{"id":19982411,"url":"https://github.com/netlify/integration-csp","last_synced_at":"2025-05-04T05:32:22.145Z","repository":{"id":190275952,"uuid":"677341276","full_name":"netlify/integration-csp","owner":"netlify","description":"Netlify integration to use a nonce for the script-src directive of your site's Content Security Policy.","archived":true,"fork":false,"pushed_at":"2025-02-12T00:36:16.000Z","size":832,"stargazers_count":7,"open_issues_count":13,"forks_count":4,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-05-01T00:30:54.457Z","etag":null,"topics":["csp","netlify","security"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/netlify.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-08-11T10:27:17.000Z","updated_at":"2025-02-13T20:20:24.000Z","dependencies_parsed_at":"2023-10-14T03:03:22.384Z","dependency_job_id":"1a691326-95b0-4153-af48-20c184d88927","html_url":"https://github.com/netlify/integration-csp","commit_stats":{"total_commits":24,"total_committers":3,"mean_commits":8.0,"dds":"0.29166666666666663","last_synced_commit":"a2ef151871b166cb0981895d767dd4541bf009cd"},"previous_names":["netlify/integration-csp"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netlify%2Fintegration-csp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netlify%2Fintegration-csp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/netlify%2Fintegration-csp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netlify%2Fintegration-csp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/netlify","download_url":"https://codeload.github.com/netlify/integration-csp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252293082,"owners_count":21724960,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csp","netlify","security"],"created_at":"2024-11-13T04:11:11.008Z","updated_at":"2025-05-04T05:32:21.863Z","avatar_url":"https://github.com/netlify.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Netlify CSP Integration\n\nUse a [nonce](https://content-security-policy.com/nonce/) for the `script-src` directive of your Content Security Policy (CSP) to help prevent [cross-site scripting (XSS)](https://developer.mozilla.org/en-US/docs/Web/Security/Types_of_attacks#cross-site_scripting_xss) attacks.\n\nThis integration deploys an edge function that adds a response header and transforms the HTML response body to contain a unique nonce on every request, along with an optional function to log CSP violations.\n\nScripts that do not contain a matching `nonce` attribute, or that were not created from a trusted script (see [strict-dynamic](https://content-security-policy.com/strict-dynamic/)), will not be allowed to run.\n\nYou can use this integration whether or not your site already has a CSP in place. 
If your site already has a CSP, the nonce will merge with your existing directives.\n\n🧩 This integration is installed and configured in the Netlify UI. If you prefer a configuration-as-code approach, check out the [@netlify/plugin-csp-nonce](https://www.npmjs.com/package/@netlify/plugin-csp-nonce) npm package.\n\n## Configuration options\n\n#### `reportOnly`\n\n_Default: `true`._\n\nWhen true, uses the `Content-Security-Policy-Report-Only` header instead of the `Content-Security-Policy` header. Setting `reportOnly` to `true` is useful for testing the CSP with real production traffic without actually blocking resources. Be sure to monitor your logging function to observe potential violations.\n\n#### `reportUri`\n\n_Default: `undefined`._\n\nThe relative or absolute URL to report any violations. If left undefined, violations are reported to the `__csp-violations` function, which this integration deploys. If your site already has a `report-uri` directive defined in its CSP header, then that value will take precedence.\n\n#### `unsafeEval`\n\n_Default: `true`._\n\nWhen true, adds `'unsafe-eval'` to the CSP for easier adoption. Set to `false` to have a safer policy if your code and its dependencies do not use `eval()`.\n\n#### `path`\n\n_Default: `/*`._\n\nThe glob expressions of path(s) that should invoke the CSP nonce edge function. Can be a string or an array of strings.\n\n#### `excludedPath`\n\n_Default: `[]`._\n\nThe glob expressions of path(s) that _should not_ invoke the CSP nonce edge function. Must be an array of strings. 
This value is combined with a built-in list of common non-HTML filetype extensions (`*.css`, `*.js`, `*.svg`, etc.).\n\n## Debugging\n\n### Limiting edge function invocations\n\nBy default, the edge function that inserts the nonce will be invoked on all requests whose path\n\n- does not begin with `/.netlify/`\n- does not end with common non-HTML filetype extensions\n\nTo further limit invocations, add globs to the `excludedPath` configuration option that are specific to your site.\n\nRequests that invoke the nonce edge function will contain an `x-debug-csp-nonce: invoked` response header. Use this to determine if unwanted paths are invoking the edge function, and add those paths to the `excludedPath` array.\n\nAlso, monitor the edge function logs in the Netlify UI. If the edge function is invoked but the response is not transformed, the request's path will be logged.\n\n### Not transforming as expected\n\nIf your HTML does not contain the `nonce` attribute on the `\u003cscript\u003e` tags that you expect, ensure that all of these criteria are met:\n\n- The request method is `GET`\n- The `content-type` response header starts with `text/html`\n- The path of the request is matched by the `path` config option, and not included in the `excludedPath` config option\n\n### Controlling rollout\n\nYou may want to gradually roll out the effects of this integration while you monitor violation reports, without modifying code.\n\nYou can ramp up or ramp down the inclusion of the `Content-Security-Policy` header by setting the `CSP_NONCE_DISTRIBUTION` environment variable to a value between `0` and `1`.\n\n- If `0`, the integration is completely skipped at build time, and no extra functions or edge functions get deployed. Functionally, this acts the same as if the integration isn't installed at all.\n- If `1`, 100% of traffic for all matching paths will include the nonce. 
Functionally, this acts the same as if the `CSP_NONCE_DISTRIBUTION` environment variable was not defined.\n- Any value between `0` and `1` will include the nonce in a randomly distributed share of traffic. For example, a value of `0.25` will put the nonce in the `Content-Security-Policy` header for 25% of requests for matching paths. The other 75% of matching requests will have the nonce in the `Content-Security-Policy-Report-Only` header.\n\nThe `CSP_NONCE_DISTRIBUTION` environment variable needs to be scoped to both `Builds` and `Functions`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetlify%2Fintegration-csp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnetlify%2Fintegration-csp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetlify%2Fintegration-csp/lists"}