{"id":22627,"library":"vite-plugin-csp","title":"vite-plugin-csp","description":"A Vite plugin that generates Content Security Policy meta tags and HTTP headers (CSP, CSP Report-Only, Report-To, Referrer-Policy) from all sources in the final HTML. Current stable version is 1.1.2 (June 2022). Uses csp-typed-directives for typed CSP directives. Compatible with csp-html-webpack-plugin configuration. No official releases since 2022; project appears in maintenance mode. Key differentiators: automated policy generation from Vite build output, TypeScript support, and header validation.","status":"maintenance","version":"1.1.2","language":"javascript","source_language":"en","source_url":"https://github.com/josh-hemphill/vite-plugin-csp","tags":["javascript","vite-plugin","CSP","CSPs","header","security","generate","typescript"],"install":[{"cmd":"npm install vite-plugin-csp","lang":"bash","label":"npm"},{"cmd":"yarn add vite-plugin-csp","lang":"bash","label":"yarn"},{"cmd":"pnpm add vite-plugin-csp","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"peer dependency","package":"vite","optional":false}],"imports":[{"note":"Default export; named export does not exist in published bundle.","wrong":"import { ViteCspPlugin } from 'vite-plugin-csp'","symbol":"ViteCspPlugin","correct":"import ViteCspPlugin from 'vite-plugin-csp'"},{"note":"CommonJS require works; destructuring will fail.","wrong":"const { ViteCspPlugin } = require('vite-plugin-csp')","symbol":"ViteCspPlugin","correct":"const ViteCspPlugin = require('vite-plugin-csp')"},{"note":"Type is exported from types file; available for TypeScript users.","wrong":"","symbol":"type CspOptions","correct":"import type { CspOptions } from 'vite-plugin-csp'"}],"quickstart":{"code":"// vite.config.ts\nimport { defineConfig } from 'vite';\nimport ViteCspPlugin from 'vite-plugin-csp';\n\nexport default defineConfig({\n  plugins: [\n    ViteCspPlugin({\n      policies: {\n        'script-src': [\"'self'\", 
'https://apis.google.com'],\n        'style-src': [\"'self'\", \"'unsafe-inline'\"],\n      },\n      hashEnabled: true,\n      nonceEnabled: false,\n    }),\n  ],\n});","lang":"typescript","description":"Demonstrates minimal Vite CSP plugin configuration with custom policies. Note that 'unsafe-inline' in style-src allows every inline style, and browsers ignore it once the same directive also carries a hash or nonce; drop it if hashed styles are sufficient."},"warnings":[{"fix":"Use absolute paths or resolve manually with path.resolve(__dirname, ...).","message":"Relative module paths are resolved relative to CWD, not the file location.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Do not use in SSR environments, and do not rely on nonce-based CSP with this plugin.","message":"No SSR support (and thus no nonce support).","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Add other directives manually if needed; plugin ignores them.","message":"Only script and style related directives are supported (except report-to).","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Manually include inline script hashes in policy.","message":"No parsing of JS embedded sources (requires framework-specific plugins).","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Evaluate vite-plugin-csp2 or other actively maintained CSP plugins; confirm the package name, publisher and repository on the npm registry before installing.","message":"Project has not been updated since June 2022; consider alternatives for active development.","severity":"deprecated","affected_versions":">=1.1.2"}],"env_vars":null,"last_verified":"2026-04-27T00:00:00.000Z","next_check":"2026-07-26T00:00:00.000Z","problems":[{"fix":"Use import ViteCspPlugin from 'vite-plugin-csp' (no braces).","cause":"Named import used for default export.","error":"Module \"vite-plugin-csp\" has no exported member 'ViteCspPlugin'."},{"fix":"Add \"types\": [\"vite-plugin-csp\"] in tsconfig or ensure moduleResolution is 'node'.","cause":"TypeScript may not resolve types if skipLibCheck is false and types are missing.","error":"Cannot find module 'vite-plugin-csp' or its corresponding type declarations."},{"fix":"Remove unsupported directives from policy; only 'script-src', 'style-src', and 
'report-to' work.","cause":"Used directive like 'img-src' which is not supported.","error":"Error: The csp plugin only supports scripts and styles."},{"fix":"Set nonceEnabled: false or avoid SSR.","cause":"Used nonceEnabled: true with SSR.","error":"Error: Nonce generation is not supported in server-side rendering."}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}