content-security-policy-generator_skill

This skill automates content security policy generator workflows, delivering production-ready configurations and best-practice guidance for secure web
  • Python

1.4k

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill jeremylongshore/claude-code-plugins-plus-skills --skill content-security-policy-generator

  • SKILL.md2.4 KB

Overview

This skill automates generation and validation of Content Security Policy (CSP) configurations to reduce XSS and injection risks. It provides practical, production-ready CSP directives and guidance tailored to web apps, helping teams adopt secure defaults quickly. The skill is part of the Security Fundamentals category and activates when CSP generation is requested.

How this skill works

The skill inspects your application context and requested resources, then proposes a CSP that balances security and functionality. It generates directive sets (default-src, script-src, style-src, connect-src, etc.), suggests nonce or hash usage, and validates the resulting policy against common pitfalls and browser compatibility. It can output ready-to-deploy header or meta tag snippets and highlight changes needed in asset loading to comply with the policy.

When to use it

  • When you need a starter or hardened CSP for a new or existing web app
  • While reviewing or remediating reported XSS or content injection issues
  • When migrating inline scripts/styles to safer alternatives (nonces/hashes)
  • Before deploying to production to validate CSP compatibility with app assets
  • When automating security baselines in CI/CD pipelines

Best practices

  • Start with a restrictive default-src and explicitly allow required origins
  • Prefer nonces or hashes over unsafe-inline to retain inline script functionality safely
  • Incrementally tighten policy using report-only mode before enforcing
  • Use separate directives for scripts, styles, and connections to minimize scope
  • Regularly review CSP reports to detect broken resources and tune directives

Example use cases

  • Generate a minimal CSP for a single-page app that loads scripts from its own domain and a CDN
  • Produce a CSP with nonces for dynamically injected inline scripts in a server-rendered app
  • Create a report-only policy to detect resources blocked by a future enforcement
  • Validate an existing header against CSP best practices and browser compatibility
  • Output header and meta tag variants for immediate deployment or testing

FAQ

Yes. Provide the list of trusted origins and service types, and the skill will include them explicitly in the appropriate directives while recommending tighter controls like subresource integrity or connection limiting.

How do I test a generated policy without breaking the site?

Use report-only mode headers to collect violation reports without blocking resources. The skill can produce a report-only policy and suggest tooling for aggregating the reports.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
content-security-policy-generator skill by jeremylongshore/claude-code-plugins-plus-skills | VeilStrat