https://github.com/posthtml/posthtml-nonce

A posthtml plugin create whitelist for specific inline scripts using a cryptographic nonce
https://github.com/posthtml/posthtml-nonce

Last synced: 11 months ago
JSON representation

A posthtml plugin create whitelist for specific inline scripts using a cryptographic nonce

• Host: GitHub
• URL: https://github.com/posthtml/posthtml-nonce
• Owner: posthtml
• License: mit
• Created: 2017-12-12T14:38:24.000Z (about 8 years ago)
• Default Branch: master
• Last Pushed: 2019-03-15T07:00:57.000Z (almost 7 years ago)
• Last Synced: 2024-10-29T21:06:06.583Z (over 1 year ago)
• Language: JavaScript
• Size: 276 KB
• Stars: 3
• Watchers: 3
• Forks: 0
• Open Issues: 2
• Metadata Files:
  • Readme: readme.md
  • Changelog: changelog.md
  • License: license

Awesome Lists containing this project

README

          
# posthtml-nonce

> A posthtml plugin create whitelist for specific inline scripts,styles,images,media using a cryptographic nonce 

[![Travis Build Status](https://img.shields.io/travis/posthtml/posthtml-nonce.svg?style=flat-square&label=unix)](https://travis-ci.org/posthtml/posthtml-nonce)[![node](https://img.shields.io/node/v/posthtml-nonce.svg?style=flat-square)]()[![npm version](https://img.shields.io/npm/v/posthtml-nonce.svg?style=flat-square)](https://www.npmjs.com/package/posthtml-nonce)[![Dependency Status](https://david-dm.org/posthtml/posthtml-nonce.svg?style=flat-square)](https://david-dm.org/posthtml/posthtml-nonce)[![XO code style](https://img.shields.io/badge/code_style-XO-5ed9c7.svg?style=flat-square)](https://github.com/sindresorhus/xo)[![Coveralls status](https://img.shields.io/coveralls/posthtml/posthtml-nonce.svg?style=flat-square)](https://coveralls.io/r/posthtml/posthtml-nonce)

## Why?  

The HTTP [`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).  

> Used in conjunction with the `middleware`

## Install

```bash

npm i -S posthtml posthtml-nonce

```

> **Note:** This project is compatible with node v6+

## Usage

```js

import {readFileSync, writeFileSync} from 'fs';

import posthtml from 'posthtml';

import posthtmlNonce from 'posthtml-nonce';

const html = readFileSync('input.html', 'utf8');

posthtml()

  .use(posthtmlNonce({tags: ['links'], nonce: '4f90d13a42'}))

  .process(html)

  .then(result => {

    writeFileSync('output.html', result.html);

  });

```

## Example

input.html

```html

  

    

  

  

    

    

  

```

output.html

```html

  

    

  

  

    

    

  

```

> *will be added nonce attribute with nanoid*

## Options

### `tags`

Type: `Array`(***required***)   

Default: `[]`  

Description: *You can also expand the list by adding the tags you need...*  

### `nanoid`

Type: `String`(***required***)   

Default: ``  

Description: *nanoid*