Astro 5.9 has got your site on lockdown, with experimental support for Content Security Policy, rendering Markdown in content loaders, and more!

Cross-site scripting (XSS) attacks are some of the most common threats faced by websites. By default, web pages can load whichever scripts and styles they want, from wherever they want. The most powerful defense against XSS attacks is to limit this. A Content Security Policy (CSP) lets you do that, with tools to lock down the page to a list of trusted resources.

Astro 5.9 introduces experimental support for CSP out of the box, making it easier to secure your Astro projects. This is Astro’s most upvoted feature request so far, and we certainly took our time to implement it. We hope this is worth the wait!

We designed the feature to work in all Astro render modes (static pages, dynamic pages and single page applications), with maximum flexibility and type-safety in mind. You can ditch the unpleasant unsafe-inline workaround, use all the Astro features that you like, any adapter for any runtime, and add an extra layer of security to your site. An Astro CSP solution must work everywhere with any library, using approaches like the nonce header or calculating hashes of resources.

Upgrade to Astro 5.9 now for enhanced site security and features! Read the full documentation for more details.
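
The hash approach mentioned above, sketched as an added example (this is not Astro's code and not part of the announcement): it hashes each inline script on a constructed page, builds a policy without unsafe-inline, and models how a browser would treat a script that is not on the list. The names `PAGE`, `cspHash`, `inlineScripts`, `buildPolicy` and `isInlineAllowed` are assumptions made for the illustration.

```javascript
// Added example: hash-based CSP for inline scripts. Not Astro's implementation.
const { createHash } = require("node:crypto");

// Constructed sample page: one external script, one inline script.
const PAGE = `<html><head>
<script src="/app.js"></script>
<script>document.documentElement.dataset.theme = "dark";</script>
</head><body><h1>Hello</h1></body></html>`;
// Constructed stand-in for script text that was injected into the page.
const INJECTED = "alert(1)";

// A CSP hash source is the base64 SHA-256 digest of the exact script text.
function cspHash(content) {
  const digest = createHash("sha256").update(content, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Bodies of inline <script> elements (no src attribute). A regex is enough
// for the constructed page; a build tool would use a real HTML parser.
function inlineScripts(html) {
  const found = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    if (!/\bsrc\s*=/i.test(attrs)) found.push(body);
  }
  return found;
}

// Policy that trusts same-origin files plus exactly the inline scripts shipped.
function buildPolicy(html) {
  const hashes = [...new Set(inlineScripts(html).map(cspHash))];
  return `default-src 'self'; script-src ${["'self'", ...hashes].join(" ")}`;
}

// Simplified model of the browser's inline-script decision for script-src.
function isInlineAllowed(policy, scriptBody) {
  const directive = policy.split(";").map((d) => d.trim())
    .find((d) => d.startsWith("script-src "));
  if (!directive) return false; // default-src fallback is not modelled here
  const sources = directive.split(/\s+/).slice(1);
  const strict = sources.some((s) => /^'(sha(256|384|512)|nonce)-/.test(s));
  // Browsers ignore 'unsafe-inline' once a hash or nonce source is present.
  if (!strict && sources.includes("'unsafe-inline'")) return true;
  return sources.includes(cspHash(scriptBody));
}

const policy = buildPolicy(PAGE);
console.log(policy);
console.log("shipped inline script allowed:", isInlineAllowed(policy, inlineScripts(PAGE)[0]));
console.log("injected script allowed:", isInlineAllowed(policy, INJECTED));
```

Because the digest covers the exact script text, any change to an inline script, whitespace included, needs a fresh hash, so the hashes have to be computed over the final rendered output.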