gila-astro-csp 0.1.0

package/README.md

@@ -0,0 +1,394 @@
+# gila-astro-csp
+
+Astro 5+ integration for automatic **SRI (Subresource Integrity)** and **CSP (Content-Security-Policy)** generation with nginx support.
+
+[![npm version](https://img.shields.io/npm/v/gila-astro-csp.svg)](https://www.npmjs.com/package/gila-astro-csp)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+## Why gila-astro-csp?
+
+Modern web security requires strict CSP headers to prevent XSS attacks. However, frameworks like Astro generate inline scripts that break when using CSP without `unsafe-inline`.
+
+**gila-astro-csp solves this by:**
+
+1. Scanning all HTML files after build
+2. Calculating SHA-256 hashes for inline scripts and styles
+3. Adding `integrity` attributes to HTML elements
+4. Generating nginx-ready CSP configuration
+
+**Result:** A+ security rating without `unsafe-inline` or `unsafe-eval`.
+
+## Installation
+
+```bash
+npm install gila-astro-csp
+```
+
+## Quick Start
+
+Add to your `astro.config.mjs`:
+
+```javascript
+import { defineConfig } from 'astro/config';
+import { gilaCSP } from 'gila-astro-csp';
+
+export default defineConfig({
+  integrations: [
+    gilaCSP()
+  ]
+});
+```
+
+Run your build:
+
+```bash
+npm run build
+```
+
+That's it! Check `dist/_csp/` for the generated files.
+
+## Configuration
+
+### Full Example
+
+```javascript
+import { gilaCSP } from 'gila-astro-csp';
+
+export default defineConfig({
+  integrations: [
+    gilaCSP({
+      // Pre-configured external services
+      presets: ['google-analytics', 'cloudflare-insights', 'google-fonts'],
+
+      // Nginx output configuration
+      nginx: {
+        outputPath: './dist/_csp/nginx.conf',
+        includeComments: true,
+      },
+
+      // JSON output for custom integrations
+      json: {
+        outputPath: './dist/_csp/hashes.json',
+        pretty: true,
+      },
+
+      // Additional CSP directives
+      directives: {
+        'img-src': ["'self'", 'data:', 'https:'],
+        'connect-src': ['https://api.example.com'],
+      },
+    })
+  ]
+});
+```
+
+### Options
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `presets` | `string[]` | `[]` | Pre-configured services (see below) |
+| `nginx` | `object \| false` | `{ outputPath: './dist/_csp/nginx.conf' }` | Nginx config output |
+| `json` | `object \| false` | `{ outputPath: './dist/_csp/hashes.json' }` | JSON output |
+| `directives` | `object` | `{}` | Additional CSP directives |
+
+### Available Presets
+
+| Preset | Description | Adds |
+|--------|-------------|------|
+| `google-analytics` | Google Analytics & GTM | script-src, connect-src |
+| `cloudflare-insights` | Cloudflare Web Analytics | script-src, connect-src |
+| `google-fonts` | Google Fonts | style-src, font-src |
+
+## Output Files
+
+### nginx.conf
+
+Ready-to-include nginx configuration:
+
+```nginx
+# Content-Security-Policy Header
+# Generated by gila-astro-csp
+
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'sha256-abc123...' 'sha256-def456...'; style-src 'self' 'sha256-xyz789...'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
+```
+
+### hashes.json
+
+JSON file for custom integrations:
+
+```json
+{
+  "scripts": [
+    "sha256-abc123...",
+    "sha256-def456..."
+  ],
+  "styles": [
+    "sha256-xyz789..."
+  ],
+  "externalScripts": [
+    "https://www.googletagmanager.com"
+  ],
+  "externalStyles": [
+    "https://fonts.googleapis.com"
+  ],
+  "directives": {
+    "default-src": ["'self'"],
+    "script-src": ["'self'", "'sha256-abc123...'"]
+  }
+}
+```
+
+## Usage with Nginx
+
+### Option 1: Include the generated file
+
+```nginx
+server {
+    listen 443 ssl;
+    server_name example.com;
+
+    include /path/to/dist/_csp/nginx.conf;
+
+    # ... rest of config
+}
+```
+
+### Option 2: Use with nginx-proxy (Docker)
+
+Copy to your vhost.d folder:
+
+```bash
+cp dist/_csp/nginx.conf /etc/nginx/vhost.d/example.com_location
+```
+
+### Automation Script
+
+Create a script to update nginx after build:
+
+```bash
+#!/bin/bash
+# scripts/update-csp.sh
+
+CSP_CONF="./dist/_csp/nginx.conf"
+VHOST_DIR="/etc/nginx/vhost.d"
+
+# Extract CSP line
+CSP_LINE=$(grep 'add_header Content-Security-Policy' "$CSP_CONF")
+
+# Update vhost files
+for file in "$VHOST_DIR/example.com" "$VHOST_DIR/example.com_location"; do
+    if [ -f "$file" ]; then
+        sed -i '/^add_header Content-Security-Policy/c\'"$CSP_LINE" "$file"
+    fi
+done
+
+# Reload nginx
+nginx -s reload
+```
+
+## How It Works
+
+### Build Process
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                     Astro Build                              │
+└─────────────────────────────────────────────────────────────┘
+                            │
+                            ▼
+┌─────────────────────────────────────────────────────────────┐
+│  1. Scanner                                                  │
+│     - Find all HTML files in dist/                          │
+│     - Extract inline <script> and <style> content           │
+│     - Detect external scripts (https://)                    │
+└─────────────────────────────────────────────────────────────┘
+                            │
+                            ▼
+┌─────────────────────────────────────────────────────────────┐
+│  2. Hasher                                                   │
+│     - Calculate SHA-256 hash for each inline element        │
+│     - Format as 'sha256-{base64}'                           │
+└─────────────────────────────────────────────────────────────┘
+                            │
+                            ▼
+┌─────────────────────────────────────────────────────────────┐
+│  3. Injector                                                 │
+│     - Add integrity="sha256-..." to HTML elements           │
+│     - Update HTML files in place                            │
+└─────────────────────────────────────────────────────────────┘
+                            │
+                            ▼
+┌─────────────────────────────────────────────────────────────┐
+│  4. Generator                                                │
+│     - Merge hashes with presets and custom directives       │
+│     - Generate nginx.conf with CSP header                   │
+│     - Generate hashes.json for custom use                   │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Security Benefits
+
+| Without gila-astro-csp | With gila-astro-csp |
+|------------------------|---------------------|
+| `script-src 'unsafe-inline'` | `script-src 'sha256-...'` |
+| Vulnerable to XSS | Protected against XSS |
+| Security grade: C/D | Security grade: A+ |
+
+## Examples
+
+### Basic Static Site
+
+```javascript
+// astro.config.mjs
+import { gilaCSP } from 'gila-astro-csp';
+
+export default defineConfig({
+  integrations: [
+    gilaCSP()
+  ]
+});
+```
+
+### With Google Analytics
+
+```javascript
+import { gilaCSP } from 'gila-astro-csp';
+
+export default defineConfig({
+  integrations: [
+    gilaCSP({
+      presets: ['google-analytics'],
+    })
+  ]
+});
+```
+
+### With Multiple Services
+
+```javascript
+import { gilaCSP } from 'gila-astro-csp';
+
+export default defineConfig({
+  integrations: [
+    gilaCSP({
+      presets: ['google-analytics', 'cloudflare-insights', 'google-fonts'],
+      directives: {
+        'img-src': ["'self'", 'data:', 'https:', 'blob:'],
+        'connect-src': ['https://api.myservice.com'],
+      },
+    })
+  ]
+});
+```
+
+### Custom Output Paths
+
+```javascript
+import { gilaCSP } from 'gila-astro-csp';
+
+export default defineConfig({
+  integrations: [
+    gilaCSP({
+      nginx: {
+        outputPath: '../nginx/csp.conf',
+        includeComments: false,
+      },
+      json: {
+        outputPath: '../config/csp-hashes.json',
+      },
+    })
+  ]
+});
+```
+
+### Disable JSON Output
+
+```javascript
+import { gilaCSP } from 'gila-astro-csp';
+
+export default defineConfig({
+  integrations: [
+    gilaCSP({
+      json: false,  // Only generate nginx config
+    })
+  ]
+});
+```
+
+## TypeScript Support
+
+Full TypeScript support with exported types:
+
+```typescript
+import { gilaCSP } from 'gila-astro-csp';
+import type { GilaCSPOptions, PresetName, CSPDirectives } from 'gila-astro-csp';
+
+const options: GilaCSPOptions = {
+  presets: ['google-analytics'] as PresetName[],
+  directives: {
+    'img-src': ["'self'", 'data:'],
+  } as Partial<CSPDirectives>,
+};
+
+export default defineConfig({
+  integrations: [gilaCSP(options)]
+});
+```
+
+## Troubleshooting
+
+### Scripts still blocked after build
+
+1. Clear browser cache
+2. Verify nginx reloaded: `nginx -s reload`
+3. Check CSP header in DevTools > Network > Response Headers
+
+### Hash mismatch errors
+
+Hashes are calculated from exact content. If you see mismatches:
+
+1. Ensure no post-build modifications to HTML
+2. Check for whitespace differences
+3. Rebuild: `npm run build`
+
+### External scripts not working
+
+Add the domain to presets or directives:
+
+```javascript
+gilaCSP({
+  directives: {
+    'script-src': ['https://cdn.example.com'],
+  },
+})
+```
+
+## Contributing
+
+Contributions are welcome! Please read our contributing guidelines.
+
+```bash
+# Clone
+git clone https://github.com/petryx/gila-astro-csp.git
+
+# Install
+npm install
+
+# Test
+npm test
+
+# Build
+npm run build
+```
+
+## License
+
+MIT License - see [LICENSE](LICENSE) for details.
+
+## Credits
+
+Developed by [Gila Security](https://gilasecurity.com) - Cybersecurity specialists helping companies protect their digital assets.
+
+---
+
+**Need help securing your web application?** [Contact Gila Security](https://gilasecurity.com/contato) for professional cybersecurity services.

package/dist/hasher.d.ts

@@ -0,0 +1,4 @@
+import type { InlineElement, HashResult } from './types.js';
+export declare function calculateHash(content: string): string;
+export declare function hashInlineElements(elements: InlineElement[], type: 'script' | 'style'): HashResult[];
+//# sourceMappingURL=hasher.d.ts.map

package/dist/hasher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hasher.d.ts","sourceRoot":"","sources":["../src/hasher.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE5D,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAKrD;AAED,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,aAAa,EAAE,EACzB,IAAI,EAAE,QAAQ,GAAG,OAAO,GACvB,UAAU,EAAE,CAMd"}

package/dist/hasher.js

@@ -0,0 +1,14 @@
+import { createHash } from 'node:crypto';
+export function calculateHash(content) {
+    const hash = createHash('sha256')
+        .update(content, 'utf8')
+        .digest('base64');
+    return `sha256-${hash}`;
+}
+export function hashInlineElements(elements, type) {
+    return elements.map(element => ({
+        hash: calculateHash(element.content),
+        content: element.content,
+        type
+    }));
+}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export { gilaCSP } from './integration.js';
+export type { GilaCSPOptions, NginxOptions, JsonOptions, PresetName, CSPDirectives } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAC3C,YAAY,EACV,cAAc,EACd,YAAY,EACZ,WAAW,EACX,UAAU,EACV,aAAa,EACd,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1 @@
+export { gilaCSP } from './integration.js';

package/dist/injector.d.ts

@@ -0,0 +1,10 @@
+import type { HashResult, ProcessedHashes } from './types.js';
+export interface ProcessResult {
+    html: string;
+    hashes: ProcessedHashes;
+    externalScripts: string[];
+    externalStyles: string[];
+}
+export declare function injectIntegrity(html: string, hashes: HashResult[]): string;
+export declare function processHtml(html: string): ProcessResult;
+//# sourceMappingURL=injector.d.ts.map

package/dist/injector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"injector.d.ts","sourceRoot":"","sources":["../src/injector.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAI9D,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,eAAe,CAAC;IACxB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,CA2B1E;AAED,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,CAkBvD"}

package/dist/injector.js

@@ -0,0 +1,40 @@
+import { extractInlineElements } from './scanner.js';
+import { hashInlineElements } from './hasher.js';
+export function injectIntegrity(html, hashes) {
+    if (hashes.length === 0) {
+        return html;
+    }
+    let result = html;
+    for (const hashResult of hashes) {
+        const { content, hash, type } = hashResult;
+        const escapedContent = escapeRegex(content);
+        if (type === 'script') {
+            const regex = new RegExp(`(<script)(?![^>]*\\bsrc=)([^>]*>)(${escapedContent})(</script>)`, 'g');
+            result = result.replace(regex, `$1 integrity="${hash}"$2$3$4`);
+        }
+        else {
+            const regex = new RegExp(`(<style)([^>]*>)(${escapedContent})(</style>)`, 'g');
+            result = result.replace(regex, `$1 integrity="${hash}"$2$3$4`);
+        }
+    }
+    return result;
+}
+export function processHtml(html) {
+    const scanResult = extractInlineElements(html);
+    const scriptHashes = hashInlineElements(scanResult.scripts, 'script');
+    const styleHashes = hashInlineElements(scanResult.styles, 'style');
+    const allHashes = [...scriptHashes, ...styleHashes];
+    const processedHtml = injectIntegrity(html, allHashes);
+    return {
+        html: processedHtml,
+        hashes: {
+            scripts: scriptHashes.map(h => h.hash),
+            styles: styleHashes.map(h => h.hash)
+        },
+        externalScripts: scanResult.externalScripts,
+        externalStyles: scanResult.externalStyles
+    };
+}
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}

package/dist/integration.d.ts

@@ -0,0 +1,19 @@
+import type { AstroIntegration } from 'astro';
+import type { GilaCSPOptions, CSPDirectives } from './types.js';
+export interface DirectivesInput {
+    scriptHashes: string[];
+    styleHashes: string[];
+    externalScripts: string[];
+    externalStyles: string[];
+}
+export interface ProcessResult {
+    processedFiles: number;
+    scriptHashes: string[];
+    styleHashes: string[];
+    externalScripts: string[];
+    externalStyles: string[];
+}
+export declare function buildDirectives(input: DirectivesInput, options?: GilaCSPOptions): Partial<CSPDirectives>;
+export declare function processDirectory(dir: string): ProcessResult;
+export declare function gilaCSP(options?: GilaCSPOptions): AstroIntegration;
+//# sourceMappingURL=integration.d.ts.map

package/dist/integration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"integration.d.ts","sourceRoot":"","sources":["../src/integration.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,OAAO,CAAC;AAG9C,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKhE,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,aAAa;IAC5B,cAAc,EAAE,MAAM,CAAC;IACvB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,wBAAgB,eAAe,CAC7B,KAAK,EAAE,eAAe,EACtB,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,aAAa,CAAC,CA4ExB;AAED,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,CA8B3D;AAED,wBAAgB,OAAO,CAAC,OAAO,CAAC,EAAE,cAAc,GAAG,gBAAgB,CAwDlE"}

package/dist/integration.js

@@ -0,0 +1,166 @@
+import { readFileSync, writeFileSync, readdirSync, statSync, mkdirSync, existsSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { processHtml } from './injector.js';
+import { applyPresets } from './presets.js';
+import { generateNginxConfig } from './nginx.js';
+export function buildDirectives(input, options) {
+    const directives = {
+        'default-src': ["'self'"],
+        'script-src': ["'self'"],
+        'style-src': ["'self'"],
+        'img-src': ["'self'", 'data:'],
+        'font-src': ["'self'"],
+        'connect-src': ["'self'"],
+        'frame-ancestors': ["'none'"],
+        'form-action': ["'self'"],
+        'base-uri': ["'self'"]
+    };
+    for (const hash of input.scriptHashes) {
+        directives['script-src'].push(`'${hash}'`);
+    }
+    for (const hash of input.styleHashes) {
+        directives['style-src'].push(`'${hash}'`);
+    }
+    for (const url of input.externalScripts) {
+        const origin = extractOrigin(url);
+        if (!directives['script-src'].includes(origin)) {
+            directives['script-src'].push(origin);
+        }
+    }
+    for (const url of input.externalStyles) {
+        const origin = extractOrigin(url);
+        if (!directives['style-src'].includes(origin)) {
+            directives['style-src'].push(origin);
+        }
+    }
+    if (options?.presets) {
+        const presetResources = applyPresets(options.presets);
+        for (const url of presetResources.scripts) {
+            if (!directives['script-src'].includes(url)) {
+                directives['script-src'].push(url);
+            }
+        }
+        for (const url of presetResources.styles) {
+            if (!directives['style-src'].includes(url)) {
+                directives['style-src'].push(url);
+            }
+        }
+        for (const url of presetResources.fonts) {
+            if (!directives['font-src'].includes(url)) {
+                directives['font-src'].push(url);
+            }
+        }
+        for (const url of presetResources.connect) {
+            if (!directives['connect-src'].includes(url)) {
+                directives['connect-src'].push(url);
+            }
+        }
+    }
+    if (options?.directives) {
+        for (const [key, values] of Object.entries(options.directives)) {
+            const directive = key;
+            if (values) {
+                directives[directive] = [
+                    ...(directives[directive] || []),
+                    ...values.filter(v => !directives[directive]?.includes(v))
+                ];
+            }
+        }
+    }
+    return directives;
+}
+export function processDirectory(dir) {
+    const result = {
+        processedFiles: 0,
+        scriptHashes: [],
+        styleHashes: [],
+        externalScripts: [],
+        externalStyles: []
+    };
+    const htmlFiles = findHtmlFiles(dir);
+    for (const file of htmlFiles) {
+        const html = readFileSync(file, 'utf-8');
+        const processed = processHtml(html);
+        writeFileSync(file, processed.html);
+        result.processedFiles++;
+        result.scriptHashes.push(...processed.hashes.scripts);
+        result.styleHashes.push(...processed.hashes.styles);
+        result.externalScripts.push(...processed.externalScripts);
+        result.externalStyles.push(...processed.externalStyles);
+    }
+    result.scriptHashes = [...new Set(result.scriptHashes)];
+    result.styleHashes = [...new Set(result.styleHashes)];
+    result.externalScripts = [...new Set(result.externalScripts)];
+    result.externalStyles = [...new Set(result.externalStyles)];
+    return result;
+}
+export function gilaCSP(options) {
+    return {
+        name: 'gila-astro-csp',
+        hooks: {
+            'astro:build:done': async ({ dir }) => {
+                const distPath = dir.pathname;
+                const result = processDirectory(distPath);
+                const directives = buildDirectives({
+                    scriptHashes: result.scriptHashes,
+                    styleHashes: result.styleHashes,
+                    externalScripts: result.externalScripts,
+                    externalStyles: result.externalStyles
+                }, options);
+                if (options?.nginx !== false) {
+                    const nginxOpts = typeof options?.nginx === 'object' ? options.nginx : {};
+                    const outputPath = nginxOpts.outputPath || './dist/_csp/nginx.conf';
+                    const config = generateNginxConfig(directives, nginxOpts);
+                    const outputDir = dirname(outputPath);
+                    if (!existsSync(outputDir)) {
+                        mkdirSync(outputDir, { recursive: true });
+                    }
+                    writeFileSync(outputPath, config);
+                }
+                if (options?.json !== false) {
+                    const jsonOpts = typeof options?.json === 'object' ? options.json : {};
+                    const outputPath = jsonOpts.outputPath || './dist/_csp/hashes.json';
+                    const pretty = jsonOpts.pretty !== false;
+                    const outputDir = dirname(outputPath);
+                    if (!existsSync(outputDir)) {
+                        mkdirSync(outputDir, { recursive: true });
+                    }
+                    const jsonContent = {
+                        scripts: result.scriptHashes,
+                        styles: result.styleHashes,
+                        externalScripts: result.externalScripts,
+                        externalStyles: result.externalStyles,
+                        directives
+                    };
+                    writeFileSync(outputPath, pretty ? JSON.stringify(jsonContent, null, 2) : JSON.stringify(jsonContent));
+                }
+                console.log(`[gila-astro-csp] Processed ${result.processedFiles} HTML files`);
+                console.log(`[gila-astro-csp] Found ${result.scriptHashes.length} script hashes, ${result.styleHashes.length} style hashes`);
+            }
+        }
+    };
+}
+function findHtmlFiles(dir) {
+    const files = [];
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+        const fullPath = join(dir, entry);
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) {
+            files.push(...findHtmlFiles(fullPath));
+        }
+        else if (entry.endsWith('.html')) {
+            files.push(fullPath);
+        }
+    }
+    return files;
+}
+function extractOrigin(url) {
+    try {
+        const parsed = new URL(url);
+        return `${parsed.protocol}//${parsed.host}`;
+    }
+    catch {
+        return url;
+    }
+}

package/dist/nginx.d.ts

@@ -0,0 +1,4 @@
+import type { CSPDirectives, NginxOptions } from './types.js';
+export declare function generateCSPHeader(directives: Partial<CSPDirectives>): string;
+export declare function generateNginxConfig(directives: Partial<CSPDirectives>, options?: Partial<NginxOptions>): string;
+//# sourceMappingURL=nginx.d.ts.map

package/dist/nginx.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nginx.d.ts","sourceRoot":"","sources":["../src/nginx.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAO9D,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,MAAM,CAuB5E;AAED,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC,EAClC,OAAO,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,GAC9B,MAAM,CAeR"}

package/dist/nginx.js

@@ -0,0 +1,37 @@
+const DEFAULT_OPTIONS = {
+    outputPath: './dist/_csp/nginx.conf',
+    includeComments: true
+};
+export function generateCSPHeader(directives) {
+    const parts = [];
+    const directiveOrder = [
+        'default-src',
+        'script-src',
+        'style-src',
+        'img-src',
+        'font-src',
+        'connect-src',
+        'frame-ancestors',
+        'form-action',
+        'base-uri'
+    ];
+    for (const directive of directiveOrder) {
+        const values = directives[directive];
+        if (values && values.length > 0) {
+            parts.push(`${directive} ${values.join(' ')}`);
+        }
+    }
+    return parts.join('; ');
+}
+export function generateNginxConfig(directives, options) {
+    const opts = { ...DEFAULT_OPTIONS, ...options };
+    const cspHeader = generateCSPHeader(directives);
+    const lines = [];
+    if (opts.includeComments) {
+        lines.push('# Content-Security-Policy Header');
+        lines.push('# Generated by gila-astro-csp');
+        lines.push('');
+    }
+    lines.push(`add_header Content-Security-Policy "${cspHeader}" always;`);
+    return lines.join('\n');
+}

package/dist/presets.d.ts

@@ -0,0 +1,11 @@
+import type { PresetName, Preset } from './types.js';
+export interface PresetResources {
+    scripts: string[];
+    styles: string[];
+    fonts: string[];
+    connect: string[];
+}
+export declare const PRESETS: Record<PresetName, Preset>;
+export declare function getPreset(name: PresetName): Preset;
+export declare function applyPresets(presetNames: PresetName[]): PresetResources;
+//# sourceMappingURL=presets.d.ts.map

package/dist/presets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"presets.d.ts","sourceRoot":"","sources":["../src/presets.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AAErD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,eAAO,MAAM,OAAO,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CA+B9C,CAAC;AAEF,wBAAgB,SAAS,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,CAMlD;AAED,wBAAgB,YAAY,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,eAAe,CA+BvE"}

package/dist/presets.js

@@ -0,0 +1,68 @@
+export const PRESETS = {
+    'google-analytics': {
+        name: 'google-analytics',
+        scripts: [
+            'https://www.googletagmanager.com',
+            'https://www.google-analytics.com'
+        ],
+        connect: [
+            'https://www.google-analytics.com',
+            'https://analytics.google.com',
+            'https://stats.g.doubleclick.net'
+        ]
+    },
+    'cloudflare-insights': {
+        name: 'cloudflare-insights',
+        scripts: [
+            'https://static.cloudflareinsights.com'
+        ],
+        connect: [
+            'https://cloudflareinsights.com'
+        ]
+    },
+    'google-fonts': {
+        name: 'google-fonts',
+        styles: [
+            'https://fonts.googleapis.com'
+        ],
+        fonts: [
+            'https://fonts.gstatic.com'
+        ]
+    }
+};
+export function getPreset(name) {
+    const preset = PRESETS[name];
+    if (!preset) {
+        throw new Error(`Unknown preset: ${name}`);
+    }
+    return preset;
+}
+export function applyPresets(presetNames) {
+    const result = {
+        scripts: [],
+        styles: [],
+        fonts: [],
+        connect: []
+    };
+    for (const name of presetNames) {
+        const preset = getPreset(name);
+        if (preset.scripts) {
+            result.scripts.push(...preset.scripts);
+        }
+        if (preset.styles) {
+            result.styles.push(...preset.styles);
+        }
+        if (preset.fonts) {
+            result.fonts.push(...preset.fonts);
+        }
+        if (preset.connect) {
+            result.connect.push(...preset.connect);
+        }
+    }
+    return {
+        scripts: [...new Set(result.scripts)],
+        styles: [...new Set(result.styles)],
+        fonts: [...new Set(result.fonts)],
+        connect: [...new Set(result.connect)]
+    };
+}

package/dist/scanner.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from './types.js';
+export declare function extractInlineElements(html: string): ScanResult;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAiB,MAAM,YAAY,CAAC;AAO5D,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,CAmD9D"}

package/dist/scanner.js

@@ -0,0 +1,51 @@
+const INLINE_SCRIPT_REGEX = /<script(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi;
+const EXTERNAL_SCRIPT_REGEX = /<script[^>]*\bsrc=["']([^"']+)["'][^>]*>/gi;
+const INLINE_STYLE_REGEX = /<style[^>]*>([\s\S]*?)<\/style>/gi;
+const EXTERNAL_STYLE_REGEX = /<link[^>]*\brel=["']stylesheet["'][^>]*\bhref=["']([^"']+)["'][^>]*>/gi;
+export function extractInlineElements(html) {
+    const scripts = [];
+    const styles = [];
+    const externalScripts = [];
+    const externalStyles = [];
+    // Extract inline scripts
+    let match;
+    const scriptRegex = new RegExp(INLINE_SCRIPT_REGEX.source, 'gi');
+    while ((match = scriptRegex.exec(html)) !== null) {
+        scripts.push({
+            content: match[1],
+            startIndex: match.index,
+            endIndex: match.index + match[0].length
+        });
+    }
+    // Extract external scripts (only https://)
+    const extScriptRegex = new RegExp(EXTERNAL_SCRIPT_REGEX.source, 'gi');
+    while ((match = extScriptRegex.exec(html)) !== null) {
+        const url = match[1];
+        if (url.startsWith('https://')) {
+            externalScripts.push(url);
+        }
+    }
+    // Extract inline styles
+    const styleRegex = new RegExp(INLINE_STYLE_REGEX.source, 'gi');
+    while ((match = styleRegex.exec(html)) !== null) {
+        styles.push({
+            content: match[1],
+            startIndex: match.index,
+            endIndex: match.index + match[0].length
+        });
+    }
+    // Extract external styles (only https://)
+    const extStyleRegex = new RegExp(EXTERNAL_STYLE_REGEX.source, 'gi');
+    while ((match = extStyleRegex.exec(html)) !== null) {
+        const url = match[1];
+        if (url.startsWith('https://')) {
+            externalStyles.push(url);
+        }
+    }
+    return {
+        scripts,
+        styles,
+        externalScripts,
+        externalStyles
+    };
+}

package/dist/types.d.ts

@@ -0,0 +1,96 @@
+import type { AstroIntegration } from 'astro';
+export interface GilaCSPOptions {
+    /**
+     * Presets for common external services
+     * @example ['google-analytics', 'cloudflare-insights', 'google-fonts']
+     */
+    presets?: PresetName[];
+    /**
+     * Additional external scripts and styles
+     */
+    external?: {
+        scripts?: string[];
+        styles?: string[];
+    };
+    /**
+     * Additional CSP directives
+     */
+    directives?: Partial<CSPDirectives>;
+    /**
+     * Nginx output configuration
+     * Set to false to disable nginx output
+     * @default { outputPath: './dist/_csp/nginx.conf' }
+     */
+    nginx?: NginxOptions | false;
+    /**
+     * JSON output configuration
+     * Set to false to disable JSON output
+     * @default { outputPath: './dist/_csp/hashes.json' }
+     */
+    json?: JsonOptions | false;
+}
+export interface NginxOptions {
+    /**
+     * Path to output nginx config file
+     * @default './dist/_csp/nginx.conf'
+     */
+    outputPath?: string;
+    /**
+     * Include explanatory comments in output
+     * @default true
+     */
+    includeComments?: boolean;
+}
+export interface JsonOptions {
+    /**
+     * Path to output JSON file
+     * @default './dist/_csp/hashes.json'
+     */
+    outputPath?: string;
+    /**
+     * Pretty print JSON
+     * @default true
+     */
+    pretty?: boolean;
+}
+export type PresetName = 'google-analytics' | 'cloudflare-insights' | 'google-fonts';
+export interface Preset {
+    name: PresetName;
+    scripts?: string[];
+    styles?: string[];
+    connect?: string[];
+    fonts?: string[];
+}
+export interface CSPDirectives {
+    'default-src': string[];
+    'script-src': string[];
+    'style-src': string[];
+    'img-src': string[];
+    'font-src': string[];
+    'connect-src': string[];
+    'frame-ancestors': string[];
+    'form-action': string[];
+    'base-uri': string[];
+}
+export interface HashResult {
+    hash: string;
+    content: string;
+    type: 'script' | 'style';
+}
+export interface ScanResult {
+    scripts: InlineElement[];
+    styles: InlineElement[];
+    externalScripts: string[];
+    externalStyles: string[];
+}
+export interface InlineElement {
+    content: string;
+    startIndex: number;
+    endIndex: number;
+}
+export interface ProcessedHashes {
+    scripts: string[];
+    styles: string[];
+}
+export type GilaCSPIntegration = (options?: GilaCSPOptions) => AstroIntegration;
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,OAAO,CAAC;AAE9C,MAAM,WAAW,cAAc;IAC7B;;;OAGG;IACH,OAAO,CAAC,EAAE,UAAU,EAAE,CAAC;IAEvB;;OAEG;IACH,QAAQ,CAAC,EAAE;QACT,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IAEF;;OAEG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;IAEpC;;;;OAIG;IACH,KAAK,CAAC,EAAE,YAAY,GAAG,KAAK,CAAC;IAE7B;;;;OAIG;IACH,IAAI,CAAC,EAAE,WAAW,GAAG,KAAK,CAAC;CAC5B;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,WAAW,WAAW;IAC1B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,MAAM,UAAU,GAClB,kBAAkB,GAClB,qBAAqB,GACrB,cAAc,CAAC;AAEnB,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,UAAU,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,MAAM,EAAE,aAAa,EAAE,CAAC;IACxB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,MAAM,kBAAkB,GAAG,CAAC,OAAO,CAAC,EAAE,cAAc,KAAK,gBAAgB,CAAC"}

package/dist/types.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -0,0 +1,56 @@
+{
+  "name": "gila-astro-csp",
+  "version": "0.1.0",
+  "description": "Astro 5+ integration for SRI (Subresource Integrity) and CSP (Content-Security-Policy) with nginx support",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "vitest",
+    "test:run": "vitest run",
+    "test:coverage": "vitest run --coverage",
+    "lint": "eslint src --ext .ts",
+    "prepare": "npm run build",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "astro",
+    "astro-integration",
+    "csp",
+    "content-security-policy",
+    "sri",
+    "subresource-integrity",
+    "security",
+    "nginx"
+  ],
+  "author": "Gila Security <contato@gilasecurity.com> (https://gilasecurity.com)",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/petryx/gila-astro-csp.git"
+  },
+  "bugs": {
+    "url": "https://github.com/petryx/gila-astro-csp/issues"
+  },
+  "homepage": "https://gilasecurity.com",
+  "peerDependencies": {
+    "astro": "^5.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "astro": "^5.16.0",
+    "typescript": "^5.7.0",
+    "vitest": "^2.1.0"
+  }
+}