{"id":15369692,"url":"https://github.com/rahil-p/csp-builder","last_synced_at":"2026-04-19T14:03:07.340Z","repository":{"id":103482067,"uuid":"409053194","full_name":"rahil-p/csp-builder","owner":"rahil-p","description":"A simple Docker executable for generating Content Security Policy headers from YAML","archived":false,"fork":false,"pushed_at":"2021-10-29T19:10:54.000Z","size":25,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-07T06:58:32.396Z","etag":null,"topics":["csp","docker","python","yaml"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rahil-p.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2021-09-22T03:33:50.000Z","updated_at":"2022-09-24T17:24:38.000Z","dependencies_parsed_at":null,"dependency_job_id":"351f0c73-9576-43f3-8e99-c543145a1870","html_url":"https://github.com/rahil-p/csp-builder","commit_stats":{"total_commits":23,"total_committers":2,"mean_commits":11.5,"dds":0.04347826086956519,"last_synced_commit":"ea67900e8eb2ff05d412d168d752775b3b6176ed"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/rahil-p/csp-builder","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rahil-p%2Fcsp-builder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rahil-p%2Fcsp-builder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rahil-p%2Fcsp-builder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rahil-p%2Fcsp
-builder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rahil-p","download_url":"https://codeload.github.com/rahil-p/csp-builder/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rahil-p%2Fcsp-builder/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32009239,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-18T20:23:30.271Z","status":"online","status_checked_at":"2026-04-19T02:00:07.110Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csp","docker","python","yaml"],"created_at":"2024-10-01T13:37:33.617Z","updated_at":"2026-04-19T14:03:07.323Z","avatar_url":"https://github.com/rahil-p.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# csp-builder\n\n[![docker-image][docker-image-badge]][docker-image]\n[![github-workflow][github-workflow-badge]][github-workflow]\n\nA simple Docker executable for parsing Content Security Policies from YAML configuration files, including support for \nenvironment variables.\n\n## Motivation\n\nContent Security Policy is represented by a linefeed \u003ca id='fnr-1' href='#fn-1'\u003e\u003csup\u003e(1)\u003c/sup\u003e\u003c/a\u003e, which can become\ninconvenient to maintain. 
This is especially the case when several backing services require access from varying \ndeployment environments.\n\nThis Docker image provides support for configuring Content Security Policy in YAML.\n\nFor example, instead of maintaining CSP in this kind of format:\n```\ndefault-src 'none';frame-ancestors 'self';frame-src https://app.third-party.com;connect-src wss://qa-chat.my-site.com:*;script-src 'self' 'report-sample';style-src 'self' https://fonts.googleapis.com;font-src data: https://fonts.gstatic.com;report-to https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplekey\n```\n\n...it can be managed with more structure and readability in YAML like:\n```yaml\nContent-Security-Policy:\n  default-src:\n    - 'none'\n  frame-ancestors:\n    - 'self'\n  frame-src:\n    - ${WEBAPP_HOST}\n  connect-src:\n    # comments!\n    - wss://${CHAT_SUBDOMAIN}.my-site.com:*\n  script-src:\n    - \"'self'\"\n    - \"'report-sample'\"\n  style-src:\n    - \"'self'\"\n    - https://fonts.googleapis.com\n  font-src:\n    - 'data:'\n    - https://fonts.gstatic.com\n  report-to:\n    - https://o0.ingest.sentry.io/api/0/security/?sentry_key=${SENTRY_PUBLIC_KEY}\n```\n\nThis image can be used in multi-stage builds or CI pipelines to insert CSP headers in server configurations or `meta`\ntag equivalents in HTML. 
Furthermore, it supports environment variables to allow configuration for different deployment \nenvironments.\n\n\u003ca id='fn-1' href='#fnr-1'\u003e\u003csup\u003e[1]\u003c/sup\u003e\u003c/a\u003e\n\u003csup\u003e\n  Splitting policies into multiple headers is not equivalent as user agents are expected to enforce comma-delimited \n  policies independently | \n\u003c/sup\u003e\n\u003ca href='https://www.w3.org/TR/CSP3/#multiple-policies'\u003e\u003csup\u003edetails\u003c/sup\u003e\u003c/a\u003e\n\n## Usage\n\nPython module:\n\n```shell\npython -m build-csp [options] in[:out] [in[:out] ...]\n```\n\n### Positional Arguments:\n\n- `in[:out]`\n\n  \u003e input path of YAML file with an optional output path, which defaults to `stdout`\n\n### Optional Arguments:\n\n- `-l` `--lax`\n\n  \u003e disable exceptions for unset environment variables\n\n- `-p` `--no-minify`\n\n  \u003e disable minification of policy outputs\n\n- `-k` `--keep-ports`\n\n  \u003e disable stripping default ports for URI schemes\n\n- `-n` `--nginx-format`\n  \u003e format the output as an nginx `add_header` directive\n\n## Examples\n\n#### To run the image locally as an executable:\n\n```shell\ndocker run --rm \\\n  --volume $(pwd):/var/csp/ \\\n  --env-file ./.env \\\n  rahilp/csp-builder:latest /var/csp/csp.yaml:/var/csp/csp.txt\n```\n\nRunning this command will write the policy to `csp.txt` in the working directory.\n\n#### To run in a multi-stage Dockerfile for NGINX:\n\n```dockerfile\n# ------------------------------------------------------------------------------\n# Stage 1: Serialize the policy (formatted as an NGINX `add_header` directive)\n# ------------------------------------------------------------------------------\n\nFROM rahilp/csp-builder:latest AS build-csp\n\n# As an alternative, you can pass environment variables via build args\nCOPY .env .\n\nCOPY csp.yaml /var/csp/\n\nRUN python -m csp-builder --nginx-format /var/csp/csp.yaml:/var/csp/csp.conf\n\n# 
------------------------------------------------------------------------------\n# Stage 2: Configure the NGINX image with the built policy from Stage 1\n# ------------------------------------------------------------------------------\n\nFROM nginx:latest\n\nCOPY config/ /etc/nginx/\nCOPY --from=build-csp /var/csp/csp.conf /etc/nginx/partials\n```\n\nNGINX configs can add the header by reference with:\n\n```nginx\ninclude /etc/nginx/partials/csp.conf;\n```\n\n[docker-image-badge]: https://img.shields.io/docker/v/rahilp/csp-builder?logo=docker\n[github-workflow-badge]: https://img.shields.io/github/workflow/status/rahil-p/csp-builder/ci?logo=github\n\n[docker-image]: https://hub.docker.com/r/rahilp/csp-builder/tags\n[github-workflow]: https://github.com/rahil-p/csp-builder/actions\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frahil-p%2Fcsp-builder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frahil-p%2Fcsp-builder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frahil-p%2Fcsp-builder/lists"}