-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathhash-inline-scripts.js
More file actions
executable file
·100 lines (79 loc) · 2.68 KB
/
hash-inline-scripts.js
File metadata and controls
executable file
·100 lines (79 loc) · 2.68 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#!/usr/bin/env node
/**
* Generate SHA-256 hashes for inline scripts in index.html
* Used for CSP script-src directive
*/
import crypto from 'crypto';
import fs from 'fs';
import path from 'path';
import { fileURLToPath } from 'url';
import { dirname } from 'path';
const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename);
const INDEX_HTML = path.join(__dirname, 'dist', 'index.html');
/**
* Generate SHA-256 hash for inline script content
*/
function generateScriptHash(content) {
const hash = crypto.createHash('sha256').update(content).digest('base64');
return `'sha256-${hash}'`;
}
/**
* Extract inline scripts from HTML
*/
function extractInlineScripts(html) {
const scripts = [];
const scriptRegex = /<script>([\s\S]*?)<\/script>/g;
let match;
while ((match = scriptRegex.exec(html)) !== null) {
const content = match[1];
// Skip JSON-LD scripts
if (content.trim().startsWith('{')) {
continue;
}
scripts.push(content);
}
return scripts;
}
/**
* Main execution
*/
function main() {
console.log('🔐 Generating hashes for inline scripts...\n');
if (!fs.existsSync(INDEX_HTML)) {
console.error('❌ index.html not found');
process.exit(1);
}
const html = fs.readFileSync(INDEX_HTML, 'utf8');
const scripts = extractInlineScripts(html);
if (scripts.length === 0) {
console.log('✓ No inline scripts found');
return;
}
console.log(`Found ${scripts.length} inline script(s):\n`);
const hashes = [];
scripts.forEach((script, index) => {
const hash = generateScriptHash(script);
hashes.push(hash);
const preview = script.trim().substring(0, 80).replace(/\n/g, ' ');
console.log(`Script ${index + 1}:`);
console.log(` Preview: ${preview}...`);
console.log(` Hash: ${hash}`);
console.log('');
});
console.log('📋 CSP script-src directive (add these hashes):');
console.log('');
console.log(`script-src 'self' ${hashes.join(' ')} https://*.cloudflare.com https://*.google.com https://*.googleapis.com https://*.googlesyndication.com https://*.doubleclick.net https://*.googletagmanager.com https://*.google-analytics.com https://*.gstatic.com;`);
console.log('');
console.log('✅ Add these hashes to your CSP in server.js');
console.log(' Remove \'unsafe-inline\' and \'unsafe-eval\' after adding hashes');
// Save hashes to file for reference
const hashesFile = path.join(__dirname, 'inline-script-hashes.json');
fs.writeFileSync(hashesFile, JSON.stringify({
hashes,
generated: new Date().toISOString(),
cspDirective: `script-src 'self' ${hashes.join(' ')}`
}, null, 2));
console.log(`\n💾 Hashes saved to: ${hashesFile}`);
}
main();