strict-csp
Report-Only mode is not supported here since the policy is added via a meta tag (Content-Security-Policy-Report-Only is unfortunately not supported in meta tags).
What this library does: defense-in-depth against XSS 🛡
Cross-site scripting (XSS)—the ability to inject malicious scripts into a web application—has been one of the biggest web security vulnerabilities for over a decade.
strict-csp is a bundler-agnostic library that helps protect your single-page application against XSS attacks. It does so by configuring a strict, hash-based Content-Security-Policy (CSP) for your web application.
A strict CSP, added in the form of an HTML meta tag, looks as follows:
<meta
http-equiv="Content-Security-Policy"
content="script-src 'sha256-3uCZp...oQxI=' 'strict-dynamic'; style-src 'self' 'unsafe-inline'">
</meta>Example usage
Let's say that htmlString is your SPA's html as a string.
const s = new StrictCsp(htmlString);
// Refactor sourced scripts so that we can set a strict hash-based CSP
s.refactorSourcedScriptsForHashBasedCsp();
// Hash inline scripts from this html file, if there are any
const scriptHashes = s.hashAllInlineScripts();
// Generate a strict CSP as a string
const strictCsp = StrictCsp.getStrictCsp(scriptHashes, {
enableBrowserFallbacks: true,
});
// Set this CSP via a meta tag
s.addMetaTag(strictCsp);
const htmlStringWithCsp = s.serializeDom();TL;DR: this library automates the steps to add a hash-based strict CSP to your site.
Arguments for the options object in getStrictCsp
By default, strict-csp will generate up a valid, strict, hash-based CSP.
You can use additional options to configure it:
| Option | What it does |
|---|---|
enableBrowserFallbacks (defaults to true) |
When true, enables fallbacks for older browsers. This does not weaken the policy. |
enableTrustedTypes (defaults to false) |
When true, enables trusted types for additional protections against DOM XSS attacks. |
enableUnsafeEval (defaults to false) |
When true, enables unsafe-eval in case you cannot remove all uses of eval(). |
How does this library work?
Here's what the library does:
- It replaces sourced scripts with an inline script that dynamically loads all sourced scripts. It calculates the hash of this script.
- It calculates the hash of other inline scripts.
- It creates a strict hash-based CSP, that includes the hashes calculated in (1) and (2).
This CSP efficiently helps protect your site against XSS. This CSP is set in a meta tag. It looks like this:
script-src {HASH-INLINE-SCRIPT} 'strict-dynamic'; object-src 'none'; base-uri 'none';.
{HASH-INLINE-SCRIPT} is the hash on the inline script that dynamically loads all sourced scripts.
TL;DR: this library automates the steps to add a hash-based CSP to your site.