Astro 5.11

By Emanuele Stoppa

More experimental Content Security Policy goodies, including serving the CSP using your preferred adapter!

Astro 5.11 is a small minor release that ships with new CSP features and the ability to opt out of HTML streaming when using the Node.js adapter.

To upgrade an existing project, use the automated @astrojs/upgrade CLI tool. Alternatively, upgrade manually by running the upgrade command for your package manager:

# Recommended:
npx @astrojs/upgrade
# Manual:
npm install astro@latest
pnpm upgrade astro --latest
yarn upgrade astro --latest

CSP with adapters

Up until now, static pages could only serve the Content Security Policy (CSP) header via the <meta http-equiv="content-security-policy"> element. This was an inconvenience for some users because some CSP directives such as report-uri, frame-ancestors, and sandbox are not supported in a <meta> element.

Starting in Astro 5.11.0, the official @astrojs/node, @astrojs/netlify, and @astrojs/vercel adapters can specify custom headers for prerendered pages. This means that these adapters can now set the CSP header for static pages, allowing support for all directives, even on prerendered pages.

This is an experimental feature available by enabling the new experimentalStaticHeaders adapter option:

astro.config.mjs

    import { defineConfig } from "astro/config";
    import node from "@astrojs/node";

    export default defineConfig({
      experimental: {
        csp: true
      },
      adapter: node({
        mode: "standalone",
        experimentalStaticHeaders: true
      })
    })

You can start using this feature today on Netlify, Vercel, and Node.js. Cloudflare support, which will use the _headers file, is coming soon.

Under the hood, the adapters leverage a new Adapter API feature called experimentalStaticHeaders. If you’re an adapter developer, you can now provide full CSP capabilities to your users.
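To check whether a built page is affected by the <meta> limitation described above, the following added example (not code from Astro or its adapters) audits a response's headers and HTML and reports which of the three <meta>-unsupported directives are not backed by a real CSP header. The function names and the sample responses are constructed for illustration.

```javascript
// Added example: audit how a built page delivers its CSP.
// Directives the article lists as unsupported in a <meta> element.
const META_UNSUPPORTED = new Set(["report-uri", "frame-ancestors", "sandbox"]);

// Split a serialized policy into its lowercase directive names.
function directiveNames(policy) {
  const names = [];
  for (const part of policy.split(";")) {
    const name = part.trim().split(/\s+/)[0].toLowerCase();
    if (name && !names.includes(name)) names.push(name);
  }
  return names;
}

// Collect policies from <meta http-equiv="content-security-policy"> tags.
// Simplification: a regex scan, adequate for generated HTML, not a full parser.
function metaPolicies(html) {
  const found = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    if (!/http-equiv\s*=\s*["']?content-security-policy\b/i.test(tag)) continue;
    const m = tag.match(/\scontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i);
    if (m) found.push(m[1] ?? m[2]);
  }
  return found;
}

// headers: plain object of response headers; html: response body.
function auditCsp(headers, html) {
  const header = Object.entries(headers)
    .find(([k]) => k.toLowerCase() === "content-security-policy")?.[1];
  const metas = metaPolicies(html);
  const droppedFromMeta = metas.flatMap((p) =>
    directiveNames(p).filter((d) => META_UNSUPPORTED.has(d)));
  const inHeader = header ? directiveNames(header) : [];
  return {
    delivery: header ? "header" : metas.length ? "meta" : "none",
    droppedFromMeta,
    // Dropped directives count as covered only if the header also carries them.
    uncovered: droppedFromMeta.filter((d) => !inHeader.includes(d)),
  };
}

// Constructed sample responses (not real Astro output).
const metaOnly = auditCsp({}, `<head><meta http-equiv="content-security-policy"
  content="default-src 'self'; frame-ancestors 'none'; report-uri /csp"></head>`);
const withHeader = auditCsp(
  { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; report-uri /csp" },
  "<head></head>");
console.log(metaOnly, withHeader);
```

A non-empty `uncovered` list means the page declares protections, such as `frame-ancestors`, that the browser will not enforce until the policy is served as a header.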

Disable HTML streaming

The @astrojs/node adapter can now be configured to disable HTML streaming for on-demand pages with the new experimentalDisableStreaming option.

HTML streaming helps with performance and generally provides a better visitor experience. In most cases, disabling streaming is not recommended.

However, when you need to disable HTML streaming (e.g. your host only supports non-streamed HTML caching at the CDN level), you can now opt out of the default behavior:

astro.config.mjs

    import { defineConfig } from 'astro/config';
    import node from '@astrojs/node';

    export default defineConfig({
      adapter: node({
        mode: 'standalone',
        experimentalDisableStreaming: true
      })
    });

Bug fixes

As always, we’ve been working hard on fixing issues since the 5.10 release. See the changelog for all the details.

Community

The Astro core team is:

Alexander Niebuhr, Ben Holmes, Caleb Jasik, Chris Swithinbank, Emanuele Stoppa, Erika, Florian Lefebvre, Fred Schott, Fuzzy, HiDeoo, Luiz Ferraz, Matt Kane, Matthew Phillips, Nate Moore, Reuben Tier, Sarah Rainsberger, and Yan Thomas.

Thanks to all the other contributors who helped make Astro 5.11 possible with code and docs additions and improvements, including:

Armand Philippot, coderfee, David Umoru, Dawid Gaweł, Durojaye Olusegun, Felix Eklöf, Fuan200, Happydev, Junseong Park, knj, Louis Escher, Martin Trapp, Matthew Justice, Michael Samoylov, michaltarasiuk, Nin3, Paul Valladares, pioupia, Rezix, Sgal Cheung, Thomas Bonnet, vivek lokhande, and vrabe.
