docs: explain csp config

Signed-off-by: Andres Correa Casablanca <[email protected]>
kindspells · Mar 26, 2024 · 4cd4de4 · 4cd4de4
1 parent 3fa577e
commit 4cd4de4
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -65,15 +65,45 @@ export default defineConfig({
       // parameter if you don't need this data, but it can be useful to
       // configure your CSP policies.
       sriHashesModule: resolve(rootDir, 'src', 'utils', 'sriHashes.mjs'),
+
+      // - If set, it controls how the security headers will be generated in the
+      //   middleware.
+      // - If not set, no security headers will be generated in the middleware.
+      securityHeaders: {
+        // For now, we can only control CSP headers, but we'll add more options
+        // in the future.
+        // - If set, it controls how the CSP (Content Security Policy) header will be
+        //   generated in the middleware.
+        // - If not set, no CSP header will be generated in the middleware.
+        contentSecurityPolicy: {
+          // - If set, it controls the "default" CSP directives (they can be overriden
+          //   at runtime).
+          // - If not set, the middleware will use a minimal set of default directives.
+          cspDirectives: {
+            'default-src': "'none'",
+          }
+        }
+      }
     })
   ]
 })
 ```
 
 ### Generating Content-Security-Policy Headers
 
-Although `@kindspells/astro-shield` does not generate CSP headers for you (yet),
-it will make it much easier.
+You can enable automated CSP headers generation by setting the option
+`securityHeaders.contentSecurityPolicy` (it can be an empty object if you don't
+need to customise any specific behavior, but it must be defined).
+
+Besides enabling CSP, you can also configure its directives to some extent, via
+the `cspDirectives` option.
+
+> [!INFO]
+> It is advisable to set the option `sriHashesModule` in case your dynamic pages
+> include static JS or CSS resources (also: do not explicitly disable the
+> `enableStatic_SRI` option if you want support for those static assets).
+
+### Accessing metadata generated at build time
 
 Once you run `astro build`, `@kindspells/astro-shield` will analyse the static
 output and generate a new module that exports the SRI hashes, so you can use

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "@kindspells/astro-shield",
-	"version": "1.1.0",
+	"version": "1.2.0",
 	"description": "Astro integration to enhance your website's security with SubResource Integrity hashes, Content-Security-Policy headers, and other techniques.",
 	"private": false,
 	"type": "module",