diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..dfe0770
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d63cb8d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,11 @@
+node_modules
+*.log
+.next
+.history
+package-lock.json
+yarn.lock
+notes.md
+.DS_Store
+src
+tsconfig.json
+.babelrc
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..a2d7edd
--- /dev/null
+++ b/README.md
@@ -0,0 +1,183 @@
+![Alt](/public/guy-dumais-logo.svg "Guy Dumais")
+
+# Next.js Strict Content Security Policy
+Hash-based Strict Content Security Policy generator for Next.js to protect a single-page app (SPA) against XSS and CSP bypass.
+
+## Why
+Based on a study from Google:
+1. 95% of real-world CSP deployments are bypassed.
+2. 99.34% of hosts with CSP use policies that offer no benefit against XSS.
+
+By using this package in your Next.js website you'll protect your single-page app (SPA) built with Next.js against XSS and CSP bypass.
+
+## How to install
+With NPM:
+```
+npm install next-strict-csp
+```
+
+With YARN:
+```
+yarn add next-strict-csp
+```
+
+## Basic usage
+Integrate the CSP generator in your `_document.tsx` this way:
+ 
+**_document.tsx**
+
+```
+...
+
+// Next.js libraries
+import Document, { Html, Head, Main, NextScript } from 'next/document'
+
+// Next Strict Content Security Policy
+import { NextStrictCSP } from 'next-strict-csp'
+
+...
+
+// Enable Head Strict CSP in production mode only
+const HeadCSP = process.env.NODE_ENV === 'production' ? NextStrictCSP : Head
+
+...
+
+// Document component
+class MyDoc extends Document {
+
+  render() {
+    return (
+      <Html>
+        <HeadCSP>
+          { process.env.NODE_ENV === 'production' && 
+          <meta httpEquiv="Content-Security-Policy" />
+          }
+
+          ...
+
+        </HeadCSP>
+        <body>
+
+          ...
+
+          <Main />
+          <NextScript />
+
+          ...
+
+        </body>
+      </Html>
+    )
+  }
+
+}
+
+```
+
+## Advanced usage with inline scripts
+You can also integrate any additionnal inline scripts and they'll get hashed automatically. Here's an example to add Google Tag Manager and Cloudflare Analytics inline scripts:
+ 
+**_document.tsx**
+
+```
+...
+
+// Next.js libraries
+import Document, { Html, Head, Main, NextScript } from 'next/document'
+
+// Next Strict Content Security Policy
+import { NextStrictCSP } from 'next-strict-csp'
+
+...
+
+// Cloudflare Insights Script (Optional)
+const cloudflareJs = `var s = document.createElement('script')
+s.src = 'https://static.cloudflareinsights.com/beacon.min.js'
+s.setAttribute('data-cf-beacon', '{"token": "YOUR CLOUDFLARE WEB ANALYTICS TOKEN STRING"}')
+document.body.appendChild(s)`
+
+// Google Tag Manager Script (Optional)
+const GTMJs = `(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
+j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
+'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
+})(window,document,'script','dataLayer','YOUR GOOGLE TAG MANAGER ID STRING');`
+
+// Next Strict CSP
+// Inline scripts to hash  (Optional)
+NextStrictCSP.inlineJs = [
+  cloudflareJs,
+  GTMJs
+]
+
+...
+
+// Enable Head Strict CSP in production mode only
+const HeadCSP = process.env.NODE_ENV === 'production' ? NextStrictCSP : Head
+
+...
+
+// Document component
+class MyDoc extends Document {
+
+  render() {
+    return (
+      <Html>
+        <HeadCSP>
+          { process.env.NODE_ENV === 'production' && 
+          <meta httpEquiv="Content-Security-Policy" />
+          }
+
+          ...
+
+          {/* Google Tag Manager */}
+          { process.env.NODE_ENV === 'production' && 
+          <script 
+            dangerouslySetInnerHTML={{
+                __html: GTMJs
+            }}
+          />
+          }
+          {/* End Google Tag Manager */}
+
+        </HeadCSP>
+        <body>
+          { process.env.NODE_ENV === 'production' && 
+          <noscript
+            dangerouslySetInnerHTML={{
+                __html: `<iframe src="https://www.googletagmanager.com/ns.html?id=YOUR GOOGLE TAG MANAGER ID STRING" height="0" width="0" style="display:none;visibility:hidden"></iframe>`,
+            }}
+          />
+          }
+
+          ...
+
+          <Main />
+          <NextScript />
+          {/* Cloudflare Web Analytics */}
+          {/*<script defer src='https://static.cloudflareinsights.com/beacon.min.js' data-cf-beacon={`{"token": "YOUR CLOUDFLARE WEB ANALYTICS TOKEN STRING"}`}></script>*/}
+          {process.env.NODE_ENV === 'production' && 
+          <script dangerouslySetInnerHTML={{
+            __html: cloudflareJs
+          }} />
+          }
+          {/* End Cloudflare Web Analytics */}
+
+          ...
+
+        </body>
+      </Html>
+    )
+  }
+
+}
+
+```
+
+## Demo
+Live demo with Next.js Strict CSP for testing with website security scanner available here:  
+[Guy Dumais](https://guydumais.digital/ "Guy Dumais Digital")
+
+## Learn more
+Learn more about website security and how to protect a Next.js website:  
+[Website Security](https://guydumais.digital/blog/tag/website-security/ "Website Security")
diff --git a/dist/cjs/index.d.ts b/dist/cjs/index.d.ts
new file mode 100644
index 0000000..4d67df2
--- /dev/null
+++ b/dist/cjs/index.d.ts
@@ -0,0 +1,10 @@
+import { Head } from '../../../next/dist/pages/_document';
+export declare class NextStrictCSP extends Head {
+    static inlineJs: string[];
+    static inlineJsHashed: string[];
+    static nextJsFiles: string[];
+    getDynamicChunks(): never[];
+    getScripts: ({ allFiles }: {
+        allFiles: any;
+    }) => never[];
+}
diff --git a/dist/cjs/index.js b/dist/cjs/index.js
new file mode 100644
index 0000000..67f0f50
--- /dev/null
+++ b/dist/cjs/index.js
@@ -0,0 +1,71 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NextStrictCSP = void 0;
+const react_1 = __importDefault(require("react"));
+const _document_1 = require("../../../next/dist/pages/_document");
+const crypto_1 = __importDefault(require("crypto"));
+const cspHashOf = (text) => {
+    const hash = crypto_1.default.createHash('sha256');
+    hash.update(text);
+    return `'sha256-${hash.digest('base64')}'`;
+};
+class NextStrictCSP extends _document_1.Head {
+    static inlineJs = [];
+    static inlineJsHashed = [];
+    static nextJsFiles = [];
+    getDynamicChunks() {
+        const { dynamicImports } = this.context;
+        NextStrictCSP.nextJsFiles = dynamicImports
+            .filter((file) => /\.js$/.test(file))
+            .map((jsFile) => {
+            return `'/_next/${encodeURI(jsFile)}'`;
+        });
+        return [];
+    }
+    getScripts = ({ allFiles }) => {
+        const jsFiles = allFiles
+            .filter((file) => /\.js$/.test(file))
+            .map((jsFile) => {
+            return `'/_next/${encodeURI(jsFile)}'`;
+        });
+        const { buildManifest, __NEXT_DATA__ } = this.context;
+        const { lowPriorityFiles } = buildManifest;
+        const jsFiles2 = lowPriorityFiles.map((jsFile) => {
+            return `'/_next/${encodeURI(jsFile)}'`;
+        });
+        const jsFiles3 = jsFiles.concat(jsFiles2);
+        const nextJsFiles = NextStrictCSP.nextJsFiles.concat(jsFiles3);
+        const nextJsSPA = `var scripts = [${nextJsFiles.join()}]
+    scripts.forEach(function(scriptUrl) {
+      var s = document.createElement('script')
+      s.src = scriptUrl
+      s.async = false // to preserve execution order
+      s.defer = true
+      document.head.appendChild(s)
+    })`;
+        const nextJsSPAScript = react_1.default.createElement("script", { defer: true, dangerouslySetInnerHTML: {
+                __html: nextJsSPA
+            } });
+        NextStrictCSP.inlineJsHashed = NextStrictCSP.inlineJs.map((inlineJs) => {
+            return cspHashOf(inlineJs);
+        });
+        const newChildren = [];
+        react_1.default.Children.forEach(this.props.children, (child) => {
+            if (child.type === 'meta') {
+                if (child.props?.httpEquiv !== undefined) {
+                    if (child.props.httpEquiv === 'Content-Security-Policy') {
+                        child.props.content = `script-src 'strict-dynamic' ${cspHashOf(nextJsSPA)} ${NextStrictCSP.inlineJsHashed.join(' ')} 'unsafe-inline' http: https:;`;
+                        child.props.slug = __NEXT_DATA__.page;
+                    }
+                }
+            }
+            newChildren.push(child);
+        });
+        this.context.headTags.push(nextJsSPAScript);
+        return [];
+    };
+}
+exports.NextStrictCSP = NextStrictCSP;
diff --git a/dist/esm/index.d.ts b/dist/esm/index.d.ts
new file mode 100644
index 0000000..4d67df2
--- /dev/null
+++ b/dist/esm/index.d.ts
@@ -0,0 +1,10 @@
+import { Head } from '../../../next/dist/pages/_document';
+export declare class NextStrictCSP extends Head {
+    static inlineJs: string[];
+    static inlineJsHashed: string[];
+    static nextJsFiles: string[];
+    getDynamicChunks(): never[];
+    getScripts: ({ allFiles }: {
+        allFiles: any;
+    }) => never[];
+}
diff --git a/dist/esm/index.js b/dist/esm/index.js
new file mode 100644
index 0000000..d1e7c40
--- /dev/null
+++ b/dist/esm/index.js
@@ -0,0 +1,64 @@
+import React from 'react';
+import { Head } from '../../../next/dist/pages/_document';
+import crypto from 'crypto';
+const cspHashOf = (text) => {
+    const hash = crypto.createHash('sha256');
+    hash.update(text);
+    return `'sha256-${hash.digest('base64')}'`;
+};
+export class NextStrictCSP extends Head {
+    static inlineJs = [];
+    static inlineJsHashed = [];
+    static nextJsFiles = [];
+    getDynamicChunks() {
+        const { dynamicImports } = this.context;
+        NextStrictCSP.nextJsFiles = dynamicImports
+            .filter((file) => /\.js$/.test(file))
+            .map((jsFile) => {
+            return `'/_next/${encodeURI(jsFile)}'`;
+        });
+        return [];
+    }
+    getScripts = ({ allFiles }) => {
+        const jsFiles = allFiles
+            .filter((file) => /\.js$/.test(file))
+            .map((jsFile) => {
+            return `'/_next/${encodeURI(jsFile)}'`;
+        });
+        const { buildManifest, __NEXT_DATA__ } = this.context;
+        const { lowPriorityFiles } = buildManifest;
+        const jsFiles2 = lowPriorityFiles.map((jsFile) => {
+            return `'/_next/${encodeURI(jsFile)}'`;
+        });
+        const jsFiles3 = jsFiles.concat(jsFiles2);
+        const nextJsFiles = NextStrictCSP.nextJsFiles.concat(jsFiles3);
+        const nextJsSPA = `var scripts = [${nextJsFiles.join()}]
+    scripts.forEach(function(scriptUrl) {
+      var s = document.createElement('script')
+      s.src = scriptUrl
+      s.async = false // to preserve execution order
+      s.defer = true
+      document.head.appendChild(s)
+    })`;
+        const nextJsSPAScript = React.createElement("script", { defer: true, dangerouslySetInnerHTML: {
+                __html: nextJsSPA
+            } });
+        NextStrictCSP.inlineJsHashed = NextStrictCSP.inlineJs.map((inlineJs) => {
+            return cspHashOf(inlineJs);
+        });
+        const newChildren = [];
+        React.Children.forEach(this.props.children, (child) => {
+            if (child.type === 'meta') {
+                if (child.props?.httpEquiv !== undefined) {
+                    if (child.props.httpEquiv === 'Content-Security-Policy') {
+                        child.props.content = `script-src 'strict-dynamic' ${cspHashOf(nextJsSPA)} ${NextStrictCSP.inlineJsHashed.join(' ')} 'unsafe-inline' http: https:;`;
+                        child.props.slug = __NEXT_DATA__.page;
+                    }
+                }
+            }
+            newChildren.push(child);
+        });
+        this.context.headTags.push(nextJsSPAScript);
+        return [];
+    };
+}
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..4d580ee
--- /dev/null
+++ b/package.json
@@ -0,0 +1,62 @@
+{
+  "name": "next-strict-csp",
+  "description": "Hash-based Strict CSP for Next.js",
+  "version": "1.0.1",
+  "main": "./dist/cjs/index.js",
+  "module": "./dist/esm/index.js",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "yarn build:esm && yarn build:cjs",
+    "build:esm": "tsc --outDir dist/esm",
+    "build:cjs": "tsc --module commonjs --outDir dist/cjs"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/guydumais/next-strict-csp.git"
+  },
+  "keywords": [
+    "nextjs",
+    "next.js",
+    "next",
+    "plugin",
+    "strict csp",
+    "hash-based csp",
+    "content security policy",
+    "single page app security",
+    "website security"
+  ],
+  "author": {
+    "name": "Guy Dumais",
+    "email": "info@guydumais.digital",
+    "website": "https://guydumais.digital"
+  },
+  "license": "ISC",
+  "bugs": {
+    "url": "https://github.com/guydumais/next-strict-csp/issues"
+  },
+  "homepage": "https://github.com/guydumais/next-strict-csp",
+  "dependencies": {},
+  "devDependencies": {
+    "@babel/core": "^7.15.5",
+    "@babel/plugin-proposal-optional-chaining": "^7.14.5",
+    "@babel/preset-env": "^7.15.4",
+    "@babel/preset-react": "^7.14.5",
+    "@babel/preset-typescript": "^7.15.0",
+    "@types/next": "^9.0.0",
+    "@types/node": "^16.7.10",
+    "@types/react": "^17.0.11",
+    "next": "^11.1.2",
+    "prettier": "^2.3.2",
+    "react": "^17.0.2",
+    "react-dom": "^17.0.2",
+    "typescript": "^4.3.4"
+  },
+  "peerDependencies": {
+    "next": "*",
+    "react": "*",
+    "react-dom": "*"
+  }
+}
+
diff --git a/public/favicon.ico b/public/favicon.ico
new file mode 100644
index 0000000..db13f52
Binary files /dev/null and b/public/favicon.ico differ
diff --git a/public/guy-dumais-logo.svg b/public/guy-dumais-logo.svg
new file mode 100644
index 0000000..1410e1e
--- /dev/null
+++ b/public/guy-dumais-logo.svg
@@ -0,0 +1,48 @@
+<svg version="1.1" id="guy_dumais_logo" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 width="291.871px" height="61.662px" viewBox="0 0 291.871 61.662" enable-background="new 0 0 291.871 61.662"
+	 xml:space="preserve">
+<g>
+	<g>
+		<path fill="#1D1A1F" d="M91.976,31.021h2.845v8.088c-1.027,0.849-2.222,1.501-3.585,1.955c-1.362,0.454-2.785,0.682-4.266,0.682
+			c-2.094,0-3.98-0.46-5.658-1.378c-1.679-0.918-2.996-2.182-3.955-3.791c-0.958-1.61-1.437-3.422-1.437-5.437
+			s0.479-3.831,1.437-5.45c0.959-1.619,2.281-2.884,3.971-3.792c1.688-0.908,3.588-1.363,5.701-1.363
+			c1.659,0,3.165,0.271,4.518,0.814c1.354,0.544,2.504,1.338,3.452,2.385l-1.837,1.837c-1.659-1.6-3.664-2.399-6.014-2.399
+			c-1.58,0-2.997,0.341-4.252,1.022c-1.254,0.682-2.235,1.629-2.947,2.844c-0.71,1.215-1.065,2.582-1.065,4.103
+			c0,1.501,0.355,2.858,1.065,4.073c0.712,1.215,1.693,2.168,2.947,2.858c1.255,0.692,2.662,1.037,4.223,1.037
+			c1.855,0,3.475-0.445,4.857-1.333V31.021z"/>
+		<path fill="#1D1A1F" d="M104.832,39.375c-1.54-1.58-2.312-3.851-2.312-6.813v-11.79h2.963v11.672c0,4.443,1.945,6.665,5.836,6.665
+			c1.896,0,3.348-0.548,4.354-1.645c1.007-1.096,1.511-2.77,1.511-5.021V20.771h2.873v11.79c0,2.982-0.77,5.258-2.311,6.828
+			c-1.54,1.569-3.692,2.355-6.457,2.355C108.524,41.745,106.372,40.955,104.832,39.375z"/>
+		<path fill="#1D1A1F" d="M135.995,34.339v7.169h-2.933V34.28l-8.235-13.509h3.17l6.636,10.931l6.665-10.931h2.933L135.995,34.339z"
+			/>
+		<path fill="#1D1A1F" d="M159.634,20.771h8.739c2.192,0,4.137,0.435,5.836,1.304c1.698,0.869,3.017,2.088,3.954,3.658
+			c0.938,1.57,1.408,3.372,1.408,5.406s-0.47,3.836-1.408,5.406c-0.938,1.57-2.256,2.789-3.954,3.658
+			c-1.699,0.869-3.644,1.304-5.836,1.304h-8.739V20.771z M168.195,38.931c1.679,0,3.155-0.326,4.429-0.978
+			c1.274-0.651,2.256-1.564,2.947-2.74c0.691-1.175,1.037-2.533,1.037-4.073s-0.346-2.897-1.037-4.073
+			c-0.691-1.175-1.673-2.089-2.947-2.74c-1.273-0.651-2.75-0.978-4.429-0.978h-5.599v15.582H168.195z"/>
+		<path fill="#1D1A1F" d="M188.457,39.375c-1.54-1.58-2.311-3.851-2.311-6.813v-11.79h2.962v11.672c0,4.443,1.945,6.665,5.836,6.665
+			c1.896,0,3.348-0.548,4.354-1.645c1.008-1.096,1.511-2.77,1.511-5.021V20.771h2.874v11.79c0,2.982-0.771,5.258-2.312,6.828
+			c-1.539,1.569-3.692,2.355-6.457,2.355C192.149,41.745,189.998,40.955,188.457,39.375z"/>
+		<path fill="#1D1A1F" d="M231.204,41.508l-0.03-15.108l-7.494,12.59h-1.363l-7.494-12.501v15.02h-2.845V20.771h2.43l8.65,14.574
+			l8.531-14.574h2.429l0.03,20.736H231.204z"/>
+		<path fill="#1D1A1F" d="M255.702,36.323h-11.021l-2.281,5.185h-3.051l9.391-20.736h2.933l9.42,20.736h-3.11L255.702,36.323z
+			 M254.665,33.954l-4.473-10.16l-4.474,10.16H254.665z"/>
+		<path fill="#1D1A1F" d="M266.396,20.771h2.963v20.736h-2.963V20.771z"/>
+		<path fill="#1D1A1F" d="M279.326,41.02c-1.451-0.484-2.592-1.111-3.422-1.881l1.097-2.312c0.789,0.711,1.802,1.289,3.036,1.733
+			c1.233,0.444,2.503,0.667,3.807,0.667c1.718,0,3.001-0.292,3.851-0.875c0.85-0.582,1.274-1.357,1.274-2.324
+			c0-0.712-0.233-1.289-0.696-1.734c-0.465-0.444-1.037-0.784-1.718-1.021c-0.683-0.237-1.646-0.504-2.889-0.8
+			c-1.561-0.375-2.819-0.75-3.777-1.126c-0.958-0.375-1.777-0.952-2.458-1.732c-0.682-0.78-1.023-1.832-1.023-3.155
+			c0-1.105,0.292-2.104,0.875-2.991c0.582-0.889,1.466-1.6,2.65-2.134c1.186-0.533,2.656-0.8,4.414-0.8
+			c1.225,0,2.43,0.159,3.614,0.475c1.186,0.316,2.202,0.771,3.052,1.362l-0.979,2.37c-0.869-0.553-1.797-0.973-2.783-1.259
+			c-0.988-0.286-1.955-0.431-2.904-0.431c-1.678,0-2.938,0.307-3.777,0.919c-0.839,0.612-1.259,1.402-1.259,2.369
+			c0,0.712,0.237,1.289,0.712,1.734c0.474,0.444,1.061,0.789,1.762,1.036s1.654,0.509,2.859,0.784
+			c1.561,0.377,2.814,0.751,3.762,1.126c0.948,0.376,1.763,0.948,2.444,1.719c0.681,0.771,1.021,1.808,1.021,3.111
+			c0,1.086-0.296,2.078-0.889,2.977s-1.491,1.609-2.695,2.132c-1.205,0.524-2.687,0.786-4.443,0.786
+			C282.283,41.745,280.778,41.503,279.326,41.02z"/>
+	</g>
+	<g>
+		<polygon fill="#DD0000" points="30.706,0 0,30.579 21.534,52.018 23.847,38.901 15.521,30.579 27.41,18.693 		"/>
+		<polygon fill="#DD0000" points="39.769,8.775 37.452,21.893 46.142,30.579 33.726,42.989 30.438,61.662 61.662,30.579 		"/>
+	</g>
+</g>
+</svg>