@taujs/server 0.2.4 → 0.2.5

package/dist/build.js

@@ -188,7 +188,6 @@ var require_picocolors = __commonJS({
 });
 
 // src/build.ts
-import fs from "fs/promises";
 import path3 from "path";
 import { build } from "vite";
 import { nodePolyfills } from "vite-plugin-node-polyfills";
@@ -213,6 +212,53 @@ var TEMPLATE = {
   defaultEntryServer: "entry-server",
   defaultHtmlTemplate: "index.html"
 };
+var DEV_CSP_DIRECTIVES = {
+  "default-src": ["'self'"],
+  "connect-src": ["'self'", "ws:", "http:"],
+  "style-src": ["'self'", "'unsafe-inline'"],
+  "img-src": ["'self'", "data:"]
+};
+
+// src/security/csp.ts
+import crypto from "crypto";
+var defaultGenerateCSP = (directives, nonce) => {
+  const merged = { ...directives };
+  merged["script-src"] = merged["script-src"] || ["'self'"];
+  if (!merged["script-src"].some((v) => v.startsWith("'nonce-"))) merged["script-src"].push(`'nonce-${nonce}'`);
+  if (process.env.NODE_ENV !== "production") {
+    const connect = merged["connect-src"] || ["'self'"];
+    if (!connect.includes("ws:")) connect.push("ws:");
+    if (!connect.includes("http:")) connect.push("http:");
+    merged["connect-src"] = connect;
+    const style = merged["style-src"] || ["'self'"];
+    if (!style.includes("'unsafe-inline'")) style.push("'unsafe-inline'");
+    merged["style-src"] = style;
+  }
+  return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
+};
+var generateNonce = () => crypto.randomBytes(16).toString("base64");
+var cspHook = (options = {}) => (req, reply, done) => {
+  const nonce = generateNonce();
+  const directives = options.directives ?? DEV_CSP_DIRECTIVES;
+  const generate = options.generateCSP ?? defaultGenerateCSP;
+  const cspHeader = generate(directives, nonce);
+  reply.header("Content-Security-Policy", cspHeader);
+  if (typeof options.exposeNonce === "function") {
+    options.exposeNonce(req, nonce);
+  } else {
+    req.nonce = nonce;
+  }
+  done();
+};
+var applyCSP = (security, reply) => {
+  if (!security?.csp) return;
+  const nonce = generateNonce();
+  const { directives = {}, generateCSP = defaultGenerateCSP } = security.csp;
+  const header = generateCSP(directives, nonce);
+  reply.header("Content-Security-Policy", header);
+  reply.request.nonce = nonce;
+  return nonce;
+};
 
 // src/utils/Utils.ts
 import { dirname, join } from "path";
@@ -426,6 +472,13 @@ var SSRServer = (0, import_fastify_plugin.default)(
       root: baseClientRoot,
       wildcard: false
     });
+    app.addHook(
+      "onRequest",
+      cspHook({
+        directives: opts.security?.csp?.directives ?? DEV_CSP_DIRECTIVES,
+        generateCSP: opts.security?.csp?.generateCSP
+      })
+    );
     if (isDevelopment) {
       const { createServer } = await import("vite");
       viteDevServer = await createServer({
@@ -483,6 +536,7 @@ var SSRServer = (0, import_fastify_plugin.default)(
         if (/\.\w+$/.test(req.raw.url ?? "")) return reply.callNotFound();
         const url = req.url ? new URL(req.url, `http://${req.headers.host}`).pathname : "/";
         const matchedRoute = matchRoute(url, routes);
+        const nonce = applyCSP(opts.security, reply);
         if (!matchedRoute) {
           reply.callNotFound();
           return;
@@ -524,12 +578,12 @@ var SSRServer = (0, import_fastify_plugin.default)(
         if (renderType === RENDERTYPE.ssr) {
           const { renderSSR } = renderModule;
           const initialDataResolved = await initialDataPromise;
-          const initialDataScript = `<script>window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`;
+          const initialDataScript = `<script nonce="${nonce}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`;
           const { headContent, appHtml } = await renderSSR(initialDataResolved, req.url, attr?.meta);
           let aggregateHeadContent = headContent;
           if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
           if (manifest && cssLink) aggregateHeadContent += cssLink;
-          const fullHtml = template.replace(SSRTAG.ssrHead, aggregateHeadContent).replace(SSRTAG.ssrHtml, `${appHtml}${initialDataScript}<script type="module" src="${bootstrapModule}" defer></script>`);
+          const fullHtml = template.replace(SSRTAG.ssrHead, aggregateHeadContent).replace(SSRTAG.ssrHtml, `${appHtml}${initialDataScript}<script nonce="${nonce}" type="module" src="${bootstrapModule}" defer></script>`);
           return reply.status(200).header("Content-Type", "text/html").send(fullHtml);
         } else {
           const { renderStream } = renderModule;
@@ -544,7 +598,7 @@ var SSRServer = (0, import_fastify_plugin.default)(
                 reply.raw.write(`${beforeHead}${aggregateHeadContent}${afterHead}`);
               },
               onFinish: async (initialDataResolved) => {
-                reply.raw.write(`<script>window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`);
+                reply.raw.write(`<script nonce="${nonce}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`);
                 reply.raw.write(afterBody);
                 reply.raw.end();
               },
@@ -571,12 +625,13 @@ var SSRServer = (0, import_fastify_plugin.default)(
         const defaultConfig = processedConfigs[0];
         if (!defaultConfig) throw new Error("No default configuration found.");
         const { clientRoot } = defaultConfig;
+        const nonce = applyCSP(opts.security, reply);
         let template = ensureNonNull(templates.get(clientRoot), `Template not found for clientRoot: ${clientRoot}`);
         const cssLink = cssLinks.get(clientRoot);
         const bootstrapModule = bootstrapModules.get(clientRoot);
         template = template.replace(SSRTAG.ssrHead, "").replace(SSRTAG.ssrHtml, "");
         if (!isDevelopment && cssLink) template = template.replace("</head>", `${cssLink}</head>`);
-        if (bootstrapModule) template = template.replace("</body>", `<script type="module" src="${bootstrapModule}" defer></script></body>`);
+        if (bootstrapModule) template = template.replace("</body>", `<script nonce="${nonce}" type="module" src="${bootstrapModule}" defer></script></body>`);
         reply.status(200).type("text/html").send(template);
       } catch (error) {
         console.error("Failed to serve clientHtmlTemplate:", error);
@@ -595,9 +650,10 @@ async function taujsBuild({
   isSSRBuild = process.env.BUILD_MODE === "ssr"
 }) {
   const deleteDist = async () => {
+    const { rm } = await import("fs/promises");
     const distPath = path3.resolve(projectRoot, "dist");
     try {
-      await fs.rm(distPath, { recursive: true, force: true });
+      await rm(distPath, { recursive: true, force: true });
       console.log("Deleted the dist directory\n");
     } catch (err) {
       console.error("Error deleting dist directory:", err);

package/dist/index.d.ts

@@ -1,113 +1,4 @@
-import { ServerResponse } from 'node:http';
-import { FastifyPluginAsync } from 'fastify';
-import { PluginOption } from 'vite';
-
-declare const RENDERTYPE: {
-    ssr: string;
-    streaming: string;
-};
-declare const TEMPLATE: {
-    defaultEntryClient: string;
-    defaultEntryServer: string;
-    defaultHtmlTemplate: string;
-};
-
-declare const createMaps: () => {
-    bootstrapModules: Map<string, string>;
-    cssLinks: Map<string, string>;
-    manifests: Map<string, Manifest>;
-    preloadLinks: Map<string, string>;
-    renderModules: Map<string, RenderModule>;
-    ssrManifests: Map<string, SSRManifest>;
-    templates: Map<string, string>;
-};
-declare const processConfigs: (configs: Config[], baseClientRoot: string, templateDefaults: typeof TEMPLATE) => ProcessedConfig[];
-declare const SSRServer: FastifyPluginAsync<SSRServerOptions>;
-type Config = {
-    appId: string;
-    entryPoint: string;
-    entryClient?: string;
-    entryServer?: string;
-    htmlTemplate?: string;
-};
-type ProcessedConfig = {
-    appId: string;
-    clientRoot: string;
-    entryClient: string;
-    entryPoint: string;
-    entryServer: string;
-    htmlTemplate: string;
-    plugins?: PluginOption[];
-};
-type SSRServerOptions = {
-    alias?: Record<string, string>;
-    clientRoot: string;
-    configs: Config[];
-    routes: Route<RouteParams>[];
-    serviceRegistry: ServiceRegistry;
-    isDebug?: boolean;
-};
-type ServiceMethod = (params: Record<string, unknown>) => Promise<Record<string, unknown>>;
-type NamedService = Record<string, ServiceMethod>;
-type ServiceRegistry = Record<string, NamedService>;
-type RenderCallbacks = {
-    onHead: (headContent: string) => void;
-    onFinish: (initialDataResolved: unknown) => void;
-    onError: (error: unknown) => void;
-};
-type FetchConfig = {
-    url?: string;
-    options: RequestInit & {
-        params?: Record<string, unknown>;
-    };
-    serviceName?: string;
-    serviceMethod?: string;
-};
-type SSRManifest = {
-    [key: string]: string[];
-};
-type ManifestEntry = {
-    file: string;
-    src?: string;
-    isDynamicEntry?: boolean;
-    imports?: string[];
-    css?: string[];
-    assets?: string[];
-};
-type Manifest = {
-    [key: string]: ManifestEntry;
-};
-type RenderSSR = (initialDataResolved: Record<string, unknown>, location: string, meta?: Record<string, unknown>) => Promise<{
-    headContent: string;
-    appHtml: string;
-    initialDataScript: string;
-}>;
-type RenderStream = (serverResponse: ServerResponse, callbacks: RenderCallbacks, initialDataPromise: Promise<Record<string, unknown>>, location: string, bootstrapModules?: string, meta?: Record<string, unknown>) => void;
-type RenderModule = {
-    renderSSR: RenderSSR;
-    renderStream: RenderStream;
-};
-type RouteAttributes<Params = {}> = {
-    fetch?: (params?: Params, options?: RequestInit & {
-        params?: Record<string, unknown>;
-    }) => Promise<FetchConfig>;
-} & ({
-    render?: typeof RENDERTYPE.ssr;
-    meta?: Record<string, unknown>;
-} | {
-    render: typeof RENDERTYPE.streaming;
-    meta: Record<string, unknown>;
-});
-type Route<Params = {}> = {
-    attr?: RouteAttributes<Params>;
-    path: string;
-    appId?: string;
-};
-interface InitialRouteParams extends Record<string, unknown> {
-    serviceName?: string;
-    serviceMethod?: string;
-}
-type RouteParams = InitialRouteParams & Record<string, unknown>;
-type RoutePathsAndAttributes<Params = {}> = Omit<Route<Params>, 'element'>;
-
-export { type Config, type FetchConfig, type InitialRouteParams, type Manifest, type ManifestEntry, type NamedService, type ProcessedConfig, type RenderCallbacks, type RenderModule, type RenderSSR, type RenderStream, type Route, type RouteAttributes, type RouteParams, type RoutePathsAndAttributes, type SSRManifest, SSRServer, type SSRServerOptions, type ServiceMethod, type ServiceRegistry, TEMPLATE, createMaps, processConfigs };
+export { C as Config, F as FetchConfig, I as InitialRouteParams, f as Manifest, M as ManifestEntry, N as NamedService, P as ProcessedConfig, R as RenderCallbacks, i as RenderModule, g as RenderSSR, h as RenderStream, k as Route, j as RouteAttributes, l as RouteParams, m as RoutePathsAndAttributes, e as SSRManifest, S as SSRServer, a as SSRServerOptions, b as ServiceMethod, d as ServiceRegistry, T as TEMPLATE, c as createMaps, p as processConfigs } from './security/csp.js';
+import 'node:http';
+import 'fastify';
+import 'vite';

package/dist/index.js

@@ -207,6 +207,53 @@ var TEMPLATE = {
   defaultEntryServer: "entry-server",
   defaultHtmlTemplate: "index.html"
 };
+var DEV_CSP_DIRECTIVES = {
+  "default-src": ["'self'"],
+  "connect-src": ["'self'", "ws:", "http:"],
+  "style-src": ["'self'", "'unsafe-inline'"],
+  "img-src": ["'self'", "data:"]
+};
+
+// src/security/csp.ts
+import crypto from "crypto";
+var defaultGenerateCSP = (directives, nonce) => {
+  const merged = { ...directives };
+  merged["script-src"] = merged["script-src"] || ["'self'"];
+  if (!merged["script-src"].some((v) => v.startsWith("'nonce-"))) merged["script-src"].push(`'nonce-${nonce}'`);
+  if (process.env.NODE_ENV !== "production") {
+    const connect = merged["connect-src"] || ["'self'"];
+    if (!connect.includes("ws:")) connect.push("ws:");
+    if (!connect.includes("http:")) connect.push("http:");
+    merged["connect-src"] = connect;
+    const style = merged["style-src"] || ["'self'"];
+    if (!style.includes("'unsafe-inline'")) style.push("'unsafe-inline'");
+    merged["style-src"] = style;
+  }
+  return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
+};
+var generateNonce = () => crypto.randomBytes(16).toString("base64");
+var cspHook = (options = {}) => (req, reply, done) => {
+  const nonce = generateNonce();
+  const directives = options.directives ?? DEV_CSP_DIRECTIVES;
+  const generate = options.generateCSP ?? defaultGenerateCSP;
+  const cspHeader = generate(directives, nonce);
+  reply.header("Content-Security-Policy", cspHeader);
+  if (typeof options.exposeNonce === "function") {
+    options.exposeNonce(req, nonce);
+  } else {
+    req.nonce = nonce;
+  }
+  done();
+};
+var applyCSP = (security, reply) => {
+  if (!security?.csp) return;
+  const nonce = generateNonce();
+  const { directives = {}, generateCSP = defaultGenerateCSP } = security.csp;
+  const header = generateCSP(directives, nonce);
+  reply.header("Content-Security-Policy", header);
+  reply.request.nonce = nonce;
+  return nonce;
+};
 
 // src/utils/Utils.ts
 import { dirname, join } from "path";
@@ -420,6 +467,13 @@ var SSRServer = (0, import_fastify_plugin.default)(
       root: baseClientRoot,
       wildcard: false
     });
+    app.addHook(
+      "onRequest",
+      cspHook({
+        directives: opts.security?.csp?.directives ?? DEV_CSP_DIRECTIVES,
+        generateCSP: opts.security?.csp?.generateCSP
+      })
+    );
     if (isDevelopment) {
       const { createServer } = await import("vite");
       viteDevServer = await createServer({
@@ -477,6 +531,7 @@ var SSRServer = (0, import_fastify_plugin.default)(
         if (/\.\w+$/.test(req.raw.url ?? "")) return reply.callNotFound();
         const url = req.url ? new URL(req.url, `http://${req.headers.host}`).pathname : "/";
         const matchedRoute = matchRoute(url, routes);
+        const nonce = applyCSP(opts.security, reply);
         if (!matchedRoute) {
           reply.callNotFound();
           return;
@@ -518,12 +573,12 @@ var SSRServer = (0, import_fastify_plugin.default)(
         if (renderType === RENDERTYPE.ssr) {
           const { renderSSR } = renderModule;
           const initialDataResolved = await initialDataPromise;
-          const initialDataScript = `<script>window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`;
+          const initialDataScript = `<script nonce="${nonce}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`;
           const { headContent, appHtml } = await renderSSR(initialDataResolved, req.url, attr?.meta);
           let aggregateHeadContent = headContent;
           if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
           if (manifest && cssLink) aggregateHeadContent += cssLink;
-          const fullHtml = template.replace(SSRTAG.ssrHead, aggregateHeadContent).replace(SSRTAG.ssrHtml, `${appHtml}${initialDataScript}<script type="module" src="${bootstrapModule}" defer></script>`);
+          const fullHtml = template.replace(SSRTAG.ssrHead, aggregateHeadContent).replace(SSRTAG.ssrHtml, `${appHtml}${initialDataScript}<script nonce="${nonce}" type="module" src="${bootstrapModule}" defer></script>`);
           return reply.status(200).header("Content-Type", "text/html").send(fullHtml);
         } else {
           const { renderStream } = renderModule;
@@ -538,7 +593,7 @@ var SSRServer = (0, import_fastify_plugin.default)(
                 reply.raw.write(`${beforeHead}${aggregateHeadContent}${afterHead}`);
               },
               onFinish: async (initialDataResolved) => {
-                reply.raw.write(`<script>window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`);
+                reply.raw.write(`<script nonce="${nonce}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`);
                 reply.raw.write(afterBody);
                 reply.raw.end();
               },
@@ -565,12 +620,13 @@ var SSRServer = (0, import_fastify_plugin.default)(
         const defaultConfig = processedConfigs[0];
         if (!defaultConfig) throw new Error("No default configuration found.");
         const { clientRoot } = defaultConfig;
+        const nonce = applyCSP(opts.security, reply);
         let template = ensureNonNull(templates.get(clientRoot), `Template not found for clientRoot: ${clientRoot}`);
         const cssLink = cssLinks.get(clientRoot);
         const bootstrapModule = bootstrapModules.get(clientRoot);
         template = template.replace(SSRTAG.ssrHead, "").replace(SSRTAG.ssrHtml, "");
         if (!isDevelopment && cssLink) template = template.replace("</head>", `${cssLink}</head>`);
-        if (bootstrapModule) template = template.replace("</body>", `<script type="module" src="${bootstrapModule}" defer></script></body>`);
+        if (bootstrapModule) template = template.replace("</body>", `<script nonce="${nonce}" type="module" src="${bootstrapModule}" defer></script></body>`);
         reply.status(200).type("text/html").send(template);
       } catch (error) {
         console.error("Failed to serve clientHtmlTemplate:", error);

package/dist/security/csp.d.ts

@@ -0,0 +1,131 @@
+import { ServerResponse } from 'node:http';
+import { FastifyRequest, FastifyReply, HookHandlerDoneFunction, FastifyPluginAsync } from 'fastify';
+import { PluginOption } from 'vite';
+
+type CSPDirectives = Record<string, string[]>;
+interface CSPOptions {
+    directives?: CSPDirectives;
+    exposeNonce?: (req: FastifyRequest, nonce: string) => void;
+    generateCSP?: (directives: CSPDirectives, nonce: string) => string;
+}
+declare const defaultGenerateCSP: (directives: CSPDirectives, nonce: string) => string;
+declare const generateNonce: () => string;
+declare const cspHook: (options?: CSPOptions) => (req: FastifyRequest, reply: FastifyReply, done: HookHandlerDoneFunction) => void;
+declare const getRequestNonce: (req: FastifyRequest) => string | undefined;
+declare const applyCSP: (security: SSRServerOptions["security"], reply: FastifyReply) => string | undefined;
+
+declare const RENDERTYPE: {
+    ssr: string;
+    streaming: string;
+};
+declare const TEMPLATE: {
+    defaultEntryClient: string;
+    defaultEntryServer: string;
+    defaultHtmlTemplate: string;
+};
+
+declare const createMaps: () => {
+    bootstrapModules: Map<string, string>;
+    cssLinks: Map<string, string>;
+    manifests: Map<string, Manifest>;
+    preloadLinks: Map<string, string>;
+    renderModules: Map<string, RenderModule>;
+    ssrManifests: Map<string, SSRManifest>;
+    templates: Map<string, string>;
+};
+declare const processConfigs: (configs: Config[], baseClientRoot: string, templateDefaults: typeof TEMPLATE) => ProcessedConfig[];
+declare const SSRServer: FastifyPluginAsync<SSRServerOptions>;
+type Config = {
+    appId: string;
+    entryPoint: string;
+    entryClient?: string;
+    entryServer?: string;
+    htmlTemplate?: string;
+};
+type ProcessedConfig = {
+    appId: string;
+    clientRoot: string;
+    entryClient: string;
+    entryPoint: string;
+    entryServer: string;
+    htmlTemplate: string;
+    plugins?: PluginOption[];
+};
+type SSRServerOptions = {
+    alias?: Record<string, string>;
+    clientRoot: string;
+    configs: Config[];
+    routes: Route<RouteParams>[];
+    serviceRegistry: ServiceRegistry;
+    security?: {
+        csp?: {
+            directives?: CSPDirectives;
+            generateCSP?: (directives: CSPDirectives, nonce: string) => string;
+        };
+    };
+    isDebug?: boolean;
+};
+type ServiceMethod = (params: Record<string, unknown>) => Promise<Record<string, unknown>>;
+type NamedService = Record<string, ServiceMethod>;
+type ServiceRegistry = Record<string, NamedService>;
+type RenderCallbacks = {
+    onHead: (headContent: string) => void;
+    onFinish: (initialDataResolved: unknown) => void;
+    onError: (error: unknown) => void;
+};
+type FetchConfig = {
+    url?: string;
+    options: RequestInit & {
+        params?: Record<string, unknown>;
+    };
+    serviceName?: string;
+    serviceMethod?: string;
+};
+type SSRManifest = {
+    [key: string]: string[];
+};
+type ManifestEntry = {
+    file: string;
+    src?: string;
+    isDynamicEntry?: boolean;
+    imports?: string[];
+    css?: string[];
+    assets?: string[];
+};
+type Manifest = {
+    [key: string]: ManifestEntry;
+};
+type RenderSSR = (initialDataResolved: Record<string, unknown>, location: string, meta?: Record<string, unknown>) => Promise<{
+    headContent: string;
+    appHtml: string;
+    initialDataScript: string;
+}>;
+type RenderStream = (serverResponse: ServerResponse, callbacks: RenderCallbacks, initialDataPromise: Promise<Record<string, unknown>>, location: string, bootstrapModules?: string, meta?: Record<string, unknown>) => void;
+type RenderModule = {
+    renderSSR: RenderSSR;
+    renderStream: RenderStream;
+};
+type RouteAttributes<Params = {}> = {
+    fetch?: (params?: Params, options?: RequestInit & {
+        params?: Record<string, unknown>;
+    }) => Promise<FetchConfig>;
+} & ({
+    render?: typeof RENDERTYPE.ssr;
+    meta?: Record<string, unknown>;
+} | {
+    render: typeof RENDERTYPE.streaming;
+    meta: Record<string, unknown>;
+});
+type Route<Params = {}> = {
+    attr?: RouteAttributes<Params>;
+    path: string;
+    appId?: string;
+};
+interface InitialRouteParams extends Record<string, unknown> {
+    serviceName?: string;
+    serviceMethod?: string;
+}
+type RouteParams = InitialRouteParams & Record<string, unknown>;
+type RoutePathsAndAttributes<Params = {}> = Omit<Route<Params>, 'element'>;
+
+export { type Config as C, type CSPDirectives, type CSPOptions, type FetchConfig as F, type InitialRouteParams as I, type ManifestEntry as M, type NamedService as N, type ProcessedConfig as P, type RenderCallbacks as R, SSRServer as S, TEMPLATE as T, type SSRServerOptions as a, applyCSP, type ServiceMethod as b, createMaps as c, cspHook, type ServiceRegistry as d, defaultGenerateCSP, type SSRManifest as e, type Manifest as f, type RenderSSR as g, generateNonce, getRequestNonce, type RenderStream as h, type RenderModule as i, type RouteAttributes as j, type Route as k, type RouteParams as l, type RoutePathsAndAttributes as m, processConfigs as p };

package/dist/security/csp.js

@@ -0,0 +1,58 @@
+// src/security/csp.ts
+import crypto from "crypto";
+
+// src/constants.ts
+var DEV_CSP_DIRECTIVES = {
+  "default-src": ["'self'"],
+  "connect-src": ["'self'", "ws:", "http:"],
+  "style-src": ["'self'", "'unsafe-inline'"],
+  "img-src": ["'self'", "data:"]
+};
+
+// src/security/csp.ts
+var defaultGenerateCSP = (directives, nonce) => {
+  const merged = { ...directives };
+  merged["script-src"] = merged["script-src"] || ["'self'"];
+  if (!merged["script-src"].some((v) => v.startsWith("'nonce-"))) merged["script-src"].push(`'nonce-${nonce}'`);
+  if (process.env.NODE_ENV !== "production") {
+    const connect = merged["connect-src"] || ["'self'"];
+    if (!connect.includes("ws:")) connect.push("ws:");
+    if (!connect.includes("http:")) connect.push("http:");
+    merged["connect-src"] = connect;
+    const style = merged["style-src"] || ["'self'"];
+    if (!style.includes("'unsafe-inline'")) style.push("'unsafe-inline'");
+    merged["style-src"] = style;
+  }
+  return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
+};
+var generateNonce = () => crypto.randomBytes(16).toString("base64");
+var cspHook = (options = {}) => (req, reply, done) => {
+  const nonce = generateNonce();
+  const directives = options.directives ?? DEV_CSP_DIRECTIVES;
+  const generate = options.generateCSP ?? defaultGenerateCSP;
+  const cspHeader = generate(directives, nonce);
+  reply.header("Content-Security-Policy", cspHeader);
+  if (typeof options.exposeNonce === "function") {
+    options.exposeNonce(req, nonce);
+  } else {
+    req.nonce = nonce;
+  }
+  done();
+};
+var getRequestNonce = (req) => req.nonce;
+var applyCSP = (security, reply) => {
+  if (!security?.csp) return;
+  const nonce = generateNonce();
+  const { directives = {}, generateCSP = defaultGenerateCSP } = security.csp;
+  const header = generateCSP(directives, nonce);
+  reply.header("Content-Security-Policy", header);
+  reply.request.nonce = nonce;
+  return nonce;
+};
+export {
+  applyCSP,
+  cspHook,
+  defaultGenerateCSP,
+  generateNonce,
+  getRequestNonce
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@taujs/server",
-  "version": "0.2.4",
+  "version": "0.2.5",
   "description": "taujs | τjs",
   "author": "Aoede <taujs@aoede.uk.net> (https://www.aoede.uk.net)",
   "license": "MIT",
@@ -33,6 +33,10 @@
       "import": "./dist/build.js",
       "types": "./dist/build.d.ts"
     },
+    "./csp": {
+      "import": "./dist/security/csp.js",
+      "types": "./dist/security/csp.d.ts"
+    },
     "./package.json": "./package.json"
   },
   "files": [
@@ -49,6 +53,7 @@
     "@changesets/cli": "^2.27.7",
     "@types/node": "^20.14.9",
     "@vitest/coverage-v8": "^2.1.0",
+    "@vitest/ui": "^2.1.9",
     "fastify": "^5.3.3",
     "jsdom": "^25.0.0",
     "prettier": "^3.3.3",