Generate Content Security Policy headers for a web application.
- Scan the project for frontend assets and their sources:
- JavaScript files: inline scripts, external CDN scripts, dynamic imports.
- CSS files: inline styles, external stylesheets, CSS-in-JS libraries.
- Images: local assets, external image CDNs, data URIs.
- Fonts: Google Fonts, self-hosted, CDN-hosted.
- API calls:
fetch,XMLHttpRequest, WebSocket connections. - Frames: iframes, embedded content.
- Identify all external domains referenced in the codebase.
- Build CSP directives:
default-src: Fallback policy.script-src: JavaScript sources with nonce or hash strategy.style-src: CSS sources.img-src: Image sources.connect-src: API endpoints, WebSocket URLs.font-src: Font sources.frame-src: Iframe sources.object-src: Plugin sources (should be'none').
- Add reporting configuration:
report-uriorreport-to. - Generate both enforcing and report-only headers.
- Output as HTTP header format and as meta tag format.
Content-Security-Policy:
default-src 'self';
script-src 'self' 'nonce-{random}' https://cdn.example.com;
style-src 'self' 'unsafe-inline';
img-src 'self' data: https://images.example.com;
connect-src 'self' https://api.example.com;
font-src 'self' https://fonts.gstatic.com;
object-src 'none';
frame-ancestors 'none';
report-uri /csp-report;
- Never use
unsafe-inlinefor scripts; prefer nonces or hashes. - Always include
object-src 'none'andframe-ancestors 'self'. - Start with a strict policy and relax only as needed.
- Provide a
Content-Security-Policy-Report-Onlyheader for testing. - Document each allowed domain with a comment explaining why it is needed.