Choose a version:

createContentSecurityPolicy

Create a content security policy to secure your application. The default content security policy includes exclusions for cdn.shopify.com and a script nonce.

Anchor to createContentSecurityPolicy
createContentSecurityPolicy(
props
)

Anchor to createContentSecurityPolicy-parametersParameters

Anchor to props props &

Anchor to createContentSecurityPolicy-returnsReturns

CreateContentSecurityPolicy

baseUri
```
DirectiveValues
```
blockAllMixedContent
```
boolean
```
childSrc
```
DirectiveValues
```
connectSrc
```
DirectiveValues
```
defaultSrc
```
DirectiveValues
```
fontSrc
```
DirectiveValues
```
formAction
```
DirectiveValues
```
frameAncestors
```
DirectiveValues
```
frameSrc
```
DirectiveValues
```
imgSrc
```
DirectiveValues
```
manifestSrc
```
DirectiveValues
```
mediaSrc
```
DirectiveValues
```
navigateTo
```
DirectiveValues
```
objectSrc
```
DirectiveValues
```
pluginTypes
```
DirectiveValues
```
prefetchSrc
```
DirectiveValues
```
reportTo
```
DirectiveValues
```
reportUri
```
DirectiveValues
```
sandbox
```
DirectiveValues
```
scriptSrc
```
DirectiveValues
```
scriptSrcElem
```
DirectiveValues
```
styleSrc
```
DirectiveValues
```
upgradeInsecureRequests
```
boolean
```
workerSrc
```
DirectiveValues
```

DirectiveValues

string[] | string | boolean

ShopProp

shop
Shop specific configurations
```
ShopifyDomains
```

ShopifyDomains

checkoutDomain
The production shop checkout domain url.
```
string
```
storeDomain
The production shop domain url.
```
string
```

ContentSecurityPolicy

header
The content security policy header
```
string
```
nonce
A randomly generated nonce string that should be passed to any custom `script` element
```
string
```
NonceProvider
Represents any user-defined component, either as a function or a class. Similar to , but with extra properties like and .
```
ComponentType<{children: ReactNode}>
```

Examples

import {ServerRouter} from 'react-router';

import {isbot} from 'isbot';

import {renderToReadableStream} from 'react-dom/server';

import {createContentSecurityPolicy} from '@shopify/hydrogen';

export default async function handleRequest(

request,

responseStatusCode,

responseHeaders,

remixContext,

) {

const {nonce, header, NonceProvider} = createContentSecurityPolicy({

// pass a custom directive to load content from a third party domain

styleSrc: [

"'self'",

'https://cdn.shopify.com',

'https://some-custom-css.cdn',

});

const body = await renderToReadableStream(

</NonceProvider>,

{

nonce,

signal: request.signal,

onError(error) {

// eslint-disable-next-line no-console

console.error(error);

responseStatusCode = 500;

);

if (isbot(request.headers.get('user-agent'))) {

await body.allReady;

}

responseHeaders.set('Content-Type', 'text/html');

responseHeaders.set('Content-Security-Policy', header);

return new Response(body, {

headers: responseHeaders,

status: responseStatusCode,

});

}

Examples

Example code

JavaScript

import {ServerRouter} from 'react-router';
import {isbot} from 'isbot';
import {renderToReadableStream} from 'react-dom/server';
import {createContentSecurityPolicy} from '@shopify/hydrogen';

export default async function handleRequest(
  request,
  responseStatusCode,
  responseHeaders,
  remixContext,
) {
  const {nonce, header, NonceProvider} = createContentSecurityPolicy({
    // pass a custom directive to load content from a third party domain
    styleSrc: [
      "'self'",
      'https://cdn.shopify.com',
      'https://some-custom-css.cdn',
    ],
  });
  const body = await renderToReadableStream(
    <NonceProvider>
      <ServerRouter context={remixContext} url={request.url} nonce={nonce} />
    </NonceProvider>,
    {
      nonce,
      signal: request.signal,
      onError(error) {
        // eslint-disable-next-line no-console
        console.error(error);
        responseStatusCode = 500;
      },
    },
  );

  if (isbot(request.headers.get('user-agent'))) {
    await body.allReady;
  }

  responseHeaders.set('Content-Type', 'text/html');
  responseHeaders.set('Content-Security-Policy', header);

  return new Response(body, {
    headers: responseHeaders,
    status: responseStatusCode,
  });
}

TypeScript

import type {EntryContext} from 'react-router';
import {ServerRouter} from 'react-router';
import {isbot} from 'isbot';
import {renderToReadableStream} from 'react-dom/server';
import {createContentSecurityPolicy} from '@shopify/hydrogen';

export default async function handleRequest(
  request: Request,
  responseStatusCode: number,
  responseHeaders: Headers,
  remixContext: EntryContext,
) {
  const {nonce, header, NonceProvider} = createContentSecurityPolicy({
    // pass a custom directive to load content from a third party domain
    styleSrc: [
      "'self'",
      'https://cdn.shopify.com',
      'https://some-custom-css.cdn',
    ],
  });
  const body = await renderToReadableStream(
    <NonceProvider>
      <ServerRouter context={remixContext} url={request.url} nonce={nonce} />
    </NonceProvider>,
    {
      nonce,
      signal: request.signal,
      onError(error) {
        // eslint-disable-next-line no-console
        console.error(error);
        responseStatusCode = 500;
      },
    },
  );

  if (isbot(request.headers.get('user-agent'))) {
    await body.allReady;
  }

  responseHeaders.set('Content-Type', 'text/html');
  responseHeaders.set('Content-Security-Policy', header);

  return new Response(body, {
    headers: responseHeaders,
    status: responseStatusCode,
  });
}

Anchor to RelatedRelated

useNonce

Script

Was this page helpful?

Anchor to createContentSecurityPolicycreateContentSecurityPolicy(propsprops)