- Home
- Skills
- Jeremylongshore
- Claude Code Plugins Plus Skills
- Content Security Policy Generator
content-security-policy-generator_skill
- Python
1.4k
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill jeremylongshore/claude-code-plugins-plus-skills --skill content-security-policy-generator- SKILL.md2.4 KB
Overview
This skill automates generation and validation of Content Security Policy (CSP) configurations to reduce XSS and injection risks. It provides practical, production-ready CSP directives and guidance tailored to web apps, helping teams adopt secure defaults quickly. The skill is part of the Security Fundamentals category and activates when CSP generation is requested.
How this skill works
The skill inspects your application context and requested resources, then proposes a CSP that balances security and functionality. It generates directive sets (default-src, script-src, style-src, connect-src, etc.), suggests nonce or hash usage, and validates the resulting policy against common pitfalls and browser compatibility. It can output ready-to-deploy header or meta tag snippets and highlight changes needed in asset loading to comply with the policy.
When to use it
- When you need a starter or hardened CSP for a new or existing web app
- While reviewing or remediating reported XSS or content injection issues
- When migrating inline scripts/styles to safer alternatives (nonces/hashes)
- Before deploying to production to validate CSP compatibility with app assets
- When automating security baselines in CI/CD pipelines
Best practices
- Start with a restrictive default-src and explicitly allow required origins
- Prefer nonces or hashes over unsafe-inline to retain inline script functionality safely
- Incrementally tighten policy using report-only mode before enforcing
- Use separate directives for scripts, styles, and connections to minimize scope
- Regularly review CSP reports to detect broken resources and tune directives
Example use cases
- Generate a minimal CSP for a single-page app that loads scripts from its own domain and a CDN
- Produce a CSP with nonces for dynamically injected inline scripts in a server-rendered app
- Create a report-only policy to detect resources blocked by a future enforcement
- Validate an existing header against CSP best practices and browser compatibility
- Output header and meta tag variants for immediate deployment or testing
FAQ
Yes. Provide the list of trusted origins and service types, and the skill will include them explicitly in the appropriate directives while recommending tighter controls like subresource integrity or connection limiting.
How do I test a generated policy without breaking the site?
Use report-only mode headers to collect violation reports without blocking resources. The skill can produce a report-only policy and suggest tooling for aggregating the reports.