From 14e731e8947178bd3db4cc9d3e21d0d3c74e7d48 Mon Sep 17 00:00:00 2001
From: Tobias Bengfort
Date: Tue, 9 Jan 2024 14:47:09 +0100
Subject: [PATCH] docs: add security warning (#615)

---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/README.md b/README.md
index 4d3e4ee..f85c3fe 100644
--- a/README.md
+++ b/README.md
@@ -70,6 +70,10 @@ module.exports = {
 };
 ```
 
+## Security Warning
+
+This loader is primarily meant for development. The default settings are not safe for production environments. See the [recommended example configuration](#recommended) and the section on [nonces](#nonce) for details.
+
 ## Options
 
 - [**`injectType`**](#injecttype)
@@ -964,6 +968,8 @@ module.exports = {
 
 ### Nonce
 
+If you are using a [Content Security Policy](https://www.w3.org/TR/CSP3/) (CSP), the injected code will usually be blocked. A workaround is to use a nonce. Note, however, that using a nonce significantly reduces the protection provided by the CSP. You can read more about the security impact in [the specification](https://www.w3.org/TR/CSP3/#security-considerations). The better solution is not to use this loader in production.
+
 There are two ways to work with `nonce`:
 
 - using the `attributes` option