Content-Security-Policy (CSP)

Enabling CSP for SSR content

To enable the generation of Content-Security-Policy headers for your SSR content, you have to set the option securityHeaders.contentSecurityPolicy to a non-null object.

If you want more control, then you can set other nested options, such as cspDirectives.

```js
import { resolve } from 'node:path'
import { defineConfig } from 'astro/config'
import { shield } from '@kindspells/astro-shield'

const rootDir = new URL('.', import.meta.url).pathname
const modulePath = resolve(rootDir, 'src', 'generated', 'sriHashes.mjs')

export default defineConfig({
  integrations: [
    shield({
      sri: {
        enableMiddleware: true, // MUST be enabled for dynamic pages!
        hashesModule: modulePath, // SHOULD be set!
      },
      // - If set, it controls how the security headers will be
      //   generated in the middleware.
      // - If not set, no security headers will be generated in the
      //   middleware.
      securityHeaders: {
        // - If set, it controls how the CSP (Content Security Policy)
        //   header will be generated in the middleware.
        // - If not set, no CSP header will be generated in the
        //   middleware. (There is no need to specify its inner options.)
        contentSecurityPolicy: {
          // - If set, it controls the "default" CSP directives (they
          //   can be overridden at runtime).
          // - If not set, the middleware will use a minimal set of
          //   default directives.
          cspDirectives: {
            'default-src': "'none'",
          },
        },
      },
    }),
  ],
})
```
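The option semantics described above (null disables the header, an empty object falls back to defaults, cspDirectives supplies the defaults) modelled as a small serializer. This is an added example, not astro-shield's own code: the fallback directive set, the shape of the runtime override and the sample hash are all assumptions/placeholders, since the real middleware's defaults and internals are not shown on this page.

```javascript
// Added example (not @kindspells/astro-shield code). Models how a
// cspDirectives object becomes a Content-Security-Policy header value.

// ASSUMED placeholder for "a minimal set of default directives"; the
// library's actual fallback set is not documented on this page.
const ASSUMED_MINIMAL_DIRECTIVES = { 'default-src': "'self'" }

// Serialize a directive map into a header value. Directives with an
// empty string value (e.g. 'upgrade-insecure-requests') are emitted
// as bare keywords; everything else is "<name> <value>".
function serializeDirectives(directives) {
  return Object.entries(directives)
    .map(([name, value]) => (value === '' ? name : `${name} ${value}`))
    .join('; ')
}

// Mirrors the documented option semantics:
//  - securityHeaders unset/null           -> no header at all
//  - contentSecurityPolicy unset/null     -> no CSP header
//  - contentSecurityPolicy set, no cspDirectives -> assumed defaults
//  - cspDirectives set                    -> those directives
function buildCspHeader(securityHeaders) {
  if (securityHeaders == null) return null
  const csp = securityHeaders.contentSecurityPolicy
  if (csp == null) return null
  const directives = csp.cspDirectives ?? ASSUMED_MINIMAL_DIRECTIVES
  return serializeDirectives(directives)
}

// A runtime override of the kind the page alludes to: a middleware
// that knows the SRI hashes of the page's inline scripts can allow
// exactly those hashes in script-src without widening the policy.
// (Hypothetical helper; hash values are constructed for the example.)
function withScriptHashes(directives, hashes) {
  const existing = directives['script-src'] ?? ''
  const allowlist = hashes.map((h) => `'${h}'`).join(' ')
  return { ...directives, 'script-src': `${existing} ${allowlist}`.trim() }
}

// Constructed sample: a strict base policy plus one constructed hash.
const STRICT = { 'default-src': "'none'", 'upgrade-insecure-requests': '' }
const SAMPLE_HASH = 'sha256-CONSTRUCTED_EXAMPLE_HASH_NOT_REAL='
console.log(buildCspHeader({ contentSecurityPolicy: { cspDirectives: STRICT } }))
console.log(serializeDirectives(withScriptHashes(STRICT, [SAMPLE_HASH])))
```

With the strict base policy, inline scripts only run when their hash appears in script-src, so a tampered inline script fails both the SRI check and the CSP allowlist.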