vite-plugin-csp-dev 1.0.5 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +12 -6
  2. package/dist/index.js +1 -1
  3. package/package.json +1 -1
package/README.md CHANGED
@@ -1,8 +1,6 @@
1
1
  # vite-plugin-csp-dev
2
2
 
3
- A Vite plugin to add Content Security Policy (CSP) headers to your application in serve mode.
4
-
5
- In order to set CSP headers in production builds, you must configure your web server accordingly. This plugin transforms build output in order to facilitate that.
3
+ Vite plugin for Content Security Policy with nonce support. Adds CSP headers in development and injects nonce placeholders in production builds for server-side replacement.
6
4
 
7
5
  ## Usage
8
6
 
@@ -15,9 +13,9 @@ export default {
15
13
  plugins: [
16
14
  secureHeaders({
17
15
  reportOnly: false, // default: false - Report CSP violations instead of blocking them.
18
- processI18n: true, // default: true - Process i18n.
16
+ processI18n: false, // default: false - Process i18n.
19
17
  defaultSrc: "'self'", // default: "'self'" - Value for default-src directive in CSP.
20
- noncePlaceholder: 'NONCE_PLACEHOLDER', // default: 'NONCE_PLACEHOLDER' - Placeholder for nonce in HTML.
18
+ noncePlaceholder: 'NONCE_PLACEHOLDER', // default: 'NONCE_PLACEHOLDER' - Placeholder replaced by server.
21
19
  xssProtection: '1; mode=block', // default: '1; mode=block' - Value for X-XSS-Protection header.
22
20
  frameOptions: 'DENY', // default: 'DENY' - Value for X-Frame-Options header.
23
21
  contentTypeOptions: 'nosniff', // default: 'nosniff' - Value for X-Content-Type-Options header.
@@ -40,7 +38,15 @@ export default {
40
38
  };
41
39
  ```
42
40
 
43
- In server configuration, set the CSP header similarly to vite-plugin-csp-dev. `NONCE_PLACEHOLDER` should be replaced with a generated nonce value for each request. For example, in nginx:
41
+ ## How It Works
42
+
43
+ **Development:** Plugin generates a nonce and sets CSP headers via middleware.
44
+
45
+ **Production:** Plugin injects `NONCE_PLACEHOLDER` in HTML. Your web server replaces it with a real nonce per request.
46
+
47
+ ## Server Configuration
48
+
49
+ **Nginx example:**
44
50
 
45
51
  ```nginx
46
52
  map $request_id $nonce {
package/dist/index.js CHANGED
@@ -3,7 +3,7 @@ const L = () => B("sha256").update(Date.now().toString()).digest("base64");
3
3
  function I(w = {}) {
4
4
  const {
5
5
  reportOnly: N = !1,
6
- processI18n: v = !0,
6
+ processI18n: v = !1,
7
7
  defaultSrc: S = "'self'",
8
8
  noncePlaceholder: C = "NONCE_PLACEHOLDER",
9
9
  xssProtection: p = "1; mode=block",
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "vite-plugin-csp-dev",
3
- "version": "1.0.5",
3
+ "version": "1.0.6",
4
4
  "type": "module",
5
5
  "description": "A Vite plugin to add Content Security Policy (CSP) headers to your application in serve mode.",
6
6
  "main": "./dist/index.js",