{"id":30741015,"url":"https://github.com/eason-dev/csp-kit","last_synced_at":"2025-09-04T00:18:57.274Z","repository":{"id":301790940,"uuid":"1010319744","full_name":"eason-dev/csp-kit","owner":"eason-dev","description":"Modern Content Security Policy (CSP) generator for popular web services and libraries","archived":false,"fork":false,"pushed_at":"2025-08-25T11:59:21.000Z","size":2025,"stargazers_count":4,"open_issues_count":13,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-29T11:55:17.258Z","etag":null,"topics":["content-security-policy","csp","javascript","typescript","web","web-security"],"latest_commit_sha":null,"homepage":"https://csp-kit.eason.ch","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eason-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-28T20:20:50.000Z","updated_at":"2025-08-13T03:53:04.000Z","dependencies_parsed_at":"2025-07-19T21:19:38.975Z","dependency_job_id":"dfc55ee2-9e5f-4dc6-8191-a020b126d92d","html_url":"https://github.com/eason-dev/csp-kit","commit_stats":null,"previous_names":["kamigami55/csp-js","eason-dev/csp-js","eason-dev/csp-kit"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/eason-dev/csp-kit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eason-dev%2Fcsp-kit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eason-dev%2Fcsp-kit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/rep
ositories/eason-dev%2Fcsp-kit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eason-dev%2Fcsp-kit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eason-dev","download_url":"https://codeload.github.com/eason-dev/csp-kit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eason-dev%2Fcsp-kit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273530866,"owners_count":25122079,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-03T02:00:09.631Z","response_time":76,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["content-security-policy","csp","javascript","typescript","web","web-security"],"created_at":"2025-09-04T00:18:53.698Z","updated_at":"2025-09-04T00:18:57.231Z","avatar_url":"https://github.com/eason-dev.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CSP Kit 🛡️\n\n\u003cdiv align=\"center\"\u003e\n\n[![Generator Version](https://img.shields.io/npm/v/@csp-kit/generator?label=%40csp-kit%2Fgenerator)](https://www.npmjs.com/package/@csp-kit/generator)\n[![Data Version](https://img.shields.io/npm/v/@csp-kit/data?label=%40csp-kit%2Fdata)](https://www.npmjs.com/package/@csp-kit/data)\n[![NPM 
Downloads](https://img.shields.io/npm/dm/@csp-kit/data)](https://www.npmjs.com/package/@csp-kit/data)\n[![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/eason-dev/csp-kit/blob/main/LICENSE)\n\n**The modern Content Security Policy toolkit for developers** \\\n**Open Source • 106+ services • Zero config • TypeScript-first • Web interface**\n\n[📖 Documentation](https://csp-kit.eason.ch/docs) • [🌐 Web Generator](https://csp-kit.eason.ch) • [🚀 Quick Start](#-quick-start)\n\n\u003c/div\u003e\n\n---\n\n## Table of Contents\n\n- [Why CSP Kit?](#-why-csp-kit)\n- [Features](#-features)\n- [Quick Start](#-quick-start)\n- [API Reference](#-api-reference)\n- [Custom Services](#-custom-services)\n- [Available Services](#-available-services)\n- [Documentation \u0026 Resources](#-documentation--resources)\n- [Keeping Up-to-Date](#-keeping-up-to-date)\n- [Contributing](#-contributing)\n- [License](#-license)\n\n## 🎯 Why CSP Kit?\n\nContent Security Policy is **critical for web security**, but manually managing CSP headers is complex and error-prone. 
CSP Kit transforms this experience:\n\n```javascript\n// ❌ Traditional approach: Manual, error-prone, hard to maintain\nconst csp =\n  \"script-src 'self' https://www.googletagmanager.com https://js.stripe.com; style-src 'self' https://fonts.googleapis.com; connect-src 'self' https://api.stripe.com...\";\n\n// ✅ CSP Kit approach: Type-safe, automatic, always up-to-date\nimport { generateCSP } from '@csp-kit/generator';\nimport { GoogleAnalytics, Stripe, GoogleFonts } from '@csp-kit/data';\n\nconst { header } = generateCSP({\n  services: [GoogleAnalytics, Stripe, GoogleFonts],\n});\n```\n\n**Key Benefits:**\n\n- 🎯 **Service-First**: Import services directly, no manual CSP directives\n- 📦 **106+ Services**: Pre-configured CSP for all major web services\n- 🔧 **TypeScript**: Full type safety and IntelliSense support\n- 🌐 **Web Interface**: Visual generator at [csp-kit.eason.ch](https://csp-kit.eason.ch)\n\n## ✨ Features\n\n- **[Web Interface](https://csp-kit.eason.ch)**: Visual service selection, instant CSP generation\n- **TypeScript API**: Type-safe service imports with tree-shaking\n- **Nonce Support**: Built-in cryptographic nonce generation\n- **Multiple Outputs**: Headers, meta tags, or JSON format\n\n## 🚀 Quick Start\n\n### 1. Try the Web Interface _(Recommended)_\n\nVisit **[csp-kit.eason.ch](https://csp-kit.eason.ch)** for an interactive experience:\n\n- Select services visually\n- See real-time CSP generation\n- Copy ready-to-use headers\n- No installation required\n\n### 2. Install for Your Project\n\n**Core packages** (both required):\n\n```bash\n# npm\nnpm install @csp-kit/generator @csp-kit/data\n\n# yarn\nyarn add @csp-kit/generator @csp-kit/data\n\n# pnpm\npnpm add @csp-kit/generator @csp-kit/data\n```\n\n### 3. 
Basic Usage\n\n```typescript\nimport { generateCSP } from '@csp-kit/generator';\nimport { GoogleAnalytics, Stripe, GoogleFonts } from '@csp-kit/data';\n\n// 🎯 Generate CSP for multiple services\nconst result = generateCSP({\n  services: [GoogleAnalytics, Stripe, GoogleFonts],\n});\n\nconsole.log(result.header);\n// Output: \"script-src 'self' https://www.googletagmanager.com https://js.stripe.com; style-src 'self' https://fonts.googleapis.com; ...\"\n\n// 🚀 Use in Express.js\napp.use((req, res, next) =\u003e {\n  res.setHeader('Content-Security-Policy', result.header);\n  next();\n});\n\n// 🔐 Use in Next.js\nexport default function handler(req, res) {\n  res.setHeader('Content-Security-Policy', result.header);\n  // Your API logic\n}\n```\n\n### 4. Advanced Configuration\n\n```typescript\nimport { generateCSP, generateNonce } from '@csp-kit/generator';\nimport { GoogleAnalytics, Typeform, Youtube } from '@csp-kit/data';\n\n// 🔧 Advanced configuration with custom rules\nconst nonce = generateNonce();\n\nconst result = generateCSP({\n  services: [GoogleAnalytics, Typeform, Youtube],\n  nonce, // Use cryptographic nonce\n  additionalRules: {\n    'script-src': ['https://my-custom-domain.com'],\n    'img-src': ['data:', 'blob:'],\n  },\n  reportUri: 'https://my-site.com/csp-report',\n  includeSelf: true,\n});\n\nconsole.log(result);\n// {\n//   header: \"script-src 'self' 'nonce-abc123' https://www.googletagmanager.com ...\",\n//   directives: { 'script-src': [...], 'style-src': [...] 
},\n//   reportOnlyHeader: \"Content-Security-Policy-Report-Only: ...\",\n//   includedServices: [\"google-analytics\", \"typeform\", \"youtube\"],\n//   warnings: [],\n//   nonce: \"abc123\"\n// }\n\n// 📋 Use report-only for testing\nres.setHeader('Content-Security-Policy-Report-Only', result.reportOnlyHeader);\n```\n\n## 📚 API Reference\n\n### Complete Example with All Options\n\n```typescript\nimport { generateCSP, generateNonce } from '@csp-kit/generator';\nimport { GoogleAnalytics, Stripe, Cloudflare } from '@csp-kit/data';\n\n// Generate a cryptographic nonce\nconst nonce = generateNonce();\n\n// Configure CSP with all available options\nconst result = generateCSP({\n  // Required: Services to include\n  services: [GoogleAnalytics, Stripe, Cloudflare],\n\n  // Optional: Nonce for inline scripts\n  nonce: nonce, // or true to auto-generate, or your own string\n\n  // Optional: Additional custom rules\n  additionalRules: {\n    'script-src': ['https://my-custom-cdn.com'],\n    'img-src': ['data:', 'blob:'],\n    'font-src': ['https://my-fonts.com'],\n  },\n\n  // Optional: CSP violation reporting endpoint\n  reportUri: 'https://my-site.com/csp-violations',\n\n  // Optional: Include 'self' in directives (default: false)\n  includeSelf: true,\n\n  // Optional: Allow unsafe-inline (NOT recommended, default: false)\n  includeUnsafeInline: false,\n\n  // Optional: Allow unsafe-eval (NOT recommended, default: false)\n  includeUnsafeEval: false,\n\n  // Optional: Environment-specific overrides\n  development: {\n    includeUnsafeEval: true, // Allow eval() in development only\n    includeUnsafeInline: true, // Allow inline scripts in development\n  },\n  production: {\n    reportUri: 'https://production.com/csp-report',\n  },\n});\n\n// Access all result properties\nconsole.log(result.header); // \"script-src 'self' 'nonce-xyz' https://...\"\nconsole.log(result.directives); // { 'script-src': [...], 'style-src': [...] 
}\nconsole.log(result.reportOnlyHeader); // \"Content-Security-Policy-Report-Only: ...\"\nconsole.log(result.includedServices); // [\"google-analytics\", \"stripe\", \"cloudflare\"]\nconsole.log(result.unknownServices); // [] (services that weren't found)\nconsole.log(result.nonce); // \"xyz123...\" (the generated nonce)\n\n// Apply the CSP header\napp.use((req, res, next) =\u003e {\n  res.setHeader('Content-Security-Policy', result.header);\n  next();\n});\n```\n\n### Key Functions\n\n```typescript\nimport {\n  generateCSP, // Main generator function (shown above)\n  generateCSPHeader, // Returns only the header string\n  generateNonce, // Generate cryptographic nonce\n  defineService, // Define custom services\n} from '@csp-kit/generator';\nimport { GoogleAnalytics, Stripe } from '@csp-kit/data'; // Services used below\n\n// generateCSPHeader - Shorthand for getting just the header\nconst header = generateCSPHeader({\n  services: [GoogleAnalytics, Stripe],\n});\n// Returns: \"script-src 'self' https://www.google-analytics.com...\"\n\n// generateNonce - Create secure nonces\nconst nonce = generateNonce(); // Default: 16 bytes, base64\nconst hexNonce = generateNonce({\n  encoding: 'hex', // 'base64' or 'hex'\n  length: 32, // Length in bytes\n});\n```\n\n## 🔧 Custom Services\n\nDefine your own services for internal or unsupported third-party services:\n\n```typescript\nimport { defineService, GoogleAnalytics, Stripe } from '@csp-kit/data';\nimport { generateCSP } from '@csp-kit/generator';\n\n// Define a custom service - only directives are required\nconst MyCustomService = defineService({\n  directives: {\n    'script-src': ['https://analytics.internal.company.com'],\n    'connect-src': ['https://api.internal.company.com'],\n    'img-src': ['https://assets.internal.company.com'],\n  },\n});\n\n// Use it like any other service, combined with the built-in ones\nconst result = generateCSP({\n  services: [MyCustomService, GoogleAnalytics, Stripe],\n});\n```\n\n## 📦 Available Services\n\nCSP Kit includes 106+ pre-configured services. 
Import them by name from `@csp-kit/data`:\n\n```typescript\nimport {\n  // Analytics\n  AdobeAnalytics, // Adobe Analytics\n  Amplitude, // Amplitude Analytics\n  CloudflareAnalytics, // Cloudflare Web Analytics\n  CrazyEgg, // Crazy Egg Analytics\n  FathomAnalytics, // Fathom Analytics\n  GoogleAnalytics, // Google Analytics 4\n  GoogleOptimize, // Google Optimize\n  GoogleTagManager, // Google Tag Manager\n  Hotjar, // Hotjar Analytics\n  MicrosoftClarity, // Microsoft Clarity\n  Mixpanel, // Mixpanel Analytics\n  PlausibleAnalytics, // Plausible Analytics\n  Segment, // Segment CDP\n  Vwo, // VWO Analytics\n\n  // Payment\n  ApplePay, // Apple Pay\n  GooglePay, // Google Pay\n  Paypal, // PayPal\n  Shopify, // Shopify\n  Square, // Square Payments\n  Stripe, // Stripe\n\n  // Authentication\n  Auth0, // Auth0\n  FirebaseAuth, // Firebase Authentication\n  Okta, // Okta\n  Onelogin, // OneLogin\n  PingIdentity, // Ping Identity\n\n  // Video \u0026 Media\n  Bigbluebutton, // BigBlueButton\n  GoogleMeet, // Google Meet\n  JitsiMeet, // Jitsi Meet\n  MicrosoftTeams, // Microsoft Teams\n  Twitch, // Twitch\n  Vimeo, // Vimeo\n  Youtube, // YouTube\n  Zoom, // Zoom\n\n  // Social Media\n  Discord, // Discord Widget\n  Facebook, // Facebook SDK\n  FacebookAds, // Facebook Ads\n  Instagram, // Instagram Embeds\n  Linkedin, // LinkedIn\n  LinkedinAds, // LinkedIn Ads\n  Pinterest, // Pinterest\n  Slack, // Slack\n  Snapchat, // Snapchat\n  Tiktok, // TikTok\n  Twitter, // Twitter/X\n  TwitterAds, // Twitter Ads\n  Whatsapp, // WhatsApp\n\n  // Chat \u0026 Support\n  CrispChat, // Crisp Chat\n  Drift, // Drift Chat\n  Freshchat, // Freshchat\n  Intercom, // Intercom\n  TawkTo, // Tawk.to\n  Zendesk, // Zendesk\n\n  // Forms \u0026 Email\n  Calendly, // Calendly\n  CampaignMonitor, // Campaign Monitor\n  ConstantContact, // Constant Contact\n  Convertkit, // ConvertKit\n  Mailchimp, // Mailchimp\n  Mailgun, // Mailgun\n  Sendgrid, // SendGrid\n  Typeform, // Typeform\n  
Unbounce, // Unbounce\n\n  // CDN \u0026 Infrastructure\n  AwsCloudfront, // AWS CloudFront\n  AzureCdn, // Azure CDN\n  Cdnjs, // cdnjs\n  Cloudflare, // Cloudflare (legacy alias for AwsCloudfront)\n  Fastly, // Fastly CDN\n  Jsdelivr, // jsDelivr\n  Keycdn, // KeyCDN\n  Maxcdn, // MaxCDN\n  Unpkg, // unpkg\n\n  // Monitoring \u0026 Analytics\n  Datadog, // Datadog RUM\n  NewRelic, // New Relic Browser\n  Sentry, // Sentry\n\n  // Marketing \u0026 Advertising\n  GoogleAds, // Google Ads\n  Hubspot, // HubSpot\n  MicrosoftAds, // Microsoft Ads\n  Optimizely, // Optimizely\n\n  // Maps\n  GoogleMaps, // Google Maps\n  Mapbox, // Mapbox\n  OpenstreetmapLeaflet, // OpenStreetMap with Leaflet\n\n  // Fonts\n  GoogleFonts, // Google Fonts\n\n  // CMS \u0026 Platforms\n  Contentful, // Contentful\n  Divi, // Divi\n  Drupal, // Drupal\n  Elementor, // Elementor\n  Gitbook, // GitBook\n  Sanity, // Sanity\n  Squarespace, // Squarespace\n  Strapi, // Strapi\n  Teachable, // Teachable\n  Thinkific, // Thinkific\n  Udemy, // Udemy\n  Webflow, // Webflow\n  Wix, // Wix\n  Woocommerce, // WooCommerce\n  Wordpress, // WordPress\n\n  // Search \u0026 Discovery\n  Algolia, // Algolia\n  Constructor, // Constructor.io\n  Elasticsearch, // Elasticsearch\n  Klevu, // Klevu\n  Swiftype, // Swiftype\n\n  // Other\n  Notion, // Notion\n} from '@csp-kit/data';\n```\n\nView the full interactive list at [csp-kit.eason.ch/services](https://csp-kit.eason.ch/services)\n\n## 📚 Documentation \u0026 Resources\n\n| Resource                                                                | Description                                     |\n| ----------------------------------------------------------------------- | ----------------------------------------------- |\n| **[🌐 Web Generator](https://csp-kit.eason.ch)**                        | Interactive CSP generator with visual interface |\n| **[📖 Full Documentation](https://csp-kit.eason.ch/docs)**              | Complete guides, API reference, and 
examples    |\n| **[🛠️ API Reference](https://csp-kit.eason.ch/docs/api-reference)**     | Detailed API documentation                      |\n| **[📦 Service Catalog](https://csp-kit.eason.ch/services)**             | Browse all 106+ supported services              |\n| **[🤝 Contributing Guide](https://csp-kit.eason.ch/docs/contributing)** | How to contribute new services                  |\n| **[💻 Development Setup](./DEVELOPMENT.md)**                            | Complete IDE and environment setup              |\n\n## 🔄 Keeping Up-to-Date\n\n### Getting Updates\n\n```bash\n# Update to latest versions\nnpm update @csp-kit/generator @csp-kit/data\n\n# Check for available updates\nnpm outdated @csp-kit/generator @csp-kit/data\n```\n\n## 🤝 Contributing\n\nWe welcome contributions! CSP Kit is community-driven, and we appreciate:\n\n- 🆕 **New Service Definitions**: Add support for new services\n- 🐛 **Bug Reports**: Help us identify and fix issues\n- 📖 **Documentation**: Improve guides and examples\n- 🌐 **Translations**: Help internationalize the project\n- ⚡ **Performance**: Optimize code and reduce bundle size\n\nSee our [Contributing Guide](CONTRIBUTING.md) for detailed instructions.\n\n## 📄 License\n\nCSP Kit is [MIT licensed](LICENSE). Free for commercial and personal use.\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n**[Get Started →](https://csp-kit.eason.ch)** | **[Documentation](https://csp-kit.eason.ch/docs)** | **[GitHub](https://github.com/eason-dev/csp-kit)**\n\nMade with ❤️ by [contributors](https://github.com/eason-dev/csp-kit/graphs/contributors)\n\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feason-dev%2Fcsp-kit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feason-dev%2Fcsp-kit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feason-dev%2Fcsp-kit/lists"}