Skip to content
Astro-Shield Docs

Content-Security-Policy (CSP)

Enabling CSP for SSR content

To enable the generation of Content-Security-Policy headers for your SSR content, you have to set the option securityHeaders.contentSecurityPolicy to a non-null object.

If you want more control, then you can set other nested options, such as cspDirectives.

import { resolve } from 'node:path'


import { defineConfig } from 'astro/config'
import { shield } from '@kindspells/astro-shield'


const rootDir = new URL('.', import.meta.url).pathname
const modulePath = resolve(rootDir, 'src', 'generated', 'sriHashes.mjs')


export default defineConfig({
  integrations: [
    shield({
      sri: {
        enableMiddleware: true,   // MUST be enabled for dynamic pages!
        hashesModule: modulePath, // SHOULD be set!
      },


      // - If set, it controls how the security headers will be
      //   generated in the middleware.
      // - If not set, no security headers will be generated in the
      //   middleware.
      securityHeaders: {
        // - If set, it controls how the CSP (Content Security Policy)
        //   header will be generated in the middleware.
        // - If not set, no CSP header will be generated in the
        //   middleware. (there is no need to specify its inner options)
        contentSecurityPolicy: {
          // - If set, it controls the "default" CSP directives (they
          //   can be overriden at runtime).
          // - If not set, the middleware will use a minimal set of
          //   default directives.
          cspDirectives: {
            'default-src': "'none'",
          }
        }
      }
    })
  ]
})