Feat/nonces ssr (#230)

Author: tsotimus

.github/ISSUE_TEMPLATE/generic-bug-report.md

@@ -3,7 +3,7 @@ name: Generic Bug Report
 about: A non framework/library specific bug report
 title: "[BUG]"
 labels: bug
-assignees: RockiRider
+assignees: tsotimus
 
 ---
 

.github/ISSUE_TEMPLATE/react-bug-report.md

@@ -3,7 +3,7 @@ name: React Bug Report
 about: React specific bug report
 title: "[BUG]"
 labels: bug, react
-assignees: RockiRider
+assignees: tsotimus
 
 ---
 

.github/pull_request_template.md

@@ -1,4 +1,4 @@
-## Key Changes
+# Key Changes
 
 - Change 1
 

.github/workflows/triage.yml

@@ -21,10 +21,13 @@ jobs:
       - run: corepack --version
 
       - run: pnpm install
+      
       - name: Build All Publishable Packages
         run: pnpm p:build
+
       - name: Run Unit Tests
         run: pnpm p:test
+
       - name: Build Apps
         run: pnpm build
 

README.md

@@ -1,15 +1,22 @@
-# Repo for all things CSP related
+# Vite Plugin CSP Guard
 
-## What's inside?
+<!-- BEGIN BADGES -->
+[![npm version](https://img.shields.io/npm/v/vite-plugin-csp-guard)](https://www.npmjs.com/package/vite-plugin-csp-guard)
+[![npm downloads](https://img.shields.io/npm/dt/vite-plugin-csp-guard)](https://www.npmjs.com/package/vite-plugin-csp-guard)
+[![npm weekly downloads](https://img.shields.io/npm/dw/vite-plugin-csp-guard)](https://www.npmjs.com/package/vite-plugin-csp-guard)
+[![License](https://img.shields.io/npm/l/vite-plugin-csp-guard)](https://github.com/tsotimus/vite-plugin-csp-guard/blob/main/LICENSE)
+[![GitHub stars](https://img.shields.io/github/stars/tsotimus/vite-plugin-csp-guard?style=social)](https://github.com/tsotimus/vite-plugin-csp-guard)
+<!-- END BADGES -->
+
+This is a monorepo for the Vite Plugin CSP Guard.
 
-This is a turborepo monorepo using pnpm.
+## What's inside?
 
 All the apps under `/apps` are used to test the plugin.
 
-All the packages under `/packages` include the packages im building, as well as some others.
+All the packages under `/packages` include the packages im building, as well as some utilities.
 
 - [Vite Plugin CSP Guard](https://npmjs.com/package/vite-plugin-csp-guard)
-- [CSP Toolkit](https://npmjs.com/package/csp-toolkit)
 
 ## Documentation you might be looking for
 

apps/docs/pages/guides/mpa.mdx

@@ -3,45 +3,14 @@ import { Callout } from "nextra-theme-docs";
 # Multi-Page Applications (MPAs)
 
 <Callout type="info">
-Examples of MPA frameworks include Nuxt.js, Remix, and others.
+Examples of MPA frameworks include Nuxt, Remix, and others.
 </Callout>
 
 ## Current Status
 
 ### The Bad News
-The **Vite Plugin CSP Guard** currently does not support Multi-Page Applications (MPAs). Unfortunately, this limitation is unlikely to change due to the inherent differences between how MPAs operate in Vite.
+The **Vite Plugin CSP Guard** package currently does not support Multi-Page Applications (MPAs). Unfortunately, this limitation is unlikely to change due to the inherent differences between how MPAs operate in Vite.
 
 ### The Good News
-We are actively working on solutions to bring CSP support to MPAs. While the main plugin does not support this today, additional packages are on the way to address these needs.
+You should be able to use the **CSP Toolkit** to generate a nonce & a CSP policy. Check out the [CSP Toolkit documentation](https://csp-toolkit.tsotne.co.uk) for more information. It has framework specific examples for popular frameworks.
 
----
-
-## Our Roadmap
-Here’s what we’re working on to support CSP in MPA environments:
-
-1. **Build a common toolkit** (✅ Done! Check out [CSP Toolkit](https://www.npmjs.com/package/csp-toolkit)).
-2. Develop **framework-specific solutions** tailored for popular MPA frameworks.
-3. Create a lightweight **Vite Server solution** focused solely on attaching nonces.
-
----
-
-## What You Can Do in the Meantime
-
-MPAs typically have access to a server, making it feasible to implement a **nonce-based CSP**. Here’s how you can set up your CSP for MPAs:
-
-### Steps to Implement a Nonce-Based CSP
-
-1. **Generate a new [nonce](https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce)** on every page request.  
-   *Use [CSP Toolkit](https://www.npmjs.com/package/csp-toolkit) to simplify this process.*
-
-2. **Add the nonce to the CSP header or meta tag.**  
-   Refer to the [MDN documentation on CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) for guidance on how to format the policy.
-
-3. **Attach the nonce to your script and style tags.**  
-   This ensures compliance with the CSP policy for inline scripts and styles.
-
----
-
-## Stay Tuned
-
-We are committed to supporting developers across all frameworks, including MPAs. Progress on our roadmap is ongoing, and you can expect updates soon. For now, implementing a nonce-based CSP is the best practice to secure your MPA.

apps/docs/pages/guides/spa.mdx

@@ -102,7 +102,7 @@ If you are using a library that dynamically injects CSS into the page (e.g., `st
 
 The only alternative is to move to a server and use nonce-based CSPs.
 
-We are actively working to find a solution to this [issue](https://github.com/RockiRider/vite-plugin-csp-guard/issues/2), but there isn't much support for hash-based CSPs in those libraries yet.
+We are actively working to find a solution to this [issue](https://github.com/tsotimus/vite-plugin-csp-guard/issues/2), but there isn't much support for hash-based CSPs in those libraries yet.
 
 <Callout type="warning">
 There are risks to using `'unsafe-inline'` for your styles. However, most of these could potentially be mitigated by the rest of the CSP. [Read more about this here](https://scotthelme.co.uk/can-you-get-pwned-with-css/)

apps/docs/pages/index.mdx

@@ -1,4 +1,3 @@
-
 # Vite Plugin CSP Guard
 Simplify CSP setup for your Vite SPA with Vite Plugin CSP Guard! Say goodbye to the hassle of managing Content Security Policies and hello to an easy way to protect your app from XSS attacks.
 
@@ -17,16 +16,16 @@ Here is a quick overview of the technologies we support, categorized by the leve
 
 | Framework/Library  | Support Level           | Notes                                                      |
 |--------------------|-------------------------|------------------------------------------------------------|
-| React              | ✅ Out of the Box        |                                                            |
+| React              | ✅ Out of the Box       |                                                            |
 | Vue                | ⚙️ Small Extra Config    | Requires `outlierSupport: ["vue"]` in [config](/api-docs/#dev) |
-| Svelte             | ✅ Out of the Box        |                                                            |
-| Solid              | ✅ Out of the Box        |                                                            |
-| Quik               | ❌ Not Supported         | We are actively working on a solution for this.            |
-| Lit                | ❌ Not Supported         |                                                            |
-| Remix              | ❌ Not Supported         |                                                            |
-| Remix SPA Mode     | ❌ Not Supported         | We are working on a solution for this.                     |
-| Nuxt (Vue)         | ❌ Not Supported         |                                                            |
-| Astro              | ❌ Not Supported         |                                                            |
+| Svelte             | ✅ Out of the Box       |                                                            |
+| Solid              | ✅ Out of the Box       |                                                            |
+| Quik               | ❌ Not Supported        | We are actively working on a solution for this.            |
+| Lit                | ❌ Not Supported        |                                                            |
+| Remix              | ℹ️ See MPA Guide        | [MPA Guide](/guides/mpa)                                   |
+| Remix SPA Mode     | ❌ Not Supported        | We are working on a solution for this.                     |
+| Nuxt (Vue)         | ℹ️ See MPA Guide        |                                                            |
+| Astro              | ❌ Not Supported        |                                                            |
 
 ### CSS Solutions
 

apps/docs/pages/toolkit.mdx

@@ -1,9 +1,9 @@
 export default {
   logo: <span style={{ fontWeight: 600 }}>Vite CSP Guard</span>,
   project: {
-    link: "https://github.com/RockiRider/csp",
+    link: "https://github.com/tsotimus/vite-plugin-csp-guard",
   },
-  docsRepositoryBase: "https://github.com/RockiRider/csp/tree/main/apps/docs",
+  docsRepositoryBase: "https://github.com/tsotimus/vite-plugin-csp-guard/tree/main/apps/docs",
   useNextSeoProps() {
     return {
       titleTemplate: "%s | Vite CSP Guard",

apps/docs/theme.config.jsx

@@ -12,17 +12,17 @@
     "typecheck": "tsc"
   },
   "dependencies": {
-    "@remix-run/node": "^2.10.3",
-    "@remix-run/react": "^2.10.3",
-    "@remix-run/serve": "^2.10.3",
+    "@remix-run/node": "^2.16.0",
+    "@remix-run/react": "^2.16.0",
+    "@remix-run/serve": "^2.16.0",
     "isbot": "^4.1.0",
     "react": "^18.2.0",
     "react-dom": "^18.2.0"
   },
   "devDependencies": {
-    "@remix-run/dev": "^2.10.3",
-    "@repo/typescript-config": "workspace:^",
+    "@remix-run/dev": "^2.16.0",
     "@repo/testing": "workspace:^",
+    "@repo/typescript-config": "workspace:^",
     "@types/react": "^18.2.20",
     "@types/react-dom": "^18.2.7",
     "@typescript-eslint/eslint-plugin": "^6.7.4",
@@ -37,8 +37,8 @@
     "postcss": "^8.4.38",
     "tailwindcss": "^3.4.4",
     "vite": "^5.1.0",
-    "vite-tsconfig-paths": "^4.2.1",
-    "vite-plugin-csp-guard": "workspace:^"
+    "vite-plugin-csp-guard": "workspace:^",
+    "vite-tsconfig-paths": "^4.2.1"
   },
   "engines": {
     "node": ">=20.0.0"

apps/remix-spa/package.json

@@ -13,7 +13,7 @@ export default defineConfig({
       },
       ssr: false,
     }),
-    tsconfigPaths(),
+    tsconfigPaths() as PluginOption,
     csp({
       dev: {
         run: true,