jekyll-content-security-policy-generator

jekyll-content-security-policy-generator

This Jekyll plugin generates a content-security-policy HTML meta tag for your static site based on images, styles, scripts, frames and more found within each static page. Also converts style attributes to style tags and generates SHA256 hashes for them.

#jekyll#inline-scripts#nokogiri#content-security-policy#xss#static-site#plugin#jekyll-plugin#ruby
jekyll logo

Want a Jekyll website built?

Hire a Jekyll developer
Download

jekyll-content-security-policy-generator Plugin

This Jekyll plugin automatically builds an HTML content-security-policy for a Jekyll site. The plugin will scan .html files generated by Jekyll and attempt to locate images, styles, scripts, frames etc and build a content security policy HTML meta tag. The script will also generate SHA256 hashes for inline scripts and styles. If the script finds elements with style attributes <div style="color: red"></div>, the script will extract the style information and build a style element to which will also pass through the content security policy generation.

Goal

To speed up development of Jekyll based sites whilst also helping to generate secure HTML files protected from XSS.

Features

  • Scans for .html files generated by Jekyll.
  • Finds inline scripts such as <script>alert("Hello World!");</script> and generates an SHA256 hash.
  • Finds inline styles such as <style>.hello { color: "red"; }</style> and generates an SHA256 hash.
  • Creates or reuses an HTTP meta tag for the content security policy.
  • Finds all images, styles, scripts and frames with external URLs and builds CSP.
  • Converts style attributes into <style> elements.
  • If a page already has a content-security-policy tag, (such as your index.html file), the script will reuse it.
  • Image URLs such as https://strongscot.com/images/logo.svg will have a rule such as https://strongscot.com/images/

Upcoming Features

  • Ability to specify how lax the domain rules can be. For example, https://strongscot.com/images/logo.svg would be converted to https://strongscot.com/images/ under strict and https://strongscot.com under relaxed.
  • Ability in site.yaml file to specify what files it should parse, at the moment its only .html.

Installation

Add the plugin your Gemfile within the jekyll_plugins group:

group :jekyll_plugins do
  gem 'jekyll-content-security-policy-generator'
  ... other gem files
end

Then install

bundle install

Nokogiri Error on Mac?

For some reason, Nokogiri will install with both the ARM (M1) and x86 variants which will confuse bundler. Best way I found to fix this was to open the Gemfile.lock and remove the:

nokogiri (1.11.3-arm64-darwin)
  racc (~> 1.4)

Or the x86 if you have an M1 mac.

Alternatively, you can add nokogiri to your Gemfile, like so:

group :jekyll_plugins do
  gem 'nokogiri'
  gem 'jekyll-content-security-policy-generator'
  ... other gem files
end

Support

https://strongscot.com

minimalacademicresumeportfoliodocumentationwikitailwindbootstrapdarkecommercegithub-pagesblog
jekyll logo

Want a Jekyll website built?

Hire a Jekyll developer