Skip to content

google/strict-csp

Glossary

  • CSP (content-security-policy): A layer of security that can be added to web apps as an HTTP header or meta tag. Source: MDN
  • Strict CSP: A specific set of CSP directives that has been identified as an effective and deployable mitigation against XSS (cross-site scripting). XSS is one of the most widespread sedcurity exploits. Source: w3c.
  • SPA (single-page application): a web app implementation that loads a single web document. When different content needs to be shown, it updates the body content of that document. Source: MDN

About this repo

Two codebases are in this repo:

  • strict-csp: a bundler-agnostic library, that can be used to generate a CSP. Go to strict-csp

  • strict-csp-html-webpack-plugin: a webpack plugin that configures a strict, hash-based CSP for an SPA. It uses the strict-csp library to form a CSP and hooks into the popular HtmlWebpackPlugin to set up this CSP as a meta HTML tag. Go to strict-csp-html-webpack-plugin

Both of these are available as separate npm packages.

Setup for development purposes

See DEVELOP.md.

Resources