{"id":19982412,"url":"https://github.com/netlify/plugin-csp-nonce","last_synced_at":"2025-10-26T12:04:59.429Z","repository":{"id":190269704,"uuid":"644081097","full_name":"netlify/plugin-csp-nonce","owner":"netlify","description":"Build plugin to use a nonce for the script-src directive of your site's Content Security Policy.","archived":false,"fork":false,"pushed_at":"2025-03-27T14:05:30.000Z","size":3591,"stargazers_count":5,"open_issues_count":7,"forks_count":6,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-01T00:31:02.169Z","etag":null,"topics":["csp","netlify","security"],"latest_commit_sha":null,"homepage":"https://csp-nonce.netlify.app","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/netlify.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-05-22T19:19:55.000Z","updated_at":"2025-03-27T14:05:14.000Z","dependencies_parsed_at":"2023-08-23T22:41:54.559Z","dependency_job_id":"aa7f438b-cc35-43a9-9406-245d96cbb854","html_url":"https://github.com/netlify/plugin-csp-nonce","commit_stats":{"total_commits":53,"total_committers":3,"mean_commits":"17.666666666666668","dds":"0.41509433962264153","last_synced_commit":"3a5fd7712ef8f54d7d3981c74c022c6be8f20787"},"previous_names":["netlify/plugin-csp-nonce"],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netlify%2Fplugin-csp-nonce","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netlify%2Fplugin-csp-nonce/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/repositories/netlify%2Fplugin-csp-nonce/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netlify%2Fplugin-csp-nonce/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/netlify","download_url":"https://codeload.github.com/netlify/plugin-csp-nonce/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251806153,"owners_count":21646839,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csp","netlify","security"],"created_at":"2024-11-13T04:11:11.077Z","updated_at":"2025-10-26T12:04:59.356Z","avatar_url":"https://github.com/netlify.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# @netlify/plugin-csp-nonce\n\nUse a [nonce](https://content-security-policy.com/nonce/) for the `script-src` directive of your Content Security Policy (CSP) to help prevent [cross-site scripting (XSS)](https://developer.mozilla.org/en-US/docs/Web/Security/Types_of_attacks#cross-site_scripting_xss) attacks.\n\nThis plugin deploys an edge function that adds a response header and transforms the HTML response body to contain a unique nonce on every request, along with an optional function to log CSP violations.\n\nScripts that do not contain a matching `nonce` attribute, or that were not created from a trusted script (see [strict-dynamic](https://content-security-policy.com/strict-dynamic/)), will not be allowed to run.\n\nYou can use this plugin whether or not your site already has a CSP in place. 
If your site already has a CSP, the nonce will merge with your existing directives.\n\n## Installation\n\nFirst, add the dependency:\n\n```\nnpm i @netlify/plugin-csp-nonce\n```\n\nThen, include the plugin inside your `netlify.toml`:\n\n```\n# netlify.toml\n[[plugins]]\n  package = \"@netlify/plugin-csp-nonce\"\n```\n\n## Configuration options\n\nSample configuration:\n\n```\n# netlify.toml\n[[plugins]]\n  package = \"@netlify/plugin-csp-nonce\"\n  [plugins.inputs]\n    reportOnly = false\n    excludedPath = [\n      \"/api/*\",\n      \"**/*.bespoke.extension\"\n    ]\n```\n\n#### `reportOnly`\n\n_Default: `true`_.\n\nWhen true, uses the `Content-Security-Policy-Report-Only` header instead of the `Content-Security-Policy` header. Setting `reportOnly` to `true` is useful for testing the CSP with real production traffic without actually blocking resources. Be sure to monitor your logging function to observe potential violations.\n\n#### `reportUri`\n\n_Default: `undefined`_.\n\nThe relative or absolute URL to which violations are reported. If left undefined, violations are reported to the `__csp-violations` function, which this plugin deploys. If your site already has a `report-uri` directive defined in its CSP header, then that value will take precedence.\n\n#### `unsafeEval`\n\n_Default: `true`._\n\nWhen true, adds `'unsafe-eval'` to the CSP for easier adoption. Set to `false` to have a safer policy if your code and your code's dependencies do not use `eval()`.\n\n#### `path`\n\n_Default: `\"/*\"`._\n\nThe glob expressions of path(s) that should invoke the CSP nonce edge function. Can be a string or array of strings.\n\n#### `excludedPath`\n\n_Default: `[]`_\n\nThe glob expressions of path(s) that _should not_ invoke the CSP nonce edge function. Must be an array of strings. 
This value gets spread with common non-HTML filetype extensions (`*.css`, `*.js`, `*.svg`, etc).\n\n## Debugging\n\n### Limiting edge function invocations\n\nBy default, the edge function that inserts the nonce will be invoked on all requests whose path\n\n- does not begin with `/.netlify/`\n- does not end with common non-HTML filetype extensions\n\nTo further limit invocations, add globs to the `excludedPath` configuration option that are specific to your site.\n\nRequests that invoke the nonce edge function will contain an `x-debug-csp-nonce: invoked` response header. Use this to determine if unwanted paths are invoking the edge function, and add those paths to the `excludedPath` array.\n\nAlso, monitor the edge function logs in the Netlify UI. If the edge function is invoked but the response is not transformed, the request's path will be logged.\n\n### Not transforming as expected\n\nIf your HTML does not contain the `nonce` attribute on the `\u003cscript\u003e` tags that you expect, ensure that all of these criteria are met:\n\n- The request method is `GET`\n- The `content-type` response header starts with `text/html`\n- The path of the request is satisfied by the `path` config option, and not included in the `excludedPath` config option\n- This site does not use [Split Testing](https://docs.netlify.com/site-deploys/split-testing/). There is a [known limitation](https://docs.netlify.com/edge-functions/limits/#feature-limitations) that requests to sites with Split Testing enabled will not execute edge functions.\n\n### Controlling rollout\n\nYou may want to gradually roll out the effects of this plugin while you monitor violation reports, without modifying code.\n\nYou can ramp up or ramp down the inclusion of the `Content-Security-Policy` header by setting the `CSP_NONCE_DISTRIBUTION` environment variable to a value between `0` and `1`.\n\n- If `0`, the plugin is completely skipped at build time, and no extra functions or edge functions get deployed. 
Functionally, this acts the same as if the plugin isn't installed at all.\n- If `1`, 100% of traffic for all matching paths will include the nonce. Functionally, this acts the same as if the `CSP_NONCE_DISTRIBUTION` environment variable was not defined.\n- Any value in between `0` and `1` will include the nonce in randomly distributed traffic. For example, a value of `0.25` will put the nonce in the `Content-Security-Policy` header for 25% of requests for matching paths. The other 75% of matching requests will have the nonce in the `Content-Security-Policy-Report-Only` header.\n\nThe `CSP_NONCE_DISTRIBUTION` environment variable needs to be scoped to both `Builds` and `Functions`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetlify%2Fplugin-csp-nonce","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnetlify%2Fplugin-csp-nonce","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetlify%2Fplugin-csp-nonce/lists"}