This is a Plug module that inserts a Content-Security-Policy header into the response. It can generate per-request nonces for inline <script> and <style> elements, as specified in CSP Level 2, so that your own inline code is allowed without resorting to 'unsafe-inline'.
Add plug_content_security_policy to the list of dependencies in your mix.exs:

```elixir
def deps do
  [
    {:plug_content_security_policy, "~> 0.2.1"}
  ]
end
```

Add the PlugContentSecurityPolicy module to your pipeline:
```elixir
defmodule YourApp.Endpoint do
  # Either use the application config ...
  plug PlugContentSecurityPolicy

  # ... or pass the configuration explicitly (use one form, not both)
  plug PlugContentSecurityPolicy,
    nonces_for: [:style_src],
    directives: %{script_src: ~w(https: 'self')}
end
```

If nonces are requested for any directives, they are made available in the conn's assigns map as `<directive>_nonce` (e.g. `conn.assigns[:style_src_nonce]`), and the same nonce is inserted into the CSP header. Put that value on the inline `<style>` or `<script>` elements you want the browser to run. A nonce only defends against injected inline code if it is unpredictable and unique to the response, so never hard-code one and never serve a cached page that still embeds the nonce from an earlier request.
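The following is an added example and not code from the plug_content_security_policy project. It shows the nonce travelling from the plug to an inline script and how to check that end to end: a minimal Plug.Router requests a nonce for script_src, emits it on one inline script and deliberately omits it on a second, and an ExUnit test confirms that the same nonce appears in the header and the body and that a second request receives a different one. The module names and file paths are assumptions, as is the header serialization `'nonce-<value>'`; that is the CSP spec's syntax for a nonce source, but this README does not state the plug's exact output.

```elixir
# Added example, not from the plug_content_security_policy project.
# Assumes :plug and :plug_content_security_policy are in deps.
defmodule NonceDemo.Router do
  use Plug.Router

  # Runs before :match so the nonce is already in conn.assigns when the
  # route body executes.
  plug PlugContentSecurityPolicy,
    nonces_for: [:script_src],
    directives: %{
      default_src: ~w('none'),
      script_src: ~w('self')
    }

  plug :match
  plug :dispatch

  get "/" do
    # Generated per request by the plug. It is not user input, so
    # interpolating it into an attribute is safe.
    nonce = conn.assigns[:script_src_nonce]

    body = """
    <!doctype html>
    <html><body>
      <script nonce="#{nonce}">console.log("runs: nonce matches the header");</script>
      <script>console.log("blocked: no nonce and 'unsafe-inline' is not set");</script>
    </body></html>
    """

    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, body)
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end

# test/nonce_demo_router_test.exs (assumed path)
defmodule NonceDemo.RouterTest do
  use ExUnit.Case, async: true
  import Plug.Test

  @opts NonceDemo.Router.init([])

  defp request, do: NonceDemo.Router.call(conn(:get, "/"), @opts)

  test "nonce in the header matches the nonce in the body" do
    conn = request()
    nonce = conn.assigns[:script_src_nonce]
    [csp] = Plug.Conn.get_resp_header(conn, "content-security-policy")

    assert is_binary(nonce) and nonce != ""
    # Nonce source expression syntax from the CSP spec (assumed serialization).
    assert csp =~ "'nonce-#{nonce}'"
    assert conn.resp_body =~ ~s(nonce="#{nonce}")
  end

  test "each response gets a fresh nonce" do
    refute request().assigns[:script_src_nonce] == request().assigns[:script_src_nonce]
  end
end
```

Load the page with the browser console open: the first script logs, the second is refused with a CSP error, which is exactly the behaviour you want for attacker-injected markup. In a Phoenix application the same value is reachable in templates as `@script_src_nonce`, since assigns are passed through to the view.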
To send the policy in report-only mode, set report_only: true in your config and provide a report_uri. The header is then emitted as Content-Security-Policy-Report-Only: browsers report violations to report_uri but block nothing, which makes this the safe way to trial a policy before enforcing it.

```elixir
config :plug_content_security_policy,
  report_only: true,
  directives: %{
    report_uri: "/csp-violation-report-endpoint/"
  }
```

You can configure the CSP directives using Mix. The default configuration is shown below:
```elixir
config :plug_content_security_policy,
  nonces_for: [],
  report_only: false,
  directives: %{
    default_src: ~w('none'),
    connect_src: ~w('self'),
    child_src: ~w('self'),
    img_src: ~w('self'),
    script_src: ~w('self'),
    style_src: ~w('self')
  }
```

Values should be passed to each directive as a list of strings, one per source expression. Keyword sources such as 'self', 'none' and 'unsafe-inline' must keep their single quotes, as in ~w('self') above; scheme and host sources such as https: or cdn.example.com are written without quotes. Please see the CSP spec for the full list of directives and valid source expressions.
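Reports posted to report_uri arrive as unauthenticated JSON from arbitrary browsers, and this README does not supply an endpoint for them. The following is an added example, not part of the plug_content_security_policy project: a small Plug that accepts reports at the /csp-violation-report-endpoint/ path used in the report-only configuration above, bounds the body size, extracts the spec-defined fields, logs them and answers 204, and rejects anything else with 400. The module name, the size limit and the use of Jason as the JSON decoder are assumptions, and the sample report in the test is constructed.

```elixir
# Added example, not from the plug_content_security_policy project.
# Assumes :plug and :jason are in deps.
defmodule CspReportPlug do
  @moduledoc """
  Receives violation reports that browsers POST to the CSP report_uri
  (assumed here to be /csp-violation-report-endpoint/).
  """
  @behaviour Plug
  require Logger

  # Browsers send `Content-Type: application/csp-report` with a JSON body
  # wrapped in a "csp-report" object. Reports are untrusted input from any
  # client on the internet, so cap the size and take only known fields.
  @max_body 16_384
  @path "/csp-violation-report-endpoint/"

  @report_fields ~w(document-uri violated-directive effective-directive blocked-uri
                    source-file line-number column-number original-policy)

  @impl true
  def init(opts), do: opts

  @impl true
  def call(%Plug.Conn{method: "POST", request_path: @path} = conn, _opts) do
    with {:ok, body, conn} <- Plug.Conn.read_body(conn, length: @max_body),
         {:ok, summary} <- summarize(body) do
      Logger.warning("CSP violation: #{inspect(summary)}")
      conn |> Plug.Conn.send_resp(204, "") |> Plug.Conn.halt()
    else
      # {:more, _, _} means the body exceeded @max_body; anything else is malformed.
      _ -> conn |> Plug.Conn.send_resp(400, "") |> Plug.Conn.halt()
    end
  end

  # Not a report request: let the rest of the pipeline handle it.
  def call(conn, _opts), do: conn

  @doc "Extracts the well-known report fields; {:error, :invalid} for anything else."
  def summarize(body) when is_binary(body) do
    case Jason.decode(body) do
      {:ok, %{"csp-report" => report}} when is_map(report) ->
        {:ok, Map.take(report, @report_fields)}

      _ ->
        {:error, :invalid}
    end
  end
end

# test/csp_report_plug_test.exs (assumed path)
defmodule CspReportPlugTest do
  use ExUnit.Case, async: true

  # Constructed sample of a browser report; field names are from the CSP spec.
  @sample ~s({"csp-report":{"document-uri":"https://app.example/","violated-directive":"script-src","blocked-uri":"inline","original-policy":"default-src 'none'; script-src 'self'"}})

  test "summarizes a well-formed report" do
    assert {:ok, %{"violated-directive" => "script-src", "blocked-uri" => "inline"}} =
             CspReportPlug.summarize(@sample)
  end

  test "rejects bodies that are not CSP reports" do
    assert {:error, :invalid} = CspReportPlug.summarize("not json")
    assert {:error, :invalid} = CspReportPlug.summarize(~s({"foo": 1}))
  end

  test "answers 204 for a report and passes other requests through" do
    conn =
      Plug.Test.conn(:post, "/csp-violation-report-endpoint/", @sample)
      |> Plug.Conn.put_req_header("content-type", "application/csp-report")
      |> CspReportPlug.call([])

    assert conn.status == 204 and conn.halted
    refute CspReportPlug.call(Plug.Test.conn(:get, "/"), []).halted
  end
end
```

Place this plug ahead of Plug.Parsers, or add "application/csp-report" to the parsers' :pass option; otherwise Plug.Parsers answers 415 for the unknown content type before the report is read. The endpoint must also be exempt from CSRF protection and must not require a session, because the browser posts the report without either. report-uri is deprecated in CSP Level 3 in favour of report-to and the Reporting API, but it remains the option with the broadest browser support.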
To request that a nonce be generated for a directive, pass its key to nonces_for:

```elixir
config :plug_content_security_policy,
  nonces_for: [:script_src]
```

To set up a development checkout and run the test suite:

```sh
bin/setup
bin/test
```