@jackdbd/eleventy-plugin-content-security-policy
TypeScript icon, indicating that this package has built-in type declarations

2.2.0 • Public • Published

@jackdbd/eleventy-plugin-content-security-policy

npm version install size CodeCov badge Socket Badge

Eleventy plugin that writes Content-Security-Policy and Content-Security-Policy-Report-Only headers to a _headers file when Eleventy builds your site.

Installation

npm install @jackdbd/eleventy-plugin-content-security-policy

Note: this library was tested on Node.js >=18. It might work on other Node.js versions though.

About

Hosting providers like Cloudflare Pages and Netlify allow to define custom response headers in a plain text file called _headers. This file must be placed in the publish directory of your site (e.g. usually _site for a Eleventy site).

This plugin allows you to define a Content-Security-Policy (CSP) or a Content-Security-Policy-Report-Only header in your Eleventy configuration file, and then it automatically writes those headers into your _headers file when you build your site.

Usage

In your Eleventy config file:

import { contentSecurityPolicyPlugin } from '@jackdbd/eleventy-plugin-content-security-policy'

export default function (eleventyConfig) {
  // some other eleventy configuration...

  // use the default CSP directives (not recommended)...
  eleventyConfig.addPlugin(contentSecurityPolicyPlugin)

  // ...or define your CSP directives
  eleventyConfig.addPlugin(contentSecurityPolicyPlugin, {
    allowDeprecatedDirectives: true,
    
    directives: {
      'base-uri': ['self'],

      // allow only self-hosted fonts (i.e. fonts hosted on this origin)
      'font-src': ['self'],

      // allow scripts hosted on this origin, on plausible.io (analytics),
      // cloudflareinsights.com (analytics), unpkg.com (preact)
      'script-src-elem': [
        'self',
        'https://plausible.io/js/plausible.js',
        'https://static.cloudflareinsights.com/beacon.min.js',
        'https://unpkg.com/htm/preact/standalone.module.js'
      ],

      // allow CSS hosted on this origin, and inline styles that match a sha256
      // hash automatically computed at build time by this 11ty plugin.
      // See also here for the pros and cons of 'unsafe-inline'
      // https://stackoverflow.com/questions/30653698/csp-style-src-unsafe-inline-is-it-worth-it
      'style-src-elem': ['self', 'sha256'],
    },

    // Only .html files should be served with the Content-Security-Policy header. Avoid header bloat by making sure that other files are not served with Content-Security-Policy header.
    globPatternsDetach: ['/*.png'],

    includePatterns: ['/**/**.html']
  })

  // some other eleventy configuration...
}

Configuration

Refer also to the library @jackdbd/content-security-policy for the configuration.

Option Default Explanation
allowDeprecatedDirectives false whether deprecated directives should be allowed or not.
directives {} Directives for the Content-Security-Policy (or Content-Security-Policy-Report-Only) header.
excludePatterns [] Files that match these patterns will not be searched.
globPatterns ['/', '/*/'] Files that match these patterns will be searched.
globPatternsDetach [] Files that match these patterns will not be served with the Content-Security-Policy (or Content-Security-Policy-Report-Only) header.
includePatterns ['/**/**.html'] Files that match these patterns will be served with the Content-Security-Policy (or Content-Security-Policy-Report-Only) header.
jsonRecap false whether to write a JSON containing the configuration of this plugin. This can useful for troubleshooting the CSP and/or to consume the CSP with some other tool (e.g. send a Telegram message containing the current CSP directives).
reportOnly false whether the policy should be applied to the Content-Security-Policy header, or to the Content-Security-Policy-Report-Only header.

Troubleshooting

This plugin uses the debug library for logging. You can control what's logged using the DEBUG environment variable.

For example, if you set your environment variables in a .envrc file, you can do:

# print all logging statements
export DEBUG=11ty-plugin:*

Dependencies

Package Version
@jackdbd/content-security-policy 3.0.0-canary.1
@jackdbd/hosting-utils 1.0.0-canary.1
zod ^3.23.0
zod-validation-error ^3.1.0

⚠️ Peer Dependencies

This package defines 2 peer dependencies.

Peer Version range
@11ty/eleventy >=2.0.0 or 3.0.0-alpha.6
debug >=4.0.0

License

© 2022 - 2024 Giacomo Debidda // MIT License

Package Sidebar

Install

npm i @jackdbd/eleventy-plugin-content-security-policy

Weekly Downloads

41

Version

2.2.0

License

MIT

Unpacked Size

37.9 kB

Total Files

20

Last publish

Collaborators

  • jackdbd