vite-plugin-node-csp

A Vite plugin that generates and injects a Content Security Policy (CSP) for your SPA application.


Keywords
vite, vite-plugin, csp, content-security-policy, node, spa
License
MIT
Install
npm install vite-plugin-node-csp@0.1.3

Documentation

Vite Plugin CSP

Vite Plugin for adding a Content Security Policy to your Vite SPA application.

Library Version
vite-plugin-bun-csp NPM Version
vite-plugin-node-csp NPM Version

Features

  • ✨ Automatically calculates Subresource Integrity (SRI) hashes of JavaScript and CSS assets and adds them to the CSP.
  • 📚 Automatically detects and handles Google Fonts.
  • ⚡ Supports both Node.js and Bun runtimes.
  • 🏎 Fast and lightweight. Bun plugin has 0 dependencies. Node plugin has a single dependency.

Installation

# Bun Plugin
npm i -D vite-plugin-bun-csp

# Node Plugin
npm i -D vite-plugin-node-csp

Basic Usage

Let the plugin analyze the index.html file and automatically configure the CSP.

// vite.config.ts
import { defineConfig } from "vite";
import { generateCspPlugin } from "vite-plugin-bun-csp";

export default defineConfig({
  root: "src",
  build: {
    outDir: "build",
  },
  plugins: [generateCspPlugin()],
});

Advanced Usage

You can also manually configure the CSP. Even when manually setting the CSP, the plugin will still analyze the HTML, generate the integrity hashes and automatically add them to the policy.

// vite.config.ts
import { defineConfig } from "vite";
import { DEFAULT_CSP_POLICY, generateCspPlugin } from "vite-plugin-bun-csp";

export default defineConfig({
  root: "src",
  build: {
    outDir: "build",
  },
  plugins: [
    generateCspPlugin({
      algorithm: "sha256",
      policy: {
        ...DEFAULT_CSP_POLICY,
        "style-src": ["'self'", "'unsafe-inline'"],
        "img-src": ["'self'", "data:"],
        "upgrade-insecure-requests": [],
      },
    }),
  ],
});

Links

License

MIT