call `super` if you want to inherit your default configuration from ApplicationController. Otherwise, you can omit the call to `super` if you want to start from scratch with a new policy.\n\nYou are now able to access content_security_policy in your controllers and views. 
After you have finished rendering the response, an `after_action` callback will generate and add the `Content-Security-Policy` header.\n\n## Examples\n\n#### Plausible Analytics\n\nHere's an example `HAML` partial that includes the JavaScript snippet for [Plausible Analytics](https://plausible.io/).\n\n```haml\n# app/views/layouts/_plausible_analytics.html.haml\n\n- if PLAUSIBLE_ANALYTICS_HOST\n  - content_security_policy.connect_src PLAUSIBLE_ANALYTICS_HOST\n  - content_security_policy.script_src PLAUSIBLE_ANALYTICS_HOST\n  = javascript_include_tag \"#{PLAUSIBLE_ANALYTICS_HOST}/js/script.js\", defer: true, data: { domain: local_assigns[:domain].presence || request.host }\n  = javascript_tag nonce: true do\n    window.plausible = window.plausible || function() { (window.plausible.q = window.plausible.q || []).push(arguments) }\n```\n\nWhenever this view partial is rendered, the connect-src and script-src directives will be automatically added to your `Content-Security-Policy` header.\n\n#### Gravatar Images\n\nYou can also override any helper methods that add resources from external sites, and update them so that they will automatically add the required `Content-Security-Policy` rules. Here's the overridden helper method that I use to generate Gravatar image URLs:\n\n```ruby\n  def gravatar_image_url(email, options = {})\n    content_security_policy.img_src 'https://secure.gravatar.com'\n    content_security_policy.img_src 'https://*.wp.com'\n    super\n  end\n```\n\n\u003e Note: It's fine to call this method multiple times. Any duplicate entries are automatically removed.\n\n## Nonces\n\nThis gem does not need to provide any extra functionality for working with `nonce` values. 
You can still set up the Rails nonce generator in `config/initializers/content_security_policy.rb`:\n\n```ruby\n\nRails.application.config.content_security_policy_nonce_generator = -\u003e(_request) { SecureRandom.base64(16) }\n```\n\nThe Rails `content_security_policy?` method will return false since we are not using the CSP feature from Rails, so the `csp_meta_tag` helper will not work. You will need to create the meta tag manually:\n\n```\n\u003c%= tag(\"meta\", name: \"csp-nonce\", content: content_security_policy_nonce) %\u003e\n```\n\nYou must also manually set up the `nonce-*` value in your `#configure_content_security_policy` method:\n\n```ruby\n  def configure_content_security_policy\n    content_security_policy.script_src :self, \"nonce-#{content_security_policy_nonce}\"\n    # ...\n```\n\n## Development\n\nAfter checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.\n\nTo install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).\n\n## Contributing\n\nBug reports and pull requests are welcome on GitHub at https://github.com/DocSpring/better_content_security_policy. 
This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/DocSpring/better_content_security_policy/blob/main/CODE_OF_CONDUCT.md).\n\n## License\n\nThe gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).\n\n## Code of Conduct\n\nEveryone interacting in the BetterContentSecurityPolicy project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/DocSpring/better_content_security_policy/blob/main/CODE_OF_CONDUCT.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocspring%2Fbetter_content_security_policy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdocspring%2Fbetter_content_security_policy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocspring%2Fbetter_content_security_policy/lists"}
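The README above describes a policy that is accumulated per response (controller defaults, then whatever each rendered partial adds, with duplicates dropped) and serialised once by the `after_action` callback. The following is an added, self-contained Ruby model of that behaviour for readers who want to see the resulting header; it is example code, not the gem's implementation. The class name `CspPolicy`, the analytics host and the report endpoint are assumptions. One caveat it makes explicit: in a serialised CSP header, keyword sources such as `'self'`, `'none'` and `'nonce-…'` must be single-quoted, while host sources are not, so a plain `"nonce-#{...}"` string must end up quoted in the emitted header. The page does not show whether the gem adds those quotes for you, so inspect the real `Content-Security-Policy` header in a browser or with `curl -I` before relying on nonces.

```ruby
require "securerandom"

# Added example (not the gem's code): a minimal per-response CSP accumulator.
# Directives are added from controller defaults and from view partials, duplicate
# sources are dropped, keyword/nonce sources are quoted, and the header name
# switches to the Report-Only variant when report_only is set.
class CspPolicy
  KEYWORDS = %i[self none unsafe_inline unsafe_eval strict_dynamic].freeze

  attr_accessor :report_uri, :report_only

  def initialize
    @directives = {} # "script-src" => ["'self'", "https://host"] (insertion order kept)
    @report_only = false
    @report_uri = nil
  end

  # Add one or more sources to a directive; :script_src becomes "script-src".
  # Calling this repeatedly (e.g. from a partial rendered twice) is harmless.
  def add(directive, *sources)
    name = directive.to_s.tr("_", "-")
    list = (@directives[name] ||= [])
    sources.each do |src|
      quoted = quote(src)
      list << quoted unless list.include?(quoted)
    end
    self
  end

  def header_name
    report_only ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy"
  end

  def header_value
    parts = @directives.map { |name, srcs| "#{name} #{srcs.join(' ')}" }
    parts << "report-uri #{report_uri}" if report_uri
    parts.join("; ")
  end

  private

  # Keyword sources (:self -> 'self', :unsafe_inline -> 'unsafe-inline') and
  # nonce/hash sources must be single-quoted; host sources pass through as-is.
  def quote(src)
    return "'#{src.to_s.tr('_', '-')}'" if KEYWORDS.include?(src)
    s = src.to_s
    return "'#{s}'" if s.start_with?("nonce-", "sha256-", "sha384-", "sha512-")
    s
  end
end

# Simulates one HTML response: ApplicationController defaults first, then a
# view partial (an analytics snippet, rendered twice on purpose) adding its
# own hosts. Hostnames and the report endpoint are assumed values.
def build_example_response(nonce: SecureRandom.base64(16),
                           analytics_host: "https://plausible.example")
  policy = CspPolicy.new
  policy.add(:default_src, :none)
  policy.add(:script_src, :self, "nonce-#{nonce}") # quoted by CspSecurityPolicy#quote
  policy.add(:style_src, :self)
  policy.add(:connect_src, :self)
  policy.report_uri = "https://csp.example/reports"

  2.times do # duplicate entries from a partial rendered twice are dropped
    policy.add(:script_src, analytics_host)
    policy.add(:connect_src, analytics_host)
  end

  [policy.header_name, policy.header_value]
end

if __FILE__ == $PROGRAM_NAME
  name, value = build_example_response(nonce: "abc123")
  puts "#{name}: #{value}"
end
```

Running the file prints a single enforcing header in which `script-src` carries `'self'`, the quoted nonce and the analytics host exactly once. Flip `report_only` to `true` and only the header name changes; violations are then reported to `report-uri` but nothing is blocked, which is the mode to use while tuning a policy and not the mode to ship.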