heise PlusAbo
Anzeige

Web framework Astro 5.9 arms itself against XSS attacks

Experimental support for CSP is intended to help secure Astro applications against cross-site scripting attacks. There are also new features for Markdown.

listen Print view
Various icons on the subject of data protection. A security lock in the middle, a digital ID card to the left and a fingerprint to the right. Behind it is a person with both hands open, making it appear as if the security symbols are floating above them.

(Image: TierneyMJ/Shutterstock.com)

3 min. read
Developer
By

Version 5.9 of the JavaScript web framework Astro focuses on security and allows the experimental use of the Content Security Policy (CSP). The Astro team has also added a helper function for rendering Markdown content.

The new release can be installed using the automated CLI tool @astrojs/upgrade or manually via the package manager. The recommended method is npx (npx @astrojs/upgrade).

Videos by heise

CSP support against cross-site scripting

As the Astro team explains, cross-site scripting attacks (XSS) are among the most common attacks on websites. By default, websites can load any scripts and styles from any source. The best defense against XSS is therefore to restrict this. This is where the content security policy comes into play by restricting the targets to a list of trustworthy sources.

Read also

Astro 5.9 comes with experimental out-of-the-box support for CSP. CSP can therefore be used in all render modes (static pages, dynamic pages and single-page applications), whereby a high degree of flexibility and type security should be guaranteed. The unsafe-inline workaround should become superfluous as a result.

To use CSP in Astro, it is necessary to activate the experimental flag:

import { defineConfig } from "astro/config"

export default defineConfig({
    experimental: {
        csp: true
    }
})

Developers who already use the Content-Security-Policy header via middleware, for example, can continue to do so. The browser will then use the stricter policy of the header and the <meta> element. The latter can also be configured, for example, to change the default algorithm or add additional directives.

Markdown rendering in content loaders

In Astro, developers previously had to handle the parsing of Markdown themselves in order to render Markdown content in a content loader. According to the Astro team, this could lead to confusion as it did not match how Markdown rendering worked on other parts of the site and used a different configuration.

Therefore, Astro 5.9 adds a new helper function to the loader context: renderMarkdown. It allows the rendering of Markdown content directly within the loader. It uses the same settings and plug-ins as the renderer used for Markdown files in Astro, including the Markdown settings configured in the Astro project.

Other updates include the fact that standard styles for experimental responsive images can now be deactivated and Astro adapters can suppress logging for unsupported features.

Detailed information on the highlights in Astro 5.9 can be found on the Astro blog.

(mai)

Don't miss any news – follow us on Facebook, LinkedIn or Mastodon.

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.

Beliebte Bestenlisten

Alle Angebote
Newsletter heise-Bot heise-Bot Push Nachrichten Push Push-Nachrichten