Skip to content

Start Here
- Getting Started
Guides
- Subresource Integrity
  - SRI for Statically Generated Sites
  - SRI for SSR Content
- Security Headers
  - Content-Security-Policy (CSP)
- Hosting Integrations
  - Netlify
  - Vercel
Reference
- Configuration
Other

Netlify

`Content-Security-Policy` for Static Content

Ensuring that Netlify serves your static content with the correct Content-Security-Policy headers requires some additional configuration. Specifically, set securityHeaders.enableOnStaticPages.provider to the value "netlify".

See a more complete example:

import { resolve } from 'node:path'

import { defineConfig } from 'astro/config'
import { shield } from '@kindspells/astro-shield'

const rootDir = new URL('.', import.meta.url).pathname
const modulePath = resolve(rootDir, 'src', 'generated', 'sriHashes.mjs')

export default defineConfig({
  integrations: [
    shield({
      // - If set, it controls how the security headers will be generated.
      // - If not set, no security headers will be generated.
      securityHeaders: {
        // This option is required to configure CSP headers for your static
        // content on Netlify.
        enableOnStaticPages: { provider: "netlify" },

        // - If set, it controls how the CSP (Content Security Policy) header
        //   will be generated.
        // - If not set, no CSP header will be configured for your static
        //   content (there is no need to specify its inner options).
        contentSecurityPolicy: {
          // - If set, it controls the "default" CSP directives (they can be
          //   overriden at runtime).
          // - If not set, Astro-Shield will use a minimal set of default
          //   directives.
          cspDirectives: {
            'default-src': "'none'",
          }
        }
      }
    })
  ]
})