{"id":15392686,"url":"https://github.com/jackdbd/content-security-policy","last_synced_at":"2026-02-19T00:35:10.686Z","repository":{"id":112531958,"uuid":"609794784","full_name":"jackdbd/content-security-policy","owner":"jackdbd","description":"Content-Security-Policy in JavaScript, with validation and automatic hashes.","archived":false,"fork":false,"pushed_at":"2024-09-19T21:39:55.000Z","size":1286,"stargazers_count":1,"open_issues_count":4,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-29T07:00:03.258Z","etag":null,"topics":["content-security-policy","cross-site-scripting","csp","csp-directives","http","http-header","xss"],"latest_commit_sha":null,"homepage":"https://jackdbd.github.io/content-security-policy/","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jackdbd.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-03-05T09:01:06.000Z","updated_at":"2024-09-19T21:39:58.000Z","dependencies_parsed_at":null,"dependency_job_id":"3016a20f-cb6c-48fb-b6aa-2746af79c790","html_url":"https://github.com/jackdbd/content-security-policy","commit_stats":{"total_commits":29,"total_committers":2,"mean_commits":14.5,"dds":"0.48275862068965514","last_synced_commit":"b65c9dcee2303ad90e6b95cb15d8ff2896dfef39"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/jackdbd/content-security-policy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackdbd%2Fcontent-security-policy","tags_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackdbd%2Fcontent-security-policy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackdbd%2Fcontent-security-policy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackdbd%2Fcontent-security-policy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jackdbd","download_url":"https://codeload.github.com/jackdbd/content-security-policy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackdbd%2Fcontent-security-policy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29599397,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-18T22:25:43.180Z","status":"ssl_error","status_checked_at":"2026-02-18T22:25:42.766Z","response_time":162,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["content-security-policy","cross-site-scripting","csp","csp-directives","http","http-header","xss"],"created_at":"2024-10-01T15:15:40.794Z","updated_at":"2026-02-19T00:35:10.666Z","avatar_url":"https://github.com/jackdbd.png","language":"HTML","readme":"# content-security-policy\n\n[![npm package 
badge](https://badge.fury.io/js/@jackdbd%2Fcontent-security-policy.svg)](https://badge.fury.io/js/@jackdbd%2Fcontent-security-policy)\n[![install size badge](https://packagephobia.com/badge?p=@jackdbd/content-security-policy)](https://packagephobia.com/result?p=@jackdbd/content-security-policy)\n[![CI GitHub workflow badge](https://github.com/jackdbd/content-security-policy/actions/workflows/ci.yaml/badge.svg)](https://github.com/jackdbd/content-security-policy/actions/workflows/ci.yaml)\n[![CodeCov badge](https://codecov.io/gh/jackdbd/content-security-policy/graph/badge.svg?token=9jddzo5Dt3)](https://codecov.io/gh/jackdbd/content-security-policy)\n[![CodeFactor badge](https://www.codefactor.io/repository/github/jackdbd/content-security-policy/badge)](https://www.codefactor.io/repository/github/jackdbd/content-security-policy)\n[![Socket badge](https://socket.dev/api/badge/npm/package/@jackdbd/content-security-policy)](https://socket.dev/npm/package/@jackdbd/content-security-policy)\n[![Conventional Commits badge](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits\u0026logoColor=white)](https://conventionalcommits.org)\n\nWrite your Content-Security-Policy header in JavaScript, so you can have validation and automatic hashes.\n\n- [About](#about)\n- [Installation](#installation)\n- [Usage](#usage)\n- [Configuration](#configuration)\n  - [Options](#options)\n  - [Supported CSP directives](#supported-csp-directives)\n  - [Deprecated CSP directives](#deprecated-csp-directives)\n  - [Experimental CSP directives](#experimental-csp-directives)\n- [Docs](#docs)\n- [Dependencies](#dependencies)\n- [Troubleshooting](#troubleshooting)\n- [Alternatives](#alternatives)\n- [License](#license)\n\n## About\n\nA [strict Content-Security-Policy](https://web.dev/articles/strict-csp) is probably the single most important line of defense against Cross-Site Scripting (XSS) attacks.\n\nUnfortunately, writing a good CSP header by hand is a pain. 
Here is why:\n\n- You might write an invalid CSP directive (e.g. typos, incorrect values).\n- You might write a CSP directive that is supported in one browser but not in another.\n- You might want to allow some inline CSS/JS in your HTML page, but you neither:\n  - want to compromise security by using [unsafe-inline](https://content-security-policy.com/unsafe-inline/), nor...\n  - want to compute the cryptographic hash of each snippet of CSS/JS that you inlined and whitelist them by hand.\n\nAlso, you should:\n\n- keep your CSP quite visible in your codebase, since it's such an important configuration for your website/app.\n- generate your CSP in multiple formats (JS object literal, JS array, plain text), so other tools can easily consume it.\n\nThis package validates your Content-Security-Policy [directives](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#directives) and computes a cryptographic hash (SHA-256, SHA-384 or SHA-512) for each snippet of CSS/JS that you inline in your HTML file.\n\n## Installation\n\n```sh\nnpm install @jackdbd/content-security-policy\n```\n\n## Usage\n\nLet's suppose you have an Eleventy site that has the following characteristics:\n\n- fonts self-hosted on your origin\n- stylesheets self-hosted on your origin. 
No CSS inlined in the `\u003chead\u003e`\n- a few event handlers inlined in the HTML\n- a few images hosted on a CDN\n\nIf your Eleventy site was generated in the `_site` folder, you could generate a `Content-Security-Policy` header with this code:\n\n```js\nimport path from 'node:path'\nimport { cspHeader } from '@jackdbd/content-security-policy'\n\nconst directives = {\n  'base-uri': ['self'],\n  'default-src': ['none'],\n  'font-src': ['self'],\n  'img-src': ['self', 'cdn.example.com'],\n  'script-src-attr': ['self', 'unsafe-hashes', 'sha256'],\n  'style-src-elem': ['self']\n}\n\nconst patterns = [path.join('_site', '**/*.html')]\n\nconst header = await cspHeader({ directives, patterns })\n```\n\nThe Content-Security-Policy header is made of directives. If you don't know where to start, use one of the following policies:\n\n```js\nimport {\n  starter_policy,\n  recommended_policy\n} from '@jackdbd/content-security-policy/policies'\n\nconst directives = recommended_policy\n```\n\n## Configuration\n\n### Options\n\n| Key | Default | Description |\n|---|---|---|\n| `directives` | `undefined` | Directives for your `Content-Security-Policy` (or `Content-Security-Policy-Report-Only`). |\n| `patterns` | `undefined` | Glob patterns for your `.html` files. 
|\n\n### Supported CSP directives\n\n[base-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri), [child-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src), [connect-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src), [default-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src), [font-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src), [form-action](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action), [frame-ancestors](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors), [frame-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src), [img-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src), [manifest-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src), [media-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src), [navigate-to](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/navigate-to), [object-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src), [report-to](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to), [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox), [script-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src), [script-src-attr](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr), [script-src-elem](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem), 
[source-values](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/source-values), [style-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src), [style-src-attr](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr), [style-src-elem](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem), [upgrade-insecure-requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests), [worker-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src)\n\n### Deprecated CSP directives\n\n[block-all-mixed-content](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content), [plugin-types](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types), [prefetch-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src), [referrer](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer), [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri), [require-sri-for](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for)\n\n### Experimental CSP directives\n\n[fenced-frame-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src), [require-trusted-types-for](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for), [trusted-types](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types)\n\n## Docs\n\n[Docs generated by TypeDoc](https://jackdbd.github.io/content-security-policy/)\n\n\u003e 📖 **API Docs**\n\u003e\n\u003e This project uses [API 
Extractor](https://api-extractor.com/) and [api-documenter markdown](https://api-extractor.com/pages/commands/api-documenter_markdown/) to generate a bunch of markdown files and a `.d.ts` rollup file containing all type definitions consolidated into a single file. I don't find this `.d.ts` rollup file particularly useful. On the other hand, the markdown files that api-documenter generates are quite handy when reviewing the public API of this project.\n\u003e\n\u003e *See [Generating API docs](https://api-extractor.com/pages/setup/generating_docs/) if you want to know more*.\n\n## Dependencies\n\n| Package | Version |\n|---|---|\n| [debug](https://www.npmjs.com/package/debug) | `^4.3.4` |\n| [globby](https://www.npmjs.com/package/globby) | `^14.0.1` |\n| [himalaya](https://www.npmjs.com/package/himalaya) | `^1.1.0` |\n| [zod](https://www.npmjs.com/package/zod) | `^3.23.4` |\n\nThis project is tested on Node.js \u003e=14.21.3.\n\nYou can use a Node.js version manager like [nvm](https://github.com/nvm-sh/nvm), [asdf](https://github.com/asdf-vm/asdf) or [volta](https://github.com/volta-cli/volta) to manage your Node.js versions.\n\n## Troubleshooting\n\nThis project uses the [debug](https://github.com/debug-js/debug) library for logging.\nYou can control what's logged using the `DEBUG` environment variable.\n\nFor example, if you set your environment variables in a `.envrc` file, you can do:\n\n```sh\n# print all logging statements\nexport DEBUG=csp:*\n```\n\n## Alternatives\n\n- [netlify-plugin-csp-generator](https://github.com/MarcelloTheArcane/netlify-plugin-csp-generator). It uses [jsdom](https://github.com/jsdom/jsdom) to find all inlined CSS/JS snippets in your website, computes a SHA-256 hash for each of them, then appends the CSP to your `_headers` file. Really cool, but you have to host your site on Netlify to use it.\n- [seespee](https://github.com/papandreou/seespee). 
It uses [AssetGraph](https://github.com/assetgraph/assetgraph) to build a dependency graph of your website, then it computes hashes for the assets included in such graph.\n\n## License\n\n\u0026copy; 2022 - 2024 [Giacomo Debidda](https://www.giacomodebidda.com/) // [MIT License](https://spdx.org/licenses/MIT.html)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjackdbd%2Fcontent-security-policy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjackdbd%2Fcontent-security-policy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjackdbd%2Fcontent-security-policy/lists"}