# PlugContentSecurityPolicy

[![Build Status](
"Build Status")](

This is a [Plug][plug] module for inserting a [Content Security Policy][csp]
header into the response. It supports generating nonces for inline `<script>`
and `<style>` tags [as specified in CSP Level 2][nonces].

## Installation

Add `plug_content_security_policy` to the list of dependencies in your `mix.exs`:

def deps do
    {:plug_content_security_policy, "~> 0.1.0"}

## Usage

Add the `PlugContentSecurityPolicy` module to your pipeline:

defmodule YourApp.Endpoint do
  # Use application config
  plug PlugContentSecurityPolicy

  # Pass configuration explicitly
  plug PlugContentSecurityPolicy,
    nonces_for: [:style_src],
    directives: %{script_src: ~w(https: 'self')}

If nonces are requested for any directives, they will be available in the
`assigns` map of the `conn` as `<directive>_nonce` — e.g.,
`conn.assigns[:style_src_nonce]` — and the nonce will be inserted into the
CSP header.

### Report-Only Mode

In order to use the [report-only header][report-only], set `report_only: true`
in your config and provide a `report_uri`:

config :plug_content_security_policy,
  report_only: true,
  directives: %{
    report_uri: "/csp-violation-report-endpoint/"

## Configuration

You can configure the CSP directives using Mix. The default configuration
is shown below:

config :plug_content_security_policy,
  nonces_for: [],
  report_only: false,
  directives: %{
    default_src: ~w('none'),
    connect_src: ~w('self'),
    child_src: ~w('self'),
    img_src: ~w('self'),
    script_src: ~w('self'),
    style_src: ~w('self')

Values should be passed to each directive as a list of strings.
Please see the CSP spec for
[a full list of directives and valid attributes][directives].

To request that a nonce be generated for a directive, pass its key
to `nonces_for`:

config :plug_content_security_policy,
  nonces_for: [:script_src]


## Development

### Setup


### Running the tests


## License