allowing scripts in csp
24.07.2023 · 1 min read

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

```html
<meta http-equiv="Content-Security-Policy" content="script-src 'self'" />
```
This meta tag allows only scripts loaded from your page's own origin (`'self'`), so inline scripts are prevented from executing. Your site is more secure because of it. This is great. But say you want to run your own inline code, or you have a script that comes from a trusted source. How can we allow it to run?
Here’s what we need to do.
- With the `javascript` code, or the script's source URL, go to this site.
- Paste the URL into the "External source of script/style" input, or the code into the "Inline scripts/styles" input.
- The generator will calculate the hashes and give you three strings, for `sha256`, `sha384` and `sha512`. I took the `sha256` version and added it to the `meta` tag:

```html
<meta
  http-equiv="Content-Security-Policy"
  content="script-src 'self' 'sha256-hash-from-generator'"
/>
```