- CSP (content-security-policy): A layer of security that can be added to web apps as an HTTP header or meta tag. Source: MDN
- Strict CSP: A specific set of CSP directives that has been identified as an effective and deployable mitigation against XSS (cross-site scripting). XSS is one of the most widespread security exploits. Source: W3C.
- SPA (single-page application): a web app implementation that loads a single web document. When different content needs to be shown, it updates the body content of that document. Source: MDN
Two codebases are in this repo:
- `strict-csp`: a bundler-agnostic library that can be used to generate a CSP. Go to strict-csp
- `strict-csp-html-webpack-plugin`: a webpack plugin that configures a strict, hash-based CSP for an SPA. It uses the `strict-csp` library to form a CSP and hooks into the popular `HtmlWebpackPlugin` to set up this CSP as a `meta` HTML tag. Go to strict-csp-html-webpack-plugin
Both of these are available as separate npm packages.
See DEVELOP.md.