{"id":40909571,"url":"https://github.com/jamestoohey/csprefabricate","last_synced_at":"2026-02-21T04:04:22.062Z","repository":{"id":279529248,"uuid":"902108554","full_name":"JamesToohey/csprefabricate","owner":"JamesToohey","description":"Generate a valid CSP with TypeScript.","archived":false,"fork":false,"pushed_at":"2026-01-16T23:05:43.000Z","size":2879,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-17T11:27:55.265Z","etag":null,"topics":["contentsecuritypolicy","csp","security","typescript","web-security","xss-protection"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JamesToohey.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-12-11T23:25:33.000Z","updated_at":"2026-01-16T23:05:37.000Z","dependencies_parsed_at":null,"dependency_job_id":"691e6f89-bf6c-441e-a8fa-c6997acb85ab","html_url":"https://github.com/JamesToohey/csprefabricate","commit_stats":null,"previous_names":["jamestoohey/csprefabricate"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/JamesToohey/csprefabricate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JamesToohey%2Fcsprefabricate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JamesToohey%2Fcsprefabricate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JamesToohey%2Fcsprefabricate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JamesToohey%2Fcsprefabricate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JamesToohey","download_url":"https://codeload.github.com/JamesToohey/csprefabricate/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JamesToohey%2Fcsprefabricate/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28651817,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-22T01:17:37.254Z","status":"online","status_checked_at":"2026-01-22T02:00:07.137Z","response_time":144,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["contentsecuritypolicy","csp","security","typescript","web-security","xss-protection"],"created_at":"2026-01-22T03:01:48.949Z","updated_at":"2026-01-22T03:01:49.628Z","avatar_url":"https://github.com/JamesToohey.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# csprefabricate\n\n**Generate a valid CSP with TypeScript.**\n\nContent Security Policies (CSPs) are cumbersome strings that are frustrating to work with:\n\n- Fickle syntax\n- Duplication when multiple TLDs are required\n- Easy to allow insecure configuration\n\nThis project aims to make creating useful and secure CSPs a more pleasant experience.\n\nCurrently `csprefabricate`:\n\n- Validates directive names\n- Supports providing a list of TLDs for a given domain name\n- Provides warnings for insecure or incomplete CSP configurations, with options to disable specific warnings\n\n## Common CSP Issues\n\nBy default, `csprefabricate` will warn you about common CSP issues, such as:\n\n- Overly permissive sources (e.g. using `*`)\n- Missing recommended directives (i.e. `object-src`, `base-uri`, `form-action`)\n- Use of `'unsafe-inline'` in `script-src`, even if nonces or hashes are present\n- Missing nonces or hashes when using `'unsafe-inline'` in `script-src`\n- Allowing `data:` in `img-src` or `media-src`\n\nYou can control which warnings are shown by passing an optional `WarningOptions` object to the `create` function:\n\n```typescript\nimport {\n    create,\n    Directive,\n    ContentSecurityPolicy,\n    WarningOptions,\n} from \"csprefabricate\";\n\nconst csp: ContentSecurityPolicy = {\n    [Directive.SCRIPT_SRC]: [\"*\"],\n    [Directive.IMG_SRC]: [\"data:\"],\n};\n\n// Disable all warnings\nconst warningOptions: WarningOptions = {\n    overlyPermissive: false,\n    missingDirectives: false,\n    unsafeInline: false,\n    missingNonceOrHash: false,\n    dataUri: false,\n};\n\ncreate(csp, warningOptions);\n```\n\nYou can selectively enable or disable specific warnings as needed.\n\n## Real World Examples\n\n### Example 1: Basic Strict Policy\n\n```typescript\nimport {create, Directive, ContentSecurityPolicy} from \"csprefabricate\";\n\nconst csp: ContentSecurityPolicy = {\n    [Directive.DEFAULT_SRC]: [\"'self'\"],\n    [Directive.SCRIPT_SRC]: [\"'self'\"],\n    [Directive.STYLE_SRC]: [\"'self'\"],\n    [Directive.IMG_SRC]: [\"'self'\"],\n    [Directive.OBJECT_SRC]: [\"'none'\"],\n    [Directive.BASE_URI]: [\"'self'\"],\n    [Directive.FORM_ACTION]: [\"'self'\"],\n};\n\nconst cspString = create(csp);\n// \"default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self';\"\n```\n\n### Example 2: Allowing Google Analytics\n\n```typescript\nimport {create, Directive, ContentSecurityPolicy} from \"csprefabricate\";\n\nconst csp: ContentSecurityPolicy = {\n    [Directive.DEFAULT_SRC]: [\"'self'\"],\n    [Directive.SCRIPT_SRC]: [\"'self'\", \"*.googletagmanager.com\"],\n    [Directive.STYLE_SRC]: [\"'self'\"],\n    [Directive.IMG_SRC]: [\n        \"'self'\",\n        \"https://*.google-analytics.com\",\n        \"https://*.googletagmanager.com\",\n    ],\n    [Directive.OBJECT_SRC]: [\"'none'\"],\n    [Directive.BASE_URI]: [\"'self'\"],\n    [Directive.FORM_ACTION]: [\"'self'\"],\n    [Directive.CONNECT_SRC]: [\n        \"'self'\",\n        \"https://*.google-analytics.com\",\n        \"https://*.analytics.google.com\",\n        \"https://*.googletagmanager.com\",\n    ],\n};\n\nconst cspString = create(csp);\n// \"default-src 'self'; script-src 'self' *.googletagmanager.com; style-src 'self'; img-src 'self' https://*.google-analytics.com https://*.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; connect-src 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com;\"\n```\n\n### Example 3: Using TLD Expansion for Multiple Domains\n\n```typescript\nimport {create, Directive, ContentSecurityPolicy} from \"csprefabricate\";\n\nconst csp: ContentSecurityPolicy = {\n    [Directive.IMG_SRC]: [\"self\", {\"*.example\": [\".com\", \".co.uk\", \".net\"]}],\n};\n\nconst cspString = create(csp);\n// \"img-src 'self' *.example.com *.example.co.uk *.example.net;\"\n```\n\n## Baseline Recommended CSPs\n\nYou can quickly generate a recommended Content Security Policy for common use cases using built-in baselines.\n\nAvailable Baselines:\n\n- BASELINE_STRICT_CSP\n- GOOGLE_ANALYTICS_CSP\n- GOOGLE_ANALYTICS_WITH_SIGNALS_CSP\n\n### Google Analytics Baseline CSP\n\nAllow Google Analytics and Tag Manager:\n\n```typescript\nimport {create, Baseline} from \"csprefabricate\";\n\nconst cspString = create(Baseline.GOOGLE_ANALYTICS_CSP);\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjamestoohey%2Fcsprefabricate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjamestoohey%2Fcsprefabricate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjamestoohey%2Fcsprefabricate/lists"}