vite-plugin-csp-dev 1.0.4 → 1.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +26 -8
- package/dist/index.js +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -1,8 +1,6 @@
|
|
|
1
1
|
# vite-plugin-csp-dev
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
In order to set CSP headers in production builds, you must configure your web server accordingly. This plugin transforms build output in order to facilitate that.
|
|
3
|
+
Vite plugin for Content Security Policy with nonce support. Adds CSP headers in development and injects nonce placeholders in production builds for server-side replacement.
|
|
6
4
|
|
|
7
5
|
## Usage
|
|
8
6
|
|
|
@@ -15,9 +13,9 @@ export default {
|
|
|
15
13
|
plugins: [
|
|
16
14
|
secureHeaders({
|
|
17
15
|
reportOnly: false, // default: false - Report CSP violations instead of blocking them.
|
|
18
|
-
processI18n:
|
|
16
|
+
processI18n: false, // default: false - Process i18n.
|
|
19
17
|
defaultSrc: "'self'", // default: "'self'" - Value for default-src directive in CSP.
|
|
20
|
-
noncePlaceholder: 'NONCE_PLACEHOLDER', // default: 'NONCE_PLACEHOLDER' - Placeholder
|
|
18
|
+
noncePlaceholder: 'NONCE_PLACEHOLDER', // default: 'NONCE_PLACEHOLDER' - Placeholder replaced by server.
|
|
21
19
|
xssProtection: '1; mode=block', // default: '1; mode=block' - Value for X-XSS-Protection header.
|
|
22
20
|
frameOptions: 'DENY', // default: 'DENY' - Value for X-Frame-Options header.
|
|
23
21
|
contentTypeOptions: 'nosniff', // default: 'nosniff' - Value for X-Content-Type-Options header.
|
|
@@ -40,9 +38,17 @@ export default {
|
|
|
40
38
|
};
|
|
41
39
|
```
|
|
42
40
|
|
|
43
|
-
|
|
41
|
+
## How It Works
|
|
44
42
|
|
|
45
|
-
|
|
43
|
+
**Development:** Plugin generates a nonce and sets CSP headers via middleware.
|
|
44
|
+
|
|
45
|
+
**Production:** Plugin injects `NONCE_PLACEHOLDER` in HTML. Your web server replaces it with a real nonce per request.
|
|
46
|
+
|
|
47
|
+
## Server Configuration
|
|
48
|
+
|
|
49
|
+
**Nginx example:**
|
|
50
|
+
|
|
51
|
+
```nginx
|
|
46
52
|
map $request_id $nonce {
|
|
47
53
|
~. $request_id;
|
|
48
54
|
}
|
|
@@ -52,7 +58,19 @@ server {
|
|
|
52
58
|
sub_filter_types *;
|
|
53
59
|
sub_filter NONCE_PLACEHOLDER $nonce;
|
|
54
60
|
|
|
55
|
-
add_header Content-Security-Policy "default-src 'self';
|
|
61
|
+
add_header Content-Security-Policy "default-src 'self';
|
|
62
|
+
script-src 'self' 'nonce-$nonce';
|
|
63
|
+
style-src 'self' 'nonce-$nonce';
|
|
64
|
+
img-src 'self' data:;
|
|
65
|
+
font-src 'self';
|
|
66
|
+
object-src 'none';
|
|
67
|
+
base-uri 'self';
|
|
68
|
+
form-action 'self';
|
|
69
|
+
frame-ancestors 'none';
|
|
70
|
+
worker-src 'self';
|
|
71
|
+
connect-src 'self';
|
|
72
|
+
upgrade-insecure-requests;
|
|
73
|
+
" always;
|
|
56
74
|
add_header X-XSS-Protection "1; mode=block";
|
|
57
75
|
add_header X-Frame-Options "DENY";
|
|
58
76
|
add_header X-Content-Type-Options "nosniff";
|
package/dist/index.js
CHANGED
|
@@ -3,7 +3,7 @@ const L = () => B("sha256").update(Date.now().toString()).digest("base64");
|
|
|
3
3
|
function I(w = {}) {
|
|
4
4
|
const {
|
|
5
5
|
reportOnly: N = !1,
|
|
6
|
-
processI18n: v = !
|
|
6
|
+
processI18n: v = !1,
|
|
7
7
|
defaultSrc: S = "'self'",
|
|
8
8
|
noncePlaceholder: C = "NONCE_PLACEHOLDER",
|
|
9
9
|
xssProtection: p = "1; mode=block",
|
package/package.json
CHANGED